glFusion v1.2.0 continues our commitment to providing a secure and robust content management system. This releases contains some significant security updates, several consistency tweaks, and several improvements to the administrative functions. All glFusion users are encouraged to upgrade as soon as possible.

For those who are upgrading, please don't forget to run the Upgrade Wizard after you have loaded the files to your server.

Some of the enhancements below required us to make some changes to the template files. Be sure and check out the Template Changes page and update any of your custom templates.

Defense in Depth Security Enhancements

Improved Password Encryption

With this release we have replaced the password encryption algorithm with a much more security method. Previously, glFusion relied on MD5 encryption, which has started to show its age and has been proven to be breakable. Your current users will continue to use the MD5 method until they change their password. Any new users, and users who change their password, will automatically start using the newer encryption method.

Improved Session Handling

In prior versions of glFusion, the method used to allow users to automatically login for an extended period of time (the Remember Me setting in My Account) would expose the MD5 password hash. The cookie used to allow the auto login contained the MD5 hash of the user's password.

There are a couple of problems with this approach. First, if the cookie were to be stolen or hijacked, it is possible someone could crack the MD5 encrypted password. Second, the length of time the cookie is valid (time to live) was controlled by the client, not the server. Basically, glFusion had no way to enforce how long the cookie was valid.

glFusion has always had extra protections to help mitigate the two items above. glFusion would validate the IP address of the user who set the cookie matched the user who was trying to use it. Still, with the weak encryption that MD5 offers, exposing the encrypted password simply is not a good practice.

With glFusion v1.2.0, the 'Remember Me' automatic login process has been completely re-engineered so the user's encrypted password is no longer used. Instead, session tokens are used and their time to live is now controlled in glFusion. These enhancements combined with the existing IP checking provide for a much more secure environment.

Administrative Features Require Re-authentication

With glFusion v1.2.0, we now require re-authentication before allowing access to the administrative features of the site. This provides another layer of defense for your site. Although we have several significant protections in place to protect the long term cookie (Remember Me), this additional protection is simply one more layer of protection.

General Code Improvements

We continue to perform code reviews and make necessary adjustments to improve the overall security posture of the system. Once specific area where we focused during this release cycle was the use of the PHP function addslashes. This function is used to protect SQL queries from SQL injection attacks. We have replaced the use of addslashes() with the mysql_real_escape_string() function which provides better protection.

Summary

These are all defense in depth enhancements. This means we do not rely on just 1 or 2 protection methods, we have several layers to provide the best protections we can. We honestly don't know what the next vulnerability will be, but our goal is to lessen the effectiveness of any potential breaches. It is one thing to claim to be a secure environment, but without a good defense in depth approach, talk is cheap.

Administrative Enhancements

Look and Feel

Mark Howard has been very busy reworking many of the administrative screens to make them both consistent in look and feel, and to make them much more usable.

User Editor

There is a new user editor in glFusion v1.2.0 that allows the site administrator to edit all attributes about a user, including their preferences for 3rd party plugins.

Global User Preference Editor

The Global User Preference Editor allows the site administrator to change certain user preferences for all users. For example, if you decide that you would prefer the comments show in a nested format, you can change the site default, but that does not override each user's individual preference. You can now reset all users to use the nested format.

Default Groups

You can now assign specific groups to users automatically through the Group Editor user interface. In past versions of glFusion, you had to write a custom PHP function to accomplish this goal. The Private Message plugin uses this feature, where it sets the PM Users group as a default group. This will automatically allow all users to send / receive private messages. As an example, if you had a user who was abusing the privilege (sending too many messages, bothering or harassing other users), you then simply remove them from the PM Users group, and they no longer have access to the PM plugin.

Consistency Improvements

We've reviewed the general functionality of various components of glFusion and tried to bring an improved consistency to how certain tasks are handled.

Login Required

If a function requires the user to login, we now present the login screen with a message stating that access to this area requires you to login, instead of just a message stating login required.

Navigation / Extra Block Display

We have implemented the option for all plugins to determine if the right / left navigation columns should display. In the past, some plugins supported this, others didn't. Now, the majority of the 3rd party plugins support this feature.

Comment Enhancements

Eric and I have reworked the overall style of comments in glFusion v1.2.0. It now defaults to include the comment author's avatar within the comments. Comments made by the article author (the person who wrote the original story) can be styled differently from the others to make them stand out more. We even included a way to specify styling for comments made by certain groups of users (say all Root users, etc.) We have changed the default view mode to nested, which really does a much better job of presenting comments. Finally, we have added a configuration option to allow you to specify which editor (Text, HTML, or WYSIWYG) to use for posting comments.

Improved User Registration

We have added the much requested option to allow users to select their own password at registration time. Now you have the option to allow new users to choose their own password and receive an activation email when they register. With this registration method, once they select the link in the activation email, their account will be activated. We believe this new feature will make for a much better user registration experience. For more details, see the User Registration documentation.

glFusion v1.2.0

• Add rel=“nofolllow” to bbcode url (Mark)
• Updated / new Czech translations compliments of Ivan Simunek (Mark)
• General (x)HTML compliance fixes (Eric)
• Added help text for Registration Type (Eric)
• Moved comments links to same line in story footer (Eric)
• Add check to ensure user photo physically exists, if not return default user photo (Mark)
• Added 2 new configuration options for comments: (Mark)
  • comment_postmode - set default postmode for comments (Text/HTML)
  • comment_editor - select between text box or WYSIWYG
• Implemented profile photos and custom author and group css in comments (Mark & Eric)
• Changed default comment mode to Nested (Eric)
• Fixed orphaned p tag in story footer preview when editing a story (Eric)
• Moderation: Admin interface improvements and extensive rewrite (Mark H.)
  • New feature: Only display submission lists for item types in queue
  • New feature: Display user who submitted item
• Story Admin: Admin interface improvements and code scrub (Mark H.)
• Convert session cookie to use MD5 token instead of random number (Mark)
• Use mt_rand() instead of rand() and seed once per session (Mark)
• Ensure rating value is properly formatted and escaped prior to inserting into database (Mark)
• New option for block location - all except home page (Mark)
• Layout on Register screen now matches the layout on Login screen (Eric)
• Allow users to select their own passwords and implement verification email (Mark)
• Ratings were not moved to new story when story id changed (Mark)
• Fixed default username and password being translated accidentally (Eric)
• Improved bbcode cheat sheet based on nouveau theme (Eric)
• Updated public_html/docs/config.html with new search info (Eric)
• Added ability to create remote users (when enabled) (Mark)
• Move services dropdown after password on login forms (Mark)
• Implement skip token re-init on admin auth (Mark)
• Topic block - do not mark inactive if $topic is blank (Mark)
• New permission - stats.view - controls access to Stats page (Mark)
• Added wrapper static page widget (Eric)
• Plugin Admin: Code scrub/UI improvements (Mark H.)
• Topic Admin: New list-based manager, code scrub/UI improvements (Mark H.)
  • New feature: Client-side validation for required fields (Mark)
• General E_ALL fixes (Mark)
• Updated FCKeditor to v2.6.6 (Mark)
• Clean up search results a bit (improve formatting) (Mark)
• Implemented sort story by option in topics (Mark)
• Implemented COM_truncateHTML() in feeds - ported from Geeklog (Mark)
• Moved Multiple Language configuration options to their own fieldset in hopes this will remove some of the confusion on these fields (Mark)
• Added ability for plugins to specify admin group flag and default flag during auto install. (Mark)
• Updated all bundled plugins to properly set admin group flag. (Mark)
• Removed $_SYSTEM['skip_ip_check'] now use online configuration : Session IP Validation - select how much of the IP to validate or disable completely (Mark)
• Removed configuration option: default search order, it simply doesn't make sense to allow alternative sort methods with the weighting that goes on with the results. (Mark)
• Administrative function access now requires the user to re-authenticate (Mark)
• New database function - DB_escapeString(), this should be used instead of addslashes() to escape data prior to using in a SQL query (Mark)
• Validate block name in blocks editor to ensure no space or other special characters (Mark)
• If errors during block edit, do not reset form, save data from submission so users do not loose data if an error (Mark)
• Do not use username as the name of the user's profile photo, use uid instead, this solves issues with various file systems (Mark)
• All Admin Utilities: User interface improvements & code scrub (Mark H.)
  • Improved/added language strings
  • Reformatted columns, new icons
  • Allow alignment of columns (left/center/right)
  • Extend/reformat 'check all' action col/row (eg. see User Batch Admin)
  • New 'Clear Search' button when search is used
  • Resubmit when select/checkbox/button is clicked
• Block Admin: User interface improvements (Mark H.)
  • Eliminate search/limit/paging options (they didn't work right anyway)
  • New feature: Delete (w/popup confirmation) direction from list
  • Disabled blocks displayed as 'greyed-out'
• User Admin: User interface improvement and code scrub (Mark H.)
  • Closer integration with Group Admin
  • New feature: Group filter/select dropdown (used by Group user list)
  • New feature: Send eMail to User via Mail Utility or local client
  • Batch Admin: User interface improvement, new eMail links, new action row
  • Pref Editor: Reformatted column
• Group Admin: User interface improvement and code scrub (Mark H.)
  • Closer integration with User Admin
  • New feature: Send eMail to Group via Mail Utility or local client
• Mail Utility: User interface improvements (Mark H.)
  • Template tweaked to make better use of vert/horiz space
  • New feature: Can be invoked from any (authenticated) site source
  • New feature: Can be invoked from User or Group admin
  • New feature: User privacy option override conditionally displayed
• Content Syndication: User interface improvement and code scrub (Mark H.)
  • New feature: Delete (w/popup confirmation) directly from list
  • Disabled items displayed as 'greyed-out'
• Moderation (Submissions): User interface improvements (Mark H.)
  • Implementation of new 'check all' action row
• Added missing article_comment_close_enabled configuration setting (Mark)
• Fixed issue when enabling a plugin that no longer exists in the directory tree (Mark)
• Implemented the Portable PHP password hashing framework (Mark)
• Enhanced the advanced search screen (Mark)
• Reworked username standards ” < > $ % & * are not allowed in username (Mark)
• What's New block now uses <ul> class list-new-articles for stories (Mark)
• Modified LDAP class so filter variable is now a configuration option (Mark)
• Modified My Account block to use blockheader-list templates. Removed the hard coded <ul> / </ul> in code. (Mark)
• Added new block option: login_block, admin can now specify custom block template for login block (see theme's functions.php) (Mark)
• New BBCode editor API (Mark)
• New Environment Check option in Command & Control Screen. Removed PHP info link from MG admin screen (Mark)
• New Admin Global User Preference Editor - allows admin to change some preferences for all users (Mark)
• Admin user editor now supports editing all user attributes (Mark)
• Feature to allow groups be applied for all new users (Mark)
• Yet another fix to the ATOM webservices publishing code (Mark)
• Improved error detection on file uploads - ensure proper errors are reported (Mark)
• Fixed namespace conflicts with DokuWiki 2.0 plugin (Mark)
• Complete implementation of PLG_getItemInfo for each bundled plugin. (Mark)
• Implemented reset rating for stories (Mark)
• Implemented site upgrade check/reminder (Mark H.)
• Implemented block-specific styling, eg. block div id=block_name (Mark H.)

Calendar Plugin

• Enforce login required on event view (event.php) (Mark)
• Admin interface improvements & code scrub (Mark H.)
  • New feature: JS date picker for start/end dates
  • New feature: Ability to enable/disable events
  • New feature: Auto-set event end month/day/year/hour/minute to event start
  • New feature: Client-side validation for required fields
  • New feature: Suppress input fields for hr/min/ampm if all day event
• If auto tag is not given event id, return original conten (Mark)
• Add configuration option to select which blocks display (Mark)

CAPTCHA Plugin

• Re-freshed CAPTCHA layouts (Eric and Mark H.)
• Exclude 0,O,1,I,L from dynamic CAPTCHA generation (Mark)
• Link and Calendar submissions did not work with reCAPTCHA (Mark)
• Updated CAPTCHA and reCAPTCHA layouts (Eric)

FileMgmt Plugin

• Add new configuration option 'Silent Edit Default' (Mark)
• Fixed SQL error on file submissions when filemgmt Admin group has been renamed (Mark)
• Creating new categories did not properly set the upload permission (Mark)
• Do not allow users access to the upload form if they do not have permission to upload to any categories. (Mark)
• Add configuration option to select which blocks display (Mark)
• Implemented configuration option to turn on / off ratings (Mark)

Forum Plugin

• Fixed sorting on New Posts (Mark)
• Use admin lists for site member report (Mark)
• Translate <>& in posts when created with WYSIWYG editor (Mark)
• Fixed issue where users would continue to receive new post notification if their permission to view forum was removed (Mark)
• If forum has RSS link, display the RSS subscribe button (Mark)
• Properly clean up attached file to posts that are canceled (Mark)
• Several improvements to the phpBB3 import utility, thanks to wootcat for providing a recent phpBB3 database backup for testing. (Mark)
  • ability to import bbcode signatures
  • ability to purge existing glFusion users prior to import
• Fixed issue where deleting a post did not update last post info for the topic properly (Mark)
• Implemented user option to enable / disable WYSIWYG editor (Mark)
• Implemented merge topic feature (Mark)
• Rewrote the moderation system to be more procedural. This will help with future enhancements to moderation features (Mark)
• Site Members report did not honor Forum Activity checkbox (Mark)
• Implemented per topic options (Disable BBCode, Disable Smilies, Disable URL Parse) (Mark)
  • 3 new Forum configuration options to set the default value for each of the new features
• Implemented automatic URL parsing for topics (Mark)
• Implemented user preference to specify view topic sort order (Mark)

Links Plugin

• Admin interface improvements and partial scrub (Mark H.)
• Add configuration option to select which blocks display (Mark)

Media Gallery Plugin

• Fixed issue where album owners would see the Delete option for media comments, but they could not actually delete the comment (Mark)
• Fixed issue where quota was not always set properly when member album enrollment was enabled (Mark)
• Option to specify centerblock for all topics except the homepage (Mark)
• Added linksrc: parameter to media auto tag to specify which image (tn/disp/orig) should be used in the direct link (Mark)
• Updated FCKeditor Media Browser plugin to support all auto tag options (Mark)
• Fixed error in raw thumbnail preview where it did not work with images other than jpg (Mark)
• Increased the width of the album jumpbox to accommodate more nested albums (Mark)
• Implemented ribbon attribute for audio auto tag, this allows the MP3 ribbon player to be embedded via auto tag. (Mark)
• Updated the MP3 ribbon player to latest version (Mark)
• Enable full screen playback with FlowPlayer by default (Mark)
• Updated Polish translations (Mark)

Polls Plugin

• code scrub and UI improvements, some template tweaks (Mark H.)
• Fixed coding error where permissions were not properly checked (Mark)
• Add configuration option to select which blocks display (Mark)

Site Tailor Plugin

• Added new menu element type: topic (Mark)

Staticpages Plugin

• Option to specify centerblock for all topics except the homepage (Mark)
• Admin interface improvements & code scrub (Mark H.)
  • New feature: Ability to enable/disable staticpages

v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.1
v1.0.0