glFusion Stories

glFusion Patch Updates

Thu, 11 Jun 2009 10:06:27 -0500

With our commitment to quality and timeliness, we have been posting small fixes to glFusion in the Known Issues page and via the Known Issues RSS feed. We recently implemented a new process where we roll these fixes into the distribution archives as well. This means if you download glFusion v1.1.4 today, you will have all the current patches for the existing known issues. Each set of patches is identified by a patch level. As of today, we are at patch level 3 (pl3). If you go into the Command & Control screen, you will see the current patch level of your system. Each known issue also states which patch level it has been included with.

There are two methods to apply the patches. You can download each updated source file from the Known Issues page, or you can grab the latest incremental release and re-apply it to your site. Since the distribution archives are refreshed with each set of patches, both the full and incremental releases will contain all the current patches. Patch level updates do not require that you run the automated installer / updater since they will never contain database updates.

Generally, patches should not require template changes either, but occasionally there are exceptions. Because of a bug which could affect a site’s server load, pl2 did make a change to the htmlheader.thtml template. The Template Change wiki information was updated at that time to reflect the change.

Our goal is to ensure you have the best CMS out there and that any issues that are identified are resolved and available as soon as possible.

Static page link tag for Dokuwiki plugin

Sun, 31 May 2009 15:36:42 -0500

This plugin adds a custom staticpage tag to DokuWiki, allowing you to link in static pages from glFusion.

 [[staticpage:id]] - or - [[staticpage:id | Alternative text]]

Available here: Static page link tag for Dokuwiki plugin

File link tag for Dokuwiki plugin

Sun, 31 May 2009 11:12:43 -0500

This plugin adds a custom file tag to DokuWiki, allowing you to link in files from the glFusioin File Manager.

 [[file:id]] - or - [[file:id | Alternative text]]

Available here: FileLink plugin

glFusion State of the Union 09

Sat, 30 May 2009 14:35:20 -0500

June 8, 2009 will be a great day! Besides being my son's birthday, it also will mark the one year anniversary of the birth of glFusion. As we look back, we've seen rapid growth and development of glFusion, and its community, within the last year, and are pleased with how things have evolved and progressed.

By my count, we've had 11 releases of glFusion (rc's and finals combined), published and updated an almost 400 page documentation manual, released several plugin updates, and resolved 192 of 278 reported issues or feature requests. That's quite an achievement! We'd like to take a moment and thank the glFusion community for making all this possible! Without your support, input, and ideas, we surely wouldn't be where we are today! Thank you!

With that being said, we'd like now to look toward the future, and see what's on the horizon for glFusion. Put on your sunglasses, because things are looking bright! Read on...

Where are we headed?

If you look at the roadmap, you'll see that the next release of glFusion will primarily focus on layout enhancements. We've been building a pretty good foundation over the last couple of releases by adding functionality that supports layout customization. This includes:

separating color information from other style information to make quick color customizations easier.

including 'custom' directories in each folder where templates reside so folks can put their customizations there so they won't be overwritten on a site upgrade.

a config switch to show template locations in page source so folks can easily see where template files come from as they are compiled to make a complete glFusion page.

the ability to fallback to default template, css, and image files in additional layouts so they aren't redundantly included for each new layout installed in glFusion. This will make new layouts lightweight and easy to create and distribute.

With the above in place, we can now begin work on creating online tools so that layouts and layout related files can be managed, configured, and edited directly from within the glFusion interface. Similar to how the plugin auto-install process works, our goal is to allow the upload of a single layout package that glFusion will then extract and install in the appropriate location(s). We also intend to bring some layout information into the database so that folks can take advantage of the permissions system and other functionality in glFusion. There's more in the works, but we'll let that whet your appetite for now! ;-)

What you can do to help

This brings us to the point where we need input from you and the rest of the glFusion community. You'll notice the new Potential Layouts random image block in the upper left corner here at glFusion.org. These images link to entries in a gallery of over 200 open-source layouts that I've been collecting over the past few months, which we are considering including (some of them at least ;-) with glFusion. We humbly ask that you look them over and rate them according to your liking. Please keep a couple things in mind though:

We've only included the thumbnail images (and if you click on any of them, a slightly larger lightbox version) on purpose, as the goal is to get a quick 'gut' reaction to each layout. If you would like to see the full layout, please do a Google search for the layout name. We've also turned the rating speed limit down to 3 seconds, so the rating process should go fairly quickly. :-)

As you rate each layout, think beyond just the initial look of it, to a broader sense of how the layout could be used in a wide range of applications. Some layouts are geared towards blogging, others toward news/magazine type sites, others toward gallery presentation, etc. Give them all fair consideration and hopefully multiple types of layouts will float to the top via the rating process.

Feel free to comment on any of the potential layouts. The more feedback we get, the better we can meet the needs of the glFusion community!

You'll also notice a new Layout Design Poll in the left column as well. Please take a moment to answer the 5 questions. Once the community has had a chance to speak out, our plan is to take the ratings and poll information and include the most popular layouts with future releases of glFusion.

Additional areas where you can help

Create Layouts

With these new tools coming into place, it's time to start gearing up and creating new layouts. Since there aren't enough hours in the day for me to port them all over to glFusion, we are asking the community to step up and play around 'under the hood' with layouts that you find interesting.

Many hands make light work, and the more folks that pitch in, the larger the variety of layouts we will have to choose from. Feel free to browse the layout documentation and the Nouveau layout and Widget documentation and learn about all the cool stuff you can do to customize your layouts. You can also reference a tutorial I wrote a while back on porting a layout. If you need any pointers, the forums are a great place to get help and share ideas with other community members. Working together, we can put together some amazing things!!!

Develop Plugins

For those of you with mad PHP skills, your contributions in the form of plugins that extend and enhance the functionality of glFusion would be greatly appreciated. The developer documention in the wiki is a great place to start learning about all the APIs and hooks available to use in your projects. We can setup SVN repositories for plugin authors that would like to make their code available for collaboration and versioning. Also, feel free to use the resources here at glFusion (forums, wiki, etc.) to discuss your project ideas and to provide support for your work.

Half the fun in the development process (at least for me) is the chance to work with others. There are always some great ideas that slip my mind at times, and having others provide input makes my work much better. I love to feed off of Mark's energy and ideas, and I know that he feeds off of my enthusiasm and ideas as well. glFusion is all about synergy; the concept that the sum of the whole is greater than the individual parts. By sharing your work, and forming friendships with other folks with the same interests, I know we can all develop something great!

Write Documentation

Those of us that aren't PHP gurus (like myself), can still make valuable and important contributions to the glFusion community by enhancing the online documentation. Some have said before that documentation is 'boring', but I feel that it is actually one of the most interesting aspects of glFusion! I've learned so much about things you can do with glFusion by reading and editing the documentation. Give it a try!

The wiki is open and editable to anyone with a free glFusion.org site account. We strongly encourage you to take a few minutes and read about something that interests you, and then add anything that might be missing, or needs clarification. Also, we recently opened up the wiki so that it can be translated into multiple languages by folks in the community. Just look for the Translations of this page link in the top right of the wiki pages. Don't see a language listed there, just contact us and well get it on there! :-)

Use the Tracker

Finally, we always need help in submitting feature requests, ideas, and issues that you may come across, to our tracker. This way, we can make sure to focus on the things the community needs and wants, and continue to make glFusion better, more robust, and easier to use.

We encourage folks to dig deeper than just submitting a quick bug report or feature request. Feel free to browse tickets opened by others and comment on them and add your thoughts and ideas.

Spread the word about glFusion

glFusion has seen some amazing growth in the past year. We hope this trend continues and we anticipate the community will continue to flourish. Admittedly, the first year of any CMS is always approached with caution by those who use those technologies to pay the bills and feed their families. When Joomla decided to fork from the Mambo project, their first year was slow to build up steam, but just look where they are today! I know as we continue to be excited about glFusion, and tell our friends and colleagues about this great new piece of software that we've discovered, our community can reach similar achievements.

Also, please take a moment to provide feedback and ratings about glFusion at opensourcecms.com. We've seen a lot of new user traffic from the folks there, and feel that it is a great resource to attract like minded developers and users looking for a powerful yet easy to use CMS.

Conclusion

We've had some good times this past year taking glFusion to where it is today. As we gear up for another year of development, we'd love to hear your input and ideas. glFusion truly thrives on its community. We are grateful and honored to have you with us. Drop us a line soon, and Happy Surfing! :-)

DokuWiki Integration Plugin v1.7.1 Released

Tue, 26 May 2009 12:05:31 -0500

We have released a minor update to the DokuWiki Integration plugin that resolves a potential local file include vulnerability if PHP's register_globals is on. You can download the full DokuWiki v1.7.1 release here.

The only change in this release is to the public_html/dokuwiki/inc/init.php file. For existing DokuWiki users, you can download and apply the follow patch to resolve the issue:

public_html/dokuwiki/inc/init.php

glFusion v1.1.4 Released

Tue, 19 May 2009 19:00:08 -0500

The team at glFusion.org is pleased to announce that glFusion v1.1.4 is now available for download! This release contains some security enhancements, several minor bug fixes, and a few new features.

The primary focus of glFusion v1.1.4 was to provide a more secure and stable content management system. Specifically we have made several improvements to the handling of user input to ensure only proper data is allowed and that all user supplied data is properly filtered. We’ve also moved a few items around to reduce the number of writable directories required by glFusion. Specifically, the public_html/ directory no longer needs to be writable by the web server for glFusion to properly run.

We've also expanded the ability to customize a site, without worrying about customizations getting lost in the upgrade process. In addition to allowing custom template (.thtml) files, which was introduced in a previous release, you can now define language overrides in a similar manner, which allow you to customize the language texts. Another popular request voiced by the community, was to add the ability to change the owner of static pages and file management files. With glFusion v1.1.4 you can now easily edit the owners of these items.

glFusion v1.1.4 Full Release (.tar.gz) glFusion v1.1.4 Incremental Release (.tar.gz)

glFusion v1.1.4 Full Release (.zip) glFusion v1.1.4 Incremental Release (.zip)

Security Notification

The security of your web site is very important to us. If a vulnerability in glFusion is found, we try to fix it immediately. The challenge is informing our users of the risk and the fix. We now offer the glFusion Announce Mailing List that you can subscribe to. We will post all known issues and security issues to this list. We also offer a Known Issues / Security Updates RSS feed you can subscribe to as well. We recommend that you subscribe to at least one of these items.

Improved Usability

With improved security also comes potential usability problems. One area where security controls have caused issues in the past is the use of security tokens to validate input is coming from a known source. Security tokens are only valid for 20 minutes which has caused problems when creating large static pages. With glFusion v1.1.4, saving a static page after the security token has expired will not cause all your data to simply vanish, instead you will be presented with a message that the token is invalid and you should try the save again.

Another security control that has caused some issues is validating the long term cookie to the IP address that originally created it. Normally, when you log into a glFusion site, a long term cookie is set in the browser that contains an encrypted version of your password. This allows you to automatically login to the site hours later. In v1.1.3 we added a security control to validate the IP address of the user to the IP address that originally created the long term cookie. This works great in most cases and removes the ability for someone to masquerade as another user. Unfortunately, if you have users who use the web while behind a set of proxy servers, their IP address may change with each page load. We’ve now included the ability to turn off this check if it is causing problems for your users.

We’ve also implemented the ability to change the owner of stories, static pages, and file mgmt files.

If you have a custom htmlheader.thtml file, you must update it to be compatible with this change. See the Template Changes section of the documentation wiki for details.

If you are running the Chameleon Theme, you'll see to update to Chameleon v2.1.3 which is compatible with this change.

For a full list of changes, please see the What's New Wiki Page.

What's on the Horizon

The next version of glFusion will introduce some exciting new improvements to the way layouts are created and managed. In addition to wrapping up v1.1.4, we've been doing some work "behind the scenes" to prepare to get the community's feedback on future inclusions. We expect to roll them out soon, so please come back and visit glFusion.org often and take a moment to provide your input! Together, we can continue to grow glFusion and the glFusion community!

User Settings SQL Injection Vulnerability - glFusion v1.1.3

Thu, 16 Apr 2009 10:43:15 -0500

Another exploit has been published for Geeklog <= 1.5.2 that performs a SQL injection attack in the usersettings.php to compromise a user's password hash and masquerade (automatically login) as that user (including Admin accounts). This exploit could be adapted to work on glFusion as well.

Although glFusion v1.1.3 is not vulnerable to the user masquerading exploit using the password hash in the long term cookie, it is still important to patch this vulnerability to ensure there are no other holes available to an attacker.

public_html/usersettings.php

This fix should only be applied to glFusion v1.1.3.

Possible SQL Injection Vulnerability - glFusion v1.1.3

Thu, 09 Apr 2009 12:46:53 -0500

An exploit has been published for Geeklog <= 1.5.2 that performs a SQL injection attack to compromise a user's password hash and masquerade (automatically login) as an admin user. This exploit could be adapted to work on glFusion as well. Although glFusion v1.1.3 is not vulnerable to the user masquerading exploit using the password hash in the long term cookie, it is still important to patch this vulnerability to ensure there are no other holes available to an attacker.

We have updated 3 key files in glFusion to help prevent SQL injection exploits:

private/system/lib-security.php

private/system/lib-sessions.php

private/system/lib-webservices.php

It is recommended that you update your site as soon as possible with these updates.

NOTE: This exploit takes advantage of the Remote Webservices featue of glFusion which is enabled by default. You can turn off webservices by going into the Online Configuration System - Miscellaneous - set Disable Webservices to true. This will prevent this specific exploit from succeeding.

These fixes should only be applied to glFusion v1.1.3.

glFusion v1.1.3 Released

Fri, 03 Apr 2009 21:33:07 -0500

The team at glFusion.org is pleased to announce that glFusion v1.1.3 is now available for download! This release contains some critical security fixes along with several minor bug fixes.

There are three security updates included with this release to address the following issues:

SQL Injection issue which could allow an attacker to compromise (gain access) any user's password hash. This was a very serious vulnerability which could allow your admin user account to become compromised.
User Masquerading which could allow an attacker to log in as any user if they knew the password hash of the user. By setting the appropriate cookie on their own browser, you could bypass the user name / password screen and log in directly. Combined with the SQL Injection issue above, this would allow an attacker to easily log in as any user.
Cross Site Scripting (XSS) Issue which could allow an attacker to use a glFusion site in cross site scripting attacks.

All of these issues have been fixed in glFusion v1.1.3 and some additional checks have been included to help prevent future issues like these.

glFusion v1.1.3 Full Release (.tar.gz) glFusion v1.1.3 Incremental Release (.tar.gz)

glFusion v1.1.3 Full Release (.zip) glFusion v1.1.3 Incremental Release (.zip)

Security Notification

The security of your web site is very important to us. If a vulnerability is found, we try to fix it immediately. The challenge is informing our users of the risk and the fix. We now offer the glFusion Announce Mailing List that you can subscribe to. We will post all known issues and security issues to this list. We also offer a Known Issues / Security Updates RSS feed you can subscribe to as well. We recommend that you subscribe to at least one of these items.

Ability to turn on / off template caching

Caching of the template files generally provides a significant performance boost, but we have found in some environments it can actually have a negative impact on performance. Specifically, on sites where the disk access is slower, caching of the templates will slow down the site and add to the server load. A good is example is Windows based servers that use network shares to store the web directories.

You now have the ability to control whether or not the templates are cached. In the Online Configuration system, under Themes, is the new option Enable Template Caching. We recommend you do your own tests, disable caching and see how it affects the performance of your site.

Improved CSS and JavaScript Output

glFusion v1.1.1 added a new feature to consolidate all CSS and JavaScript output into a single call for the browser. This significantly improved the page load times. Now that this feature has been well exercised, we've also discovered it can add some extra CPU load to the server. We've redesigned how the CSS and JavaScript is spooled so we now have the best of both worlds, improved page load times and no additional server load.

If you have a custom htmlheader.thtml file, you must update it to be compatible with this change. See the Template Changes section of the documentation wiki for details.

If you are running the Chameleon Theme, you'll see to update to Chameleon v2.1.2 which is compatible with this change.

For a full list of changes, please see the What's New Wiki Page.

glFusion v1.1.2 and earlier SQL Injection Issue

Fri, 03 Apr 2009 15:48:32 -0500

An additional SQL injection vulnerability has been identified in all current versions of glFusion that could allow an attacker to expose the password hash for any user on your site. This could lead to an attacker successfully logging into your site using those compromised credentials.

All glFusion users should replace the lib-sessions.php source file with this updated version which will remove the vulnerability:

private/system/lib-sessions.zip

glFusion v1.1.3 has been released and includes all security fixes.