News 
New version - 0.7.18
Yes, here's yet another release. We have tightened up some of the security-related stuff from the last release and fixed some bugs that crept into it. Most notably an issue with not being able to save extended user field data. I also changed a few things in the file inspector to make that a bit more useful, thanks to Lawbringer for that. Here for changes: Here for your files:
Note: For anyone who was really quick off the mark, there was a hitch with generating the first set of release files. If you downloaded later than 2235 UTC on 4th February, the files should be good - you can check by opening file e107_admin/ver.php in a text editor, and it should mention 0.7.18 (in some of the releases, the file wasn't there at all).
posted by McFly on Thursday 04 February 2010 - 15:34:09
comments: 13
eCheck Security Scanner
We all already know what happened to e107.org just because we patched it a few hours after the official release of 0.7.17. I'm trying to stay positive - we learned an important lesson, I hope the e107 community did the same - a good example of what could happen if you don't apply a critical security patch quickly enough.
I also spotted the first symptoms of panic. They were additionally fed by all kinds of security organizations and blog posts, made before we were able to make any kind of statement, because we were busy fixing all current problems and investigating any additional security vulnerabilities of e107 core (I'm glad the problem came from an issue we had already fixed). I'm not angry about this - I know this is the only way to get more traffic and popularity (let's call it marketing).
On the other hand, I understand the worries of the people using e107 - especially those with less Development/Administration knowledge. That's why I wrote a small tool and called it (don't ask me why) eCheck Security. I'm not gonna explain what it does here, because I did it already in my blog post "eCheck Security PHP tool - find malware on your site". I hope this tool will make a lot of people feel much more peaceful - at least this was my intention while I wrote it.
Cheers
posted by SecretR on Friday 29 January 2010 - 16:01:29
comments: 18
e107.org compromised
OK, here's what I know happened and what's been done:
* e107.org was hacked using the exact exploit we patched in .17, it looks like we waited too long to fix e107.org. I have spent the past day attempting to clean everything up and am relatively confident I've cleaned it up, but you never know. If hacks persist, we'll have to resort to more drastic measures.
* Yes, there was a zip file that was backdoored. This file was NOT the officially released zip file and the source code was not compromised. While the hackers had access to our server, they uploaded their own version of the full zip file and re-pointed the download link to this corrupt file. It was only the full install .zip file. If you upgraded your version of e107 using files from the full install .zip file, please download the one that is available from sourceforge and re-upgrade.
* The current version (0.7.17) is safe (as far as I know) from further attacks in this same manner, there will be a .18 release someday, but there are no immediate plans for its release.
* Yes .17 has a new favicon, this was a mistaken commit by one of the devs and the current .17 package files have this file restored.
* When downloading e107 release files, please ensure they are coming from sourceforge, we only release files from there. We have, in the past, provided specific patch files from e107.org locally, but this will stop. If you get a file from somewhere other than sourceforge, don't trust it.
If anyone sees anything odd with their sites or with e107.org, or just has a specific question, please do not hesitate to contact me personally. Please be patient, I will attempt to answer anything I receive.
posted by McFly on Tuesday 26 January 2010 - 11:04:55
comments: 30
**SECURITY UPDATE** 0.7.17
We were recently informed of a very nasty exploit that, as far as we can see, affects almost all e107 0.7 releases. Everyone running e107 needs to get their sites updated as soon as possible. If you are a site owner and you are unable to upgrade for some reason (too much hacked core code), please contact me directly and I can help you with a quick-fix. Please get the word out to all other e107ers. If you find an e107 site out there, post on their site somewhere about this upgrade.
We have also included an automatic update check in this release. It was in previous ones, but was based off sourceforge's RSS feed, which they apparently don't want to fix. The new code will now check a file on e107.org, which will always contain the most recent e107 release information. If there is an update available, you should see a notice on your main admin screen. Depending on your admin theme, it may also appear in the left column of all admin pages.
As always, please ensure you perform a full db and site backup before performing the upgrade. Please inform us if you have any problems with this new release. For a list of the fixes, you can see them here: Link to updates:
posted by McFly on Friday 22 January 2010 - 09:25:00
comments: 55
Another PHP5.3 bug!
The authors of the SQL interface section of PHP5.3 haven't been having a good time! There's a second database-related bug, which affects the admin user list and the admin download list (and some upgrade bits). Likely symptoms include Apache crashing, or blank pages if you try to view these functions. If you're running PHP 5.3.0, download this file, and overwrite the corresponding files in your 0.7.16 installation. (Don't envisage any need to use the latest updates from CVS, but if you have problems, please report them.) This download also includes the installer, which needed an update to work round a different bug.
posted by steved on Tuesday 15 December 2009 - 12:05:58
comments: 3
eAdvent
The blog site at http://blogs.e107.org/news.php has been quite dead recently as we concentrate on development of v0.8 or, worse, real life interferes. In a small attempt to address this issue we're going to try out eAdvent. Not a new plugin or core code, just a post a day starting from tomorrow. Don't expect long, in-depth blogs, but hopefully it will give you some interesting snippets of information about v0.8.
posted by bugrain on Monday 30 November 2009 - 16:26:07
comments: 21