Important Moz Binding Security Patch for phpFoX 1.5.x and 1.6.x

It’s been almost 3 months since the release of phpFoX 1.6.20 and now there is the 1st significant security patch which affects all 1.5 and 1.6 versions of phpFoX. It works to fix a Moz Binding issue and can be installed by visiting the patch information and download thread (available to registered owners only).

Great support for a great product… as always if you have a license you no longer need, I’m always interested in discussing a purchase of it. Please leave your email (never revealed) in a comment and I’ll be in touch.

For those interested in doing the patch, to fix the Moz Binding vulnerability, here are the instructions (thanks Porter for the tip!):

 

This post outlines the steps required to update your phpFoX 1.5.1 or 1.6.x for this security update.

If you’ve downloaded phpFoX 1.6.x since the time of this post, there is no need to update your installation as the main download has been updated.

Overview
It has come to our attention that a security vulnerability is present when using -moz-binding which is used with Mozilla-based applications.

Affected Files
/include/classes/Text.class.php
/include/modules/Site/classes/PhpFox_ComponentStyleReplace.class.php

Affected Versions
phpFoX Konsort 1.5.1
phpFoX Konsort 1.6.x

Installing the Patch
To install this security patch you can visit our clients area and download the latest release of phpFox and upgrade if you are using v1.5.1. If you are using v1.6.x you can manually apply the patch by…

Opening the file: /include/classes/Text.class.php

Look for:

PHP Code:
$sStr = preg_replace('/< (.*?)>/ise', "'< '.\$this->_removeEvilAttributes('\\1').'>'", $sStr);

Under that add:

PHP Code:
$sStr = preg_replace('/-moz-binding/i', '', $sStr);

Next open the file: /include/modules/Site/classes/PhpFox_ComponentStyleReplace.class.php

Look for:

PHP Code:
$this->oTpl->assignSrc('aStyleReplace', $aStyleReplace);

Above that add:

PHP Code:
$aItem['css'] = preg_replace('/-moz-binding/i', '', $aItem['css']);
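
To confirm that both manual edits are present and sit on the correct side of the lines they are anchored to, a check like the following can be run from a shell on the server. It is an added example, not part of the phpFoX patch or the original instructions; the function names and the script name are hypothetical, and it assumes the edits were typed exactly as shown above.

```shell
#!/bin/sh
# Added example: confirm the two manual edits are present and correctly placed.
# Matching is on fixed strings, so an edit typed with different spacing or
# quoting is reported as MISSING and should be inspected by hand.

# line_of FILE STRING: print the number of the first line containing STRING.
line_of() {
    grep -n -F -- "$2" "$1" 2>/dev/null | head -n 1 | cut -d: -f1
}

# in_order FILE FIRST SECOND: succeed only if both strings occur in FILE
# and FIRST is on an earlier line than SECOND.
in_order() {
    first=$(line_of "$1" "$2")
    second=$(line_of "$1" "$3")
    [ -n "$first" ] && [ -n "$second" ] && [ "$first" -lt "$second" ]
}

# check_moz_binding_patch ROOT: ROOT is the phpFoX installation directory.
# Returns 0 when both files carry the patch, 1 otherwise.
check_moz_binding_patch() {
    root=$1
    rc=0
    text="$root/include/classes/Text.class.php"
    style="$root/include/modules/Site/classes/PhpFox_ComponentStyleReplace.class.php"
    strip="preg_replace('/-moz-binding/i'"

    # Text.class.php: the strip goes under the _removeEvilAttributes() call.
    if in_order "$text" "_removeEvilAttributes('" "$strip"; then
        echo "OK      $text"
    else
        echo "MISSING $text"; rc=1
    fi

    # PhpFox_ComponentStyleReplace.class.php: the strip goes above assignSrc().
    if in_order "$style" "\$aItem['css'] = $strip" "assignSrc('aStyleReplace'"; then
        echo "OK      $style"
    else
        echo "MISSING $style"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_patch.sh /path/to/phpfox
if [ "$#" -gt 0 ]; then
    check_moz_binding_patch "$1"
fi
```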

All the above at your own risk yadayada… I strongly recommend getting the Moz Binding download fix from phpFoX directly.