I've released 1.0.4 because of the security problem I posted about a little more than a week ago. It was found by Clancy Malcolm of Cybersource. For more info about them, check out the Web site: <http://www.cyber.com.au/>.

The fix was relatively simple, and it involved adding a few lines to modules/include/init. It was also pretty easy to exploit the bug, which allowed you to act as if you had admin permissions. The explanation for why, however, is somewhat complex. It hinges on how PHP allows you to treat a string like an array.

Anyway, the bug seems to be squashed in 1.0.4. Anyone who hasn't fixed it in their own sites, you may be able to simply replace modules/include/init with the one from the newest version. If not, you can splice in these three lines:

    unset($UserInfo);
    unset($Session_User);
    unset($ActiveInvoice);

into the two places they go. You'll have to compare your file to the archive in this case to find the exact position.

---
Leon Atkinson
<http://www.leonatkinson.com/>

------------------------------------------------------------
Site: http://www.working-dogs.com/freetrade/

