The team at glFusion.org is pleased to announce that glFusion v1.1.3 is now available for download! This release contains some critical security fixes along with several minor bug fixes.
- SQL Injection issue which could allow an attacker to gain access to any user's password hash. This was a very serious vulnerability which could allow your admin user account to become compromised.
- User Masquerading which could allow an attacker to log in as any user if they knew the password hash of the user. By setting the appropriate cookie on their own browser, they could bypass the user name / password screen and log in directly. Combined with the SQL Injection issue above, this would allow an attacker to easily log in as any user.
- Cross Site Scripting (XSS) Issue which could allow an attacker to use a glFusion site in cross site scripting attacks.
All of these issues have been fixed in glFusion v1.1.3 and some additional checks have been included to help prevent future issues like these.
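The user masquerading issue above comes down to a cookie whose value is password-equivalent. The following sketch is an added illustration of that general pattern beside a hardened alternative; it is not glFusion code, and every function name, the in-memory arrays standing in for database tables, and the sample user are hypothetical.

```php
<?php
// Added illustration, not glFusion code. All names are hypothetical.

// Constructed sample user row: the password hash as stored in a users table.
$users  = [7 => ['name' => 'admin', 'passwd' => hash('sha256', 'constructed-sample-password')]];
$tokens = []; // stands in for a server-side persistent-login table

// Weak pattern: the cookie is accepted when it equals the stored password hash,
// so anyone who learns the hash holds a working credential without the password.
function weakCookieLogin(array $users, int $uid, string $cookie): bool
{
    return isset($users[$uid]) && $cookie === $users[$uid]['passwd'];
}

// Hardened pattern: issue a random token and store only its SHA-256 plus an expiry.
// A read of the token table then yields nothing that can be replayed as a cookie.
function issueToken(array &$tokens, int $uid, int $ttl = 1209600): string
{
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = ['uid' => $uid, 'expires' => time() + $ttl];
    return $token; // send with the Secure, HttpOnly and SameSite cookie attributes
}

// Resolve a cookie to a user id, or null when the token is unknown or expired.
function tokenLogin(array $tokens, string $cookie): ?int
{
    $key = hash('sha256', $cookie);
    if (!isset($tokens[$key]) || $tokens[$key]['expires'] < time()) {
        return null;
    }
    return $tokens[$key]['uid'];
}

// A password change or logout revokes every persistent login of that user.
function revokeTokens(array &$tokens, int $uid): void
{
    $tokens = array_filter($tokens, fn($row) => $row['uid'] !== $uid);
}

$exposedHash = $users[7]['passwd'];                   // what a database read would reveal
var_dump(weakCookieLogin($users, 7, $exposedHash));   // weak check accepts the hash itself
$cookie = issueToken($tokens, 7);
var_dump(tokenLogin($tokens, $cookie));               // issued token resolves to the user
var_dump(tokenLogin($tokens, $exposedHash));          // the password hash is not a token
revokeTokens($tokens, 7);
var_dump(tokenLogin($tokens, $cookie));               // revoked token no longer works
```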
The security of your web site is very important to us. If a vulnerability is found, we try to fix it immediately. The challenge is informing our users of the risk and the fix. We now offer the glFusion Announce Mailing List that you can subscribe to. We will post all known issues and security issues to this list. We also offer a Known Issues / Security Updates RSS feed you can subscribe to as well. We recommend that you subscribe to at least one of these items.
Ability to turn on / off template caching
Caching of the template files generally provides a significant performance boost, but we have found that in some environments it can actually have a negative impact on performance. Specifically, on sites where disk access is slower, caching of the templates will slow down the site and add to the server load. A good example is Windows-based servers that use network shares to store the web directories.
You now have the ability to control whether or not the templates are cached. In the Online Configuration system, under Themes, is the new option Enable Template Caching. We recommend you run your own tests: disable caching and see how it affects the performance of your site.
If you have a custom htmlheader.thtml file, you must update it to be compatible with this change. See the Template Changes section of the documentation wiki for details.
If you are running the Chameleon Theme, you'll need to update to a version which is compatible with this change.
For a full list of changes, please see the What's New Wiki Page.