Bitrix alerts about Trojan program disguising as updates for Bitrix security framework

Submitted by bitrix on

The Trojan installs a keylogger capable of capturing keystrokes, including usernames, passwords and credit card numbers.

Bitrix, Inc. (www.bitrixsoft.com), a technology trendsetter in business communications solutions, alerts customers about the existence of a Trojan program pretending to be the Bitrix security framework. The Trojan is capable of stealing confidential data from infected computers and received the highest threat level from malware experts.

Identified as a part of the “Agent” malware family, the Trojan is presumably spread using mass mailing of spam and malicious links. The malware can be delivered to the target computer in different flavors including pretending to be a Microsoft Silverlight or Bitrix security update. If a user launches the infected file, the Trojan installs itself into the system by creating multiple files and registering itself in the system registry. After installation the malware unobtrusively runs in the background, captures keystrokes and sends out collected data to an external service. This way a malicious person can obtain the user’s confidential information including username, password and credit card number.

The Trojan can be identified by the presence of a “Bitrix Security” folder in the application data directory, which contains a number of supplementary files and a run-time library under randomly generated names (for example xaukvmm60.dll).

Bitrix recommends that users update their virus scanners and check their computers against this malicious program.

Read more about how to protect your web assets against web-borne malware in a dedicated white paper "10 Ways to Keep Hackers in Check and Ensure Safe Web Resources" by Marcel Nizam, Head of Web Security Development at Bitrix, Inc.
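The advisory gives one host-based indicator: a "Bitrix Security" folder under the application data directory holding a run-time library with a randomly generated name. The script below is an added example, not Bitrix's code or tooling, that turns that indicator into a check an administrator could run on a suspect machine. It assumes the folder lives under the per-user APPDATA or LOCALAPPDATA directories (the advisory says only "application data directory") and that the random library names look like the advisory's sample, lowercase letters and digits followed by .dll; the sample profile it builds is a constructed fixture with empty files, not malware.

```python
import os
import re
import tempfile
from pathlib import Path

# Folder name the advisory gives as the Trojan's install location.
INDICATOR_FOLDER = "Bitrix Security"

# Heuristic for the randomly generated library names the advisory describes
# (its example is xaukvmm60.dll): a short run of letters and digits, then .dll.
# Assumption: the names follow that shape; adjust if your samples differ.
RANDOM_DLL = re.compile(r"^[a-z0-9]{6,12}\.dll$", re.IGNORECASE)


def candidate_roots():
    """Application-data roots to inspect.

    Assumption: the Trojan writes to the per-user roaming or local profile,
    so both environment variables are checked when present.
    """
    roots = []
    for var in ("APPDATA", "LOCALAPPDATA"):
        value = os.environ.get(var)
        if value:
            roots.append(Path(value))
    return roots


def scan_root(root):
    """Return a finding dict for one application-data root, or None if clean."""
    folder = Path(root) / INDICATOR_FOLDER
    if not folder.is_dir():
        return None
    files = sorted(p.name for p in folder.iterdir() if p.is_file())
    suspicious = [name for name in files if RANDOM_DLL.match(name)]
    return {"folder": str(folder), "files": files, "random_named_dlls": suspicious}


def scan(roots=None):
    """Scan every root (default: the user's application-data directories)."""
    findings = []
    for root in (roots if roots is not None else candidate_roots()):
        finding = scan_root(root)
        if finding:
            findings.append(finding)
    return findings


def build_sample_profile():
    """Constructed fixture that mimics an infected profile layout.

    The files are empty placeholders; only the names matter for the check.
    """
    base = Path(tempfile.mkdtemp(prefix="appdata_"))
    folder = base / INDICATOR_FOLDER
    folder.mkdir()
    (folder / "xaukvmm60.dll").write_bytes(b"")      # name from the advisory
    (folder / "settings.ini").write_text("[x]\n")    # "supplementary file"
    return base


if __name__ == "__main__":
    # Run against the constructed fixture; drop the argument to scan the real profile.
    for finding in scan([build_sample_profile()]):
        print(finding)
```

A hit on the folder name alone is a strong enough signal to quarantine the machine for a scanner run; the DLL-name heuristic only ranks which file to submit for analysis, since a legitimate Bitrix install does not place a randomly named library there.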

Something bad going on with PHP-Fusion

Submitted by Bryan on

Yesterday, PHP-Fusion announced that someone had hacked into their site and changed the download link for PHP-Fusion Version 7.

Hello all,

We had an issue a few days ago where a malicious person gained
access to our site as a super administrator via a weak account/gained
password. They apparently changed the download link of PHP-Fusion
version 7 to spendspace and it was packaged as a .rar file.

If you downloaded one of these files, please reinstall your entire site using a fresh copy from SourceForge.

While this isn't a good thing, it is a positive that PHP-Fusion disclosed the possibility that the link led to a version of PHP-Fusion that may have been maliciously changed. I can recall a number of other projects (open source and proprietary) that have found their source code made vulnerable by someone intruding into their servers. What is always important to customers in these cases is disclosure and transparency. So far, PHP-Fusion seems to be doing the right thing.

However, as of this Thursday morning, it looks like PHP-Fusion's hosting company has suspended their account. At the time of this writing, there are no words given as to the reasons for the suspension. I suspect the suspension is likely to be security related. Perhaps we'll see an announcement at SourceForge on the status of PHP-Fusion if their home site doesn't come back online soon.
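The PHP-Fusion announcement describes a classic download-substitution attack: the link was pointed at a repackaged .rar where the project ships something else. The script below is an added example, not PHP-Fusion's or SourceForge's code, of the two checks a user can make before installing a downloaded package: does the file's magic number match the archive type the project publishes, and does its SHA-256 match a digest obtained from an independent channel. The "published" digest here is a placeholder computed from a constructed zip fixture, standing in for a checksum the project would post separately; the .rar fixture is a few bytes of header, not a real archive.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

# Leading bytes of common archive formats (assumption: the project ships a zip).
MAGIC = {
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "gzip": b"\x1f\x8b",
}


def detect_archive_type(data):
    """Classify a file by its leading bytes rather than by its extension."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def verify_download(path, published_sha256, expected_type="zip"):
    """Return (ok, problems) for a downloaded package.

    published_sha256 must come from a channel other than the download link
    itself (mailing list, signed release note); a checksum on the same
    compromised page proves nothing.
    """
    data = Path(path).read_bytes()
    problems = []
    actual_type = detect_archive_type(data)
    if actual_type != expected_type:
        problems.append(f"archive type is {actual_type}, expected {expected_type}")
    digest = hashlib.sha256(data).hexdigest()
    if digest != published_sha256.lower():
        problems.append(f"sha256 mismatch: got {digest}")
    return (not problems, problems)


def build_fixtures():
    """Constructed fixtures: a genuine-looking zip and a swapped-in .rar."""
    tmp = Path(tempfile.mkdtemp(prefix="dl_"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("php-fusion/README", "constructed genuine package\n")
    genuine = tmp / "php-fusion-7.zip"
    genuine.write_bytes(buf.getvalue())
    tampered = tmp / "php-fusion-7.rar"
    tampered.write_bytes(MAGIC["rar"] + b"\x00" * 32)   # header only, not an archive
    return genuine, tampered


if __name__ == "__main__":
    genuine, tampered = build_fixtures()
    # Placeholder for the out-of-band published checksum.
    published = sha256_of(genuine)
    for f in (genuine, tampered):
        print(f.name, verify_download(f, published))
```

The type check catches the cheap swap the announcement describes (a .rar where a zip is expected); the digest check catches the harder case where the attacker repackages a trojaned build in the right format. Neither helps if the checksum is read from the same compromised download page, which is why the digest argument is documented as coming from elsewhere.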

Technorati ignoring vulnerable Wordpress blogs

Submitted by Bryan on

A couple months ago, Technorati announced that users of Wordpress needed to upgrade to the latest available version (now at Version 2.5). This week, Technorati announced that blogs remaining vulnerable to identified security exploits may no longer be indexed by their service.

Because of this ongoing problem, we're discontinuing processing crawls of blogs that exhibit common symptoms of being compromised. We strongly recommend upgrading your WordPress installation. Even if you haven't been afflicted by a compromise, by the time you are aware that you have been a number of negative consequences may have already occurred (for instance, flagged spam by Technorati, Google or Yahoo!) -- this has been reported by many WordPress users.

By not upgrading your software, the search engine services may block your site from being listed. I can't think of a greater incentive to update your content management software to the latest version than the threat of being delisted. This is a bold move by Technorati. I'm personally glad Technorati is taking a stand against sites hosting older versions of Wordpress with the known security holes. In my opinion, there really isn't a good reason you shouldn't be upgrading your Wordpress site to the latest version.
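Technorati's policy amounts to an automated check for outdated WordPress installs. The script below is an added example, not Technorati's crawler logic, of the simplest form of such a check: read the version WordPress advertises in its generator meta tag and compare it against the minimum the post names (2.5). The HTML pages are constructed samples. It assumes the generator tag is present with the attribute order shown; many sites strip or spoof that tag, so an absent tag yields "unknown", never "current".

```python
import re

# Minimum acceptable version, taken from the post ("now at Version 2.5").
MINIMUM_VERSION = (2, 5)

# Assumption: the tag appears as WordPress emits it, name before content.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s*([0-9][0-9.]*)"',
    re.IGNORECASE,
)


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); tuples compare component-wise, so 2.5 > 2.3.1."""
    return tuple(int(part) for part in text.strip(".").split("."))


def detect_wordpress_version(html):
    """Return the advertised version tuple, or None if no generator tag is found."""
    match = GENERATOR_RE.search(html)
    return parse_version(match.group(1)) if match else None


def assess(html, minimum=MINIMUM_VERSION):
    """Classify a page as current, outdated, or unknown (tag missing or hidden)."""
    version = detect_wordpress_version(html)
    if version is None:
        return "unknown"
    return "current" if version >= minimum else "outdated"


# Constructed sample pages, not fetched from any real blog.
SAMPLE_PAGES = {
    "old": '<html><head><meta name="generator" content="WordPress 2.3.1" /></head></html>',
    "new": '<html><head><meta name="generator" content="WordPress 2.5" /></head></html>',
    "hidden": '<html><head><title>no generator tag</title></head></html>',
}


def assess_samples():
    return {name: assess(page) for name, page in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for name, verdict in assess_samples().items():
        print(f"{name}: {verdict}")
```

For your own sites, the version in wp-includes/version.php is the authoritative source; the generator tag is what an outside service like a search engine can see, which is why removing the tag hides the site from this kind of check without making it any less vulnerable.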

Serendipity 1.3 Released

Submitted by Bryan on

Serendipity 1.3 has been released. This new version of the blogging application introduces 41 changes. Not only are enhancements and additional features introduced, but also changes to address a nasty cross site scripting issue (security exploit).

Some of the more significant features and enhancements for Serendipity 1.3 include:

  • The karma rating plugin has been upgraded to support nice, CSS-based rating graphics (see this post) and an overall overhaul of its coding.
  • Make the Spartacus plugin be able to use FTP upload, a workaround for SafeMode PHP restrictions. Also add a remote backend for plugin update checks.
  • Import scripts for phpNuke and lifetype.

MediaWiki: Security and Bug fixer release

Submitted by Bryan on

Updated versions of MediaWiki addressing some security issues have been released: MediaWiki 1.11.1, 1.10.3, and 1.9.5.

This is a security and bugfix release of the Fall, Spring, and Winter 2007 snapshot releases of MediaWiki. A potential XSS injection vector affecting api.php only for Microsoft Internet Explorer users has been closed.

To work around the vulnerability without upgrading, you may disable the API if you don't need it:

    $wgEnableAPI = false;


Security flaw in Google Toolbar

Submitted by Bryan on

This is why I'm very cautious in using any type of search engine toolbar (Google, Yahoo, etc).

Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.

The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else.

More information can be found at InfoWorld.

Nucleus v3.24 Released

Submitted by Bryan on

Nucleus version 3.24 has been released:

This release fixes a recently discovered cross site scripting issue. While there are no new features in this release, upgrading is recommended when your Nucleus installation has the "Allow Visitors to Create a Member Account" option enabled.

Click here for the original post at nucleuscms.org as well as download links.

By the way, thanks to the folks at Nucleus for recommending users to upgrade to the new version and not saying that it is a required or mandatory upgrade. I don't know why that gets my goat, but the rebel geek inside of me always resists doing what others think I should be required to do.
