Security release JFusion 1.5.5

Postby mariusvr on Sun Feb 06, 2011 4:53 am

Hello JFusion Fans,

It was brought to our attention yesterday that JFusion could have a vulnerability after a helpful JFusion user noticed a failed attack in their server logs. We take security extremely seriously at JFusion, and within 24 hours of being notified this vulnerability is fixed in JFusion. Many thanks to the people on three different continents who have worked around the clock for this fix.

Only people that run "frameless integration" using phpBB3, SMF, DokuWiki and Gallery2 are affected if their Apache web server allows the execution of commands frequently used by hackers; this then allowed a hacker to expose other vulnerable software on your server. The issue was with the regex replace command used for frameless mode, which allowed evaluation of expressions inserted into URLs on some pages. JFusion now no longer uses this type of regex expression in our code base.

We strongly recommend that you upgrade to JFusion 1.5.5 immediately to prevent hackers using JFusion to find other vulnerabilities on only some servers with frameless mode enabled. We sincerely apologise for any inconvenience. Our commitment to security is strong, as we fix any issue within 24 hours.

You can update your JFusion installation with a single click through the JFusion version checker, or you can manually download JFusion 1.5.5 from the download section on our website.

We are nearing the release of JFusion 1.6 beta after our first alpha release. Many thanks to all the people that help test JFusion on the new Joomla 1.6.0. Almost all outstanding issues have been fixed and we will announce when JFusion 1.6 is ready for beta testing.

Thank you for your support, Marius
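An added example, not part of the original post or JFusion's code: a small Python check for auditing PHP extensions for the kind of evaluating regex replace the announcement describes. It assumes that construct is PHP's `preg_replace()` with the `e` pattern modifier, which the post does not name; the PHP lines in `SAMPLE` are constructed.

```python
import re

# First argument of a preg_replace() call when it is a quoted string literal.
# preg_replace_callback() is not matched: "_callback" sits between the name and "(".
CALL = re.compile(r"""\bpreg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""", re.S)

# PCRE patterns may use bracket pairs as delimiters, e.g. {pattern}e
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def modifiers(pattern):
    """Return the modifier letters that follow the closing PCRE delimiter."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    close = CLOSERS.get(pattern[0], pattern[0])
    end = pattern.rfind(close)
    return pattern[end + 1:] if end > 0 else ""


def find_eval_regex(php_source):
    """List (line, pattern) for preg_replace() calls using the 'e' modifier.

    With 'e', PHP substituted the captured groups into the replacement
    string and then evaluated the result as PHP code (deprecated in
    PHP 5.5, removed in PHP 7.0). Patterns built from variables or passed
    as arrays are outside what this literal-only check can see.
    """
    hits = []
    for m in CALL.finditer(php_source):
        mods = modifiers(m.group(2))
        if mods.isalpha() and "e" in mods:
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(2)))
    return hits


# Constructed PHP sample (assumption for illustration, not JFusion source).
SAMPLE = r'''<?php
// constructed sample
$a = preg_replace('#href="(.*?)"#mSie', "fixUrl('\\1')", $html);
$b = preg_replace('/\s+/', ' ', $text);
$c = preg_replace_callback('#href="(.*?)"#mSi', 'fixUrlCb', $html);
$d = preg_replace("~(\w+)~e", 'strtoupper("$1")', $text);
'''

if __name__ == "__main__":
    for line, pattern in find_eval_regex(SAMPLE):
        print(f"line {line}: evaluating modifier in {pattern}")
```

Lines flagged by the check are candidates for rewriting with `preg_replace_callback()`, where the captured text reaches a function as data instead of being evaluated.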

Re: Security release JFusion 1.5.5

Postby Peter_AUS on Sun Feb 06, 2011 10:33 pm

Need to change it on the front page on the right for the download link.

Thanks for the email out, not sure if it affected me or not, but updated anyway.
Regards,

Peter

Re: Security release JFusion 1.5.5

Postby fanno on Mon Feb 07, 2011 10:12 am

It is actually 1.5.5, the image has just not been updated yet!
Fanno
_________________________________
Developer
Specialist on SMF, DokuWiki , Mantis, Eventum, Mediawiki, Universal plugin


Review us at!
http://extensions.joomla.org/extensions/3723/details

Re: Security release JFusion 1.5.5

Postby Peter_AUS on Mon Feb 07, 2011 10:10 pm

Thanks, just thought people might get a bit confused with the different indicators for latest release.
Regards,

Peter

Re: Security release JFusion 1.5.5

Postby fanno on Mon Feb 07, 2011 11:41 pm

Peter_AUS wrote: Thanks, just thought people might get a bit confused with the different indicators for latest release.

I understand, I just don't have time to update the pic.
Fanno

Re: Security release JFusion 1.5.5

Postby Peter_AUS on Wed Feb 09, 2011 12:21 am

It has been updated.
Regards,

Peter

Re: Security release JFusion 1.5.5

Postby fanno on Wed Feb 09, 2011 6:49 am

Peter_AUS wrote: It has been updated.

Ya, I know =P but I changed it so it is no longer an image with the version number in it.. now it is a blank image with text floating over it.

Saves us time.
Fanno

Re: Security release JFusion 1.5.5

Postby Webcie on Tue Mar 01, 2011 3:18 pm

Any update on the 1.6 progress? 14 February is long ago and I haven't found any news on the progress of it.

Re: Security release JFusion 1.5.5

Postby zaminur143 on Thu Mar 17, 2011 4:16 am

We strongly recommend that you upgrade to JFusion 1.5.5 immediately to prevent hackers using JFusion to find other vulnerabilities on only some servers with frameless mode enabled. We sincerely apologise for any inconvenience. Our commitment to security is strong, as we fix any issue within 24 hours

We are nearing the release of JFusion 1.6 beta after our first alpha release. Many thanks to all the people that help test JFusion on the new Joomla 1.6.0. Almost all outstanding issues have been fixed and we will announce when JFusion 1.6 is ready for beta testing

Thanks Marius, I would have to upgrade 1.5.5 immediately. Happy to get your suggestion. I am wondering about JFusion 1.6. Is it more reliable?
Zaminur

Re: Security release JFusion 1.5.5

Postby fanno on Thu Mar 17, 2011 11:14 am

zaminur143 wrote:
We strongly recommend that you upgrade to JFusion 1.5.5 immediately to prevent hackers using JFusion to find other vulnerabilities on only some servers with frameless mode enabled. We sincerely apologise for any inconvenience. Our commitment to security is strong, as we fix any issue within 24 hours

We are nearing the release of JFusion 1.6 beta after our first alpha release. Many thanks to all the people that help test JFusion on the new Joomla 1.6.0. Almost all outstanding issues have been fixed and we will announce when JFusion 1.6 is ready for beta testing

Thanks Marius, I would have to upgrade 1.5.5 immediately. Happy to get your suggestion. I am wondering about JFusion 1.6. Is it more reliable?


lf 1.6 is getting there but it is not 100% ready yet
Fanno
