May 18 2008
It’s been almost 3 months since the release of phpFoX 1.6.20 and now there is the 1st significant security patch which affects all 1.5 and 1.6 versions of phpFoX. It works to fix a Moz Binding issue and can be installed by visiting the patch information and download thread (available to registered owners only).
Great support for a great product… as always, if you have a license you no longer need, I’m always interested in discussing a purchase of it. Please leave your email (never revealed) in a comment and I’ll be in touch.
For those interested in doing the patch, to fix the Moz Binding vulnerability, here are the instructions (thanks Porter for the tip!):
This post outlines the steps required to update your phpFoX 1.5.1 or 1.6.x for this security update.
If you’ve downloaded phpFoX 1.6.x since the time of this post, there is no need to update your installation as the main download has been updated.
It has come to our attention that a security vulnerability is present when using -moz-binding which is used with Mozilla-based applications.
phpFoX Konsort 1.5.1
phpFoX Konsort 1.6.x
Installing the Patch
To install this security patch you can visit our clients area and download the latest release of phpFox and upgrade if you are using v1.5.1. If you are using v1.6.x you can manually apply the patch by…
Opening the file: /include/classes/Text.class.php
$sStr = preg_replace('/< (.*?)>/ise', "'< '.\$this->_removeEvilAttributes('\\1').'>'", $sStr);
Under that add:
$sStr = preg_replace('/-moz-binding/i', '', $sStr);
Next open the file: /include/modules/Site/classes/PhpFox_ComponentStyleReplace.class.php
Above that add:
$aItem['css'] = preg_replace('/-moz-binding/i', '', $aItem['css']);
All the above at your own risk yadayada… I strongly recommend getting the Moz Binding download fix from phpFoX directly.
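The two added lines remove -moz-binding in a single pass, and a single pass does not re-scan text that only forms after a removal. The following is an added example (not phpFoX code and not part of the patch; the function names and sample strings are made up here) that compares the single pass with repeating the removal until the output stops changing, and checks each result for leftovers:

```php
<?php
// Added example: not phpFoX code. Function names are hypothetical.

// The replacement from the patch, wrapped in a function: one pass of removal.
function strip_moz_binding_once(string $s): string
{
    // preg_replace returns null on a regex error; fall back to the input.
    return preg_replace('/-moz-binding/i', '', $s) ?? $s;
}

// Repeat the same removal until the string stops changing, so text that
// only becomes "-moz-binding" after a removal is removed as well.
function strip_moz_binding_stable(string $s): string
{
    do {
        $before = $s;
        $s = strip_moz_binding_once($s);
    } while ($s !== $before);
    return $s;
}

// True when the sanitized output still carries the property name.
function has_moz_binding(string $s): bool
{
    return stripos($s, '-moz-binding') !== false;
}

// Constructed sample inputs (not taken from any real profile or site).
$samples = [
    'plain'  => 'body { color: red; -moz-binding: url("x.xml#a"); }',
    'mixed'  => 'div { -MOZ-Binding: url("x.xml#a"); }',
    'nested' => 'p { -moz-bin-moz-bindingding: url("x.xml#a"); }',
];

// Report, per sample, whether each variant leaves the property name behind.
foreach ($samples as $name => $css) {
    printf(
        "%-6s once=%s stable=%s\n",
        $name,
        has_moz_binding(strip_moz_binding_once($css)) ? 'RESIDUE' : 'clean',
        has_moz_binding(strip_moz_binding_stable($css)) ? 'RESIDUE' : 'clean'
    );
}
```

Running a check like has_moz_binding() on the final output is a cheap regression test to keep alongside any deny-list filter of this kind.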