glFusion v1.1.3 Released


The team at glFusion.org is pleased to announce that glFusion v1.1.3 is now available for download! This release contains some critical security fixes along with several minor bug fixes.

There are three security updates included with this release to address the following issues:

  • SQL Injection issue which could allow an attacker to gain access to any user's password hash. This was a very serious vulnerability which could allow your admin user account to become compromised.
  • User Masquerading which could allow an attacker to log in as any user if they knew the password hash of the user. By setting the appropriate cookie in their own browser, an attacker could bypass the user name / password screen and log in directly. Combined with the SQL Injection issue above, this would allow an attacker to easily log in as any user.
  • Cross Site Scripting (XSS) issue which could allow an attacker to use a glFusion site in cross site scripting attacks.

All of these issues have been fixed in glFusion v1.1.3 and some additional checks have been included to help prevent future issues like these.
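
The User Masquerading issue above comes from treating a stored password hash as a login credential. The following added example (not glFusion code and not a description of how glFusion fixed it) contrasts that cookie check with a random remember-me token of which the server keeps only a digest; the `$users` array, the function names and all values are constructed for illustration.

```php
<?php
// Added illustration, not glFusion code. $users stands in for a users table;
// the column names and every value here are constructed.
$users = [
    7 => ['name' => 'admin',
          'passwd' => hash('sha256', 'constructed-password'),
          'remember' => null],
];

// Flawed pattern: the cookie is compared with the stored password hash, so
// anyone who can read that column holds a working credential.
function weakCookieLogin(array $users, int $uid, string $cookie): bool
{
    return isset($users[$uid]) && $cookie === $users[$uid]['passwd'];
}

// Hardened pattern: issue a random token and store only its SHA-256 digest.
function issueRememberToken(array &$users, int $uid): string
{
    $token = bin2hex(random_bytes(32));
    $users[$uid]['remember'] = hash('sha256', $token);
    return $token; // this value goes into the browser cookie
}

// Accept the cookie only if its digest matches the stored digest.
function tokenCookieLogin(array $users, int $uid, string $cookie): bool
{
    $stored = $users[$uid]['remember'] ?? null;
    if (!is_string($stored) || $cookie === '') {
        return false;
    }
    return hash_equals($stored, hash('sha256', $cookie)); // constant-time compare
}

$token        = issueRememberToken($users, 7);
$leakedPasswd = $users[7]['passwd'];    // values as read from the database
$leakedDigest = $users[7]['remember'];

var_dump(weakCookieLogin($users, 7, $leakedPasswd));   // stored hash replayed as cookie
var_dump(tokenCookieLogin($users, 7, $token));         // token issued to the browser
var_dump(tokenCookieLogin($users, 7, $leakedPasswd));  // password hash replayed
var_dump(tokenCookieLogin($users, 7, $leakedDigest));  // stored digest replayed
```

With the token design, a value read out of the database is not enough to log in: the weak check accepts the stored hash, while the token check accepts only the token that was issued to the browser.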

               
 
                   

Security Notification

The security of your web site is very important to us. If a vulnerability is found, we try to fix it immediately. The challenge is informing our users of the risk and the fix. We now offer the glFusion Announce Mailing List that you can subscribe to. We will post all known issues and security issues to this list. We also offer a Known Issues / Security Updates RSS feed you can subscribe to as well. We recommend that you subscribe to at least one of these items.

 

Ability to turn on / off template caching

Caching of the template files generally provides a significant performance boost, but we have found that in some environments it can actually have a negative impact on performance. Specifically, on sites where disk access is slower, caching the templates will slow down the site and add to the server load. A good example is Windows-based servers that use network shares to store the web directories.

You now have the ability to control whether or not the templates are cached. In the Online Configuration system, under Themes, is the new option Enable Template Caching. We recommend you do your own tests, disable caching and see how it affects the performance of your site.

 

Improved CSS and JavaScript Output

glFusion v1.1.1 added a new feature to consolidate all CSS and JavaScript output into a single call for the browser. This significantly improved the page load times. Now that this feature has been well exercised, we've also discovered it can add some extra CPU load to the server. We've redesigned how the CSS and JavaScript are spooled so we now have the best of both worlds: improved page load times and no additional server load.

If you have a custom htmlheader.thtml file, you must update it to be compatible with this change. See the Template Changes section of the documentation wiki for details.

If you are running the Chameleon Theme, you'll need to update to a version which is compatible with this change.

For a full list of changes, please see the What's New Wiki Page.


by Mark

Mark is the main developer on glFusion. When not doing his real job and playing with his family, he really enjoys working on glFusion and the collaboration with the glFusion community.
