An additional SQL injection vulnerability has been identified in all current versions of glFusion that could allow an attacker to expose the password hash for any user on your site. This could lead to an attacker successfully logging into your site using those compromised credentials.
All glFusion users should replace the lib-sessions.php source file with this updated version which will remove the vulnerability:
private/system/lib-sessions.zip
glFusion v1.1.3 has been released and includes all security fixes.
A vulnerability has been identified in all current glFusion versions that will allow an attacker to expose the password hash for users on your site, including the Admin user. This could lead to an attacker successfully logging into your site using those compromised credentials.
All glFusion users should replace the listfactory.class.php source file with this updated version which will remove the vulnerability:
private/system/classes/listfactory.class.php
This exploit has highlighted some additional concerns that we are currently investigating and will post any additional updates when necessary.
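Both advisories above describe the same class of defect: a query that splices request input straight into SQL, which lets the query be steered at columns (such as the password hash) that the page was never meant to return. The following is an added illustration of that pattern and its hardened form; it is not glFusion's code, and the table, column and function names are hypothetical. It uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added illustration (not glFusion's code): the general pattern behind the
// two SQL injection advisories above. Table/column/function names are
// hypothetical.

declare(strict_types=1);

// UNSAFE: the sort column and the search term are concatenated into the SQL
// text, so whoever controls those request parameters controls the query.
function findUsersUnsafe(PDO $db, string $sortBy, string $search): array
{
    $sql = "SELECT uid, username FROM users "
         . "WHERE username LIKE '%" . $search . "%' "
         . "ORDER BY " . $sortBy;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: identifiers cannot be bound as parameters, so the sort column is
// validated against an allow-list; the search term is bound, never spliced.
function findUsersSafe(PDO $db, string $sortBy, string $search): array
{
    static $allowedSort = ['uid' => 'uid', 'username' => 'username'];
    $column = $allowedSort[$sortBy] ?? 'username';

    $stmt = $db->prepare(
        "SELECT uid, username FROM users WHERE username LIKE :pattern ORDER BY $column"
    );
    $stmt->execute([':pattern' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the hardened function can be exercised offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, passwd TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'Admin', 'constructed-hash-value')");

// Benign input behaves identically in both versions.
print_r(findUsersUnsafe($db, 'username', 'Adm'));
print_r(findUsersSafe($db, 'username', 'Adm'));

// With the hardened version, an unexpected sort key falls back to the default
// and the only columns a caller can ever receive are those named in the query.
$row = findUsersSafe($db, 'passwd', 'Adm')[0];
if (array_key_exists('passwd', $row)) {
    throw new RuntimeException('password column must never be returned');
}
echo "hardened query returned only the expected columns\n";
```

When reviewing a patch like the ones above, the thing to verify is that every value reaching the query text is either a bound parameter or a member of a fixed allow-list; anything else is still a splice, however it is escaped.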
The plugin auto installer does not handle some errors as gracefully as it should. This update will improve the error handling and also provide some additional protections from timing out when installing large plugins like DokuWiki.
To apply the fix, download the following source updates and copy these new files over the existing files on your server.
public_html/admin/plugin_upload.php
This fix should only be applied to glFusion v1.1.2.
A feature of FM is to map file extensions and rename certain extensions to safer versions. If the upload is not moderated (sent to the queue), the rename does not happen.
To apply the fix, download the following source updates and copy these new files over the existing files on your server.
public_html/admin/plugins/filemgmt/index.php
public_html/filemgmt/submit.php
These fixes should only be applied to glFusion v1.1.2.
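The FM issue above is a code-path inconsistency rather than a missing control: the rename exists, but one of the two upload paths skips it. The following is an added illustration, not the filemgmt plugin's code; the mapping table, the `storeUpload` function and the moderated/published branches are hypothetical. It shows the rename hoisted in front of the branch so both paths store the mapped name, and it lowercases the extension before lookup so a mixed-case extension cannot slip past the table.

```php
<?php
// Added illustration (not the filemgmt plugin's code): extension mapping
// must run on every upload path, including uploads that go to the
// moderation queue. Mapping table and function names are hypothetical.

declare(strict_types=1);

// Extensions the web server might execute or interpret. Each is folded into
// the base name and the stored file ends in a single, inert extension, so
// the result never carries an executable extension anywhere in its name.
const SAFE_EXTENSION_MAP = [
    'php'   => 'txt',
    'phtml' => 'txt',
    'php3'  => 'txt',
    'phar'  => 'txt',
    'cgi'   => 'txt',
    'pl'    => 'txt',
];

function mapToSafeExtension(string $filename): string
{
    $dot = strrpos($filename, '.');
    if ($dot === false) {
        return $filename;                       // no extension, nothing to map
    }
    $base = substr($filename, 0, $dot);
    $ext  = strtolower(substr($filename, $dot + 1)); // case-insensitive lookup
    $safe = SAFE_EXTENSION_MAP[$ext] ?? null;
    if ($safe === null) {
        return $filename;                       // not a mapped extension
    }
    return $base . '_' . $ext . '.' . $safe;    // report.PHP -> report_php.txt
}

// The bug class described above is the rename living in only one branch.
// Mapping before the branch removes the gap for every path.
function storeUpload(string $originalName, bool $moderated): array
{
    $storedName = mapToSafeExtension(basename($originalName));

    if ($moderated) {
        return ['queue' => 'pending', 'name' => $storedName];   // goes to the queue
    }
    return ['queue' => 'published', 'name' => $storedName];    // published directly
}

// Constructed inputs: both paths must yield the mapped name.
foreach ([true, false] as $moderated) {
    $r = storeUpload('report.PHP', $moderated);
    if ($r['name'] !== 'report_php.txt') {
        throw new RuntimeException("rename skipped on {$r['queue']} path");
    }
}
// An unmapped extension passes through unchanged.
if (mapToSafeExtension('notes.pdf') !== 'notes.pdf') {
    throw new RuntimeException('unexpected rename of a benign extension');
}
echo "extension mapping applied on both upload paths\n";
```

A quick check after applying the fix is to submit a file with a mapped extension through the moderated path and confirm the queued entry already carries the renamed filename, rather than relying on the rename happening at approval time.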
When editing a calendar event, the minutes drop-down is empty. This is caused by a typo in the eventeditor.thtml template.
To apply the fix, download the following source update and copy this new file over the existing file on your server.
private/plugins/calendar/templates/admin/eventeditor.thtml
This fix should only be applied to glFusion v1.1.2.
In the horizontal navigation menu, the blue hover state wouldn't show (IE6 only).
To apply the fix, download the following source update and copy this new file over the existing file on your server.
public_html/layout/nouveau/ie6.css
This fix should only be applied to glFusion v1.1.2.
The copy.png icon was broken.
To apply the fix, download the following source update and copy this new file over the existing file on your server.
private/plugins/sitetailor/templates/menulist.thtml
This fix should only be applied to glFusion v1.1.2.
If you remove all groups from a user, glFusion will crash with an SQL error.
To apply the fix, download the following source update and copy this new file over the existing file on your server.
private/system/lib-security.php
This fix should only be applied to glFusion v1.1.2.
When creating a new story, the default topic is not pre-selected in the topic drop-down.
To apply the fix, download the following source update and copy this new file over the existing file on your server.
This fix should only be applied to glFusion v1.1.2.
When viewing a user's profile, a missing icon is shown just below the user's profile picture.
To apply the fix, download the following source update and copy this new file over the existing file on your server.
This fix should only be applied to glFusion v1.1.2.