68KB - News


68KB RC5 is released – PLEASE UPGRADE

68KB V1.0.0 RC5 is now released and available for download here. This is a security release and ALL users should upgrade. It fixes a remote file injection in the themes/admin/default/modules/show.php file. At the very least, replace that file. All users should upgrade as soon as possible.

August 7, 2010   No Comments

68KB V1.0.0 RC4 is now released – PLEASE UPGRADE

68KB V1.0.0 RC4 is now released and available for download here. This is a security release and ALL users should upgrade. We have had several security vulnerabilities reported over the past week and this release fixes them all. The fixes include:

  • CSRF Attack
  • Remote file include
  • Search SQL Injection

All users should upgrade as soon as possible.

April 3, 2010   No Comments

68KB V1.0.0 RC3 is now released

This is a note to let everyone know v1.0.0 rc3 is now released. This release has no new features but does include a fix for a security vulnerability in the search, reported by “Jelmer de Hen”. So you SHOULD upgrade and at the very least replace includes/application/controllers/search.php. Here is the direct link to the download page: http://68kb.com/download/.

Other News

Development has slowed down a lot lately, mainly because I have had a second child and haven’t had much time to devote, but we have some big plans for 68KB this year.

As many CodeIgniter users probably already know, v2.0 of the framework is currently in beta, so we will be migrating all the code over to it. We will probably skip a fully stable v1 release and instead start working on v2 because of the framework upgrade. The new code is moving from Google hosting over to GitHub. You can follow the progress here: http://github.com/68designs/68KB

We will keep the Google Code project up until the first official release of v2. Keep in mind we have no date in mind for when that will be ready, and we will be posting any news here on the blog.

Thanks again to everyone who is using 68KB, and sorry for the two vulnerability reports in the same day. I do want to personally thank Jelmer de Hen for emailing me about this exploit. The other one I just happened to run across :(

March 28, 2010   No Comments

68KB v1.0.0 rc2 Vulnerability

It has been reported that v1.0.0 rc2 has a remote file include vulnerability. The file in question is themes/front/default/modules/show.php.

This is only a vulnerability if your server has register_globals turned on. The easiest way to fix this is to turn register_globals OFF.

If for some reason your host has register_globals turned on, you can create a .htaccess file with this code in your site's root:

php_flag register_globals off

or if you have access to php.ini:

register_globals = off
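
To confirm the setting actually took effect across a site, the following added example (not part of the original post or of 68KB) reads each .htaccess and php.ini under a web root and reports whether register_globals is on, off or unset. The function names and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not 68KB code): report how register_globals is set in a
# php.ini or .htaccess file, then audit every such file under a web root.

# Prints "on", "off" or "unset" for one file; the last directive wins.
register_globals_state() {
    awk '
        BEGIN { state = "unset" }
        {
            line = tolower($0)
            gsub(/\r/, "", line)
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^[;#]/) next        # blank or comment
            if (line ~ /^php_(admin_)?(flag|value)[ \t]+register_globals[ \t]+/) {
                split(line, f, /[ \t]+/)                   # .htaccess form
                val = f[3]
            } else if (line ~ /^register_globals[ \t]*=/) {
                val = line                                 # php.ini form
                sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]*(;.*)?$/, "", val)
            } else next
            gsub(/"/, "", val)
            # Conservative: any truthy spelling counts as on.
            state = (val ~ /^(on|1|yes|true)$/) ? "on" : "off"
        }
        END { print state }
    ' "$1"
}

# Prints "<state><TAB><path>" per file; exit status 1 if any file enables it.
audit_webroot() {
    find "$1" -type f \( -name .htaccess -o -name php.ini \) | (
        rc=0
        while IFS= read -r f; do
            s=$(register_globals_state "$f")
            printf '%s\t%s\n' "$s" "$f"
            if [ "$s" = on ]; then rc=1; fi
        done
        exit "$rc"
    )
}

# Constructed sample: a site root whose .htaccess carries the fix shown above.
demo() {
    d=$(mktemp -d) && printf 'php_flag register_globals off\n' > "$d/.htaccess"
    audit_webroot "$d"; rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

A state of "unset" means the file does not override the value, so the server-wide default still applies and should be checked separately.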

March 28, 2010   No Comments

68KB RC2 is now released

68KB RC2 is now released and ready for download. This release fixes all the bugs reported to date and also fixes the critical install error bug.

December 4, 2009   3 Comments