After nearly 2 months of testing and development I am happy to announce the release of FUDforum 2.7.3, the new stable version. This is primarily a bug-fix release and all users, especially those of the 2.7 series, are encouraged to upgrade to it. The upgrade and installation scripts are available at the URLs listed below:

Install Script
Upgrade Script

As far as the changes go, this version is virtually identical to the prior release candidate. The one major addition was the integration of the Indonesian translation, which now makes the forum available in a whopping 26 languages, 2 more than in the prior stable release. There were a few minor bug fixes as well, details of which can be found below.

Rework emoticon display popup.
Decode HTML entities in message subjects.
Do not restrict length of error messages.
ESMTP compatibility changes in FUD's SMTP wrapper.
When using FUDforum's SMTP gateway, allow admin to choose the SMTP port on which to connect.
Added Indonesian translation.
Fixed a bug wi...

I am in release mode this week, first PHP 5.1.0RC3, now FUDforum 2.7.3RC3. Number three seems to work well for me :-). Since FUDforum's RC2 there have been a surprising number of small bug fixes, many of the important ones aimed at improving (coughfixingcough) the PostgreSQL support, which now appears to work quite well. So, to ensure that is indeed the case, I've decided to make another release candidate. The upgrade and installer scripts can be found at their usual locations, but here are the direct URLs to them anyway :-).

Upgrade Script
Installer Script

Complete Changelog:

Updated Korean and Japanese translations.
Fixed ignoring of override on the admin mass-mail control panel.
Changed error logging format to be plain-text rather than base64.
Allow mass-email control panel to send messages via private messages.
Made PostgreSQL duplicate key check locale safe.
When sending PM based on a message, use message subject as the pre-set PM subject.
Use INCLUDE setting rather t...

Those of you monitoring the PHP development mailing list probably know that I've taken over from Andi as far as PHP 5.1 Release Management. Today I am happy to announce that the second (yes, I know it's RC3) release candidate of PHP 5.1.0 is out and available for testing. You can grab the source snapshots from here: http://downloads.php.net/ilia/ If you have some spare time in the next week or two, please take a moment to try out 5.1.0 and see if it works with your code/programs. The majority of the test suite passes with this release, so the only remaining issues are those waiting to be discovered through "real-life" testing.

To all the people who carelessly claim that Cross Site Scripting (XSS) is not a real security problem, here is definitive proof that the threat is quite real. A very creative user of MySpace, Samy, created a little self-propagating worm via a stored XSS attack. He was able to inject raw HTML into his profile by breaking the normally disallowed "javascript" into components, relying on IE to "combine" it back together. This code snippet then utilized XMLHttpRequest, usually used for Ajax, to execute a request in the background that would cause the viewer to transparently add Samy (author of the trick) to their buddy list. The "worm" component of the hack used the same code to insert the attack HTML sequence into the profiles of compromised users, allowing the hack to self-propagate. The attack process and why it was possible is explained in a fair amount of detail here. It should be noted that while Samy was careful not to cause any lasting damage, a more malicious person could have used the same code to do a w...
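The lesson of the split-token trick above is that substring blacklists on user HTML do not hold. As an added example (my own code, not from the original post, MySpace or FUDforum), here is the allowlist approach in PHP: every tag and attribute not on an assumed small allowlist is dropped, and href is validated by scheme, so there is no banned word for a split value to slip past.

```php
<?php
// Added example (not code from the original post, MySpace or FUDforum): an
// allowlist sanitiser for user-supplied profile HTML. Unknown tags are unwrapped,
// script/style dropped outright, unknown attributes removed, and href must be an
// absolute http(s) URL. Nothing is matched by substring, so a token split across
// a newline has no filter to evade.
const ALLOWED_TAGS      = ['b', 'i', 'p', 'br', 'a'];   // assumed allowlist
const ALLOWED_ATTRS     = ['a' => ['href']];
const DROP_WITH_CONTENT = ['script', 'style'];

function isSafeHref(string $href): bool
{
    $scheme = parse_url(trim($href), PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true)
        && !preg_match('/[\x00-\x1F\x7F]/', $href);     // reject control chars
}

function sanitizeProfileHtml(string $untrusted): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                   // tolerate sloppy markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $untrusted . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                      // our wrapper <div>
    // Snapshot first: the NodeList is live and shrinks as nodes are removed.
    foreach (iterator_to_array($doc->getElementsByTagName('*')) as $el) {
        if ($el === $root || $el->parentNode === null) { continue; }
        $tag = strtolower($el->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {      // unwrap: keep text only
            while ($el->firstChild) { $el->parentNode->insertBefore($el->firstChild, $el); }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
               && ($name !== 'href' || isSafeHref($attr->value));
            if (!$ok) { $el->removeAttribute($attr->name); }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
// Constructed sample: allowed markup, a styled div, and a split "javascript:" href.
echo sanitizeProfileHtml('<b>hi</b><div style="color:red">t</div><a href="java' . "\n" . 'script:x">l</a>');
```

The div loses its style and is unwrapped to its text, and the link keeps its tag but loses the href, since the decoded value has neither an http(s) scheme nor a clean character set.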

I am happy to announce that the SQL Injection chapter from my book, Guide to PHP Security has been published on MySQL's developer zone. You can find this chapter here.