29 July 2009
While there have been no reports of security breaches in Fusion Ticket, it is our full intention to stay ahead of the curve, so we keep scanning the net for new and emerging threats.
Reports from developers of other programs indicate that two major threats are Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Rather than wait for them to reach Fusion Ticket, we have developed a patch to protect against them.
Fixes are always included in future full release versions, at no charge. However, if you cannot wait, they are available as patches.
Patches, like the Beta 4c security patch, are free to members with Contributor status and are made available to the general public by email after a donation of $12.50 or more.
Change log for the beta4c security patch:
-----------------------------------------
The changes in the PHP scripts:
- fixed the transaction handling in the ShopDB.php file
- fixed a PDF display problem on the order handling page.
- removed error_reporting(E_ALL); from the root PHP scripts (verbose error output exposes file paths and internals to visitors).
- fixed the barcode search in the admin section.
- resolved some big security issues in the webshop section.
- added the order date to the email/PDF templates.
- removed some unneeded arguments from shopdb::affected_rows() method calls
- added a token to use with form POST actions.
- added the event_date, ort_name and ort_city to the invoice PDF
- fixed some issues in the install.php and db_install.php files.
- fixed some of the main SQL escaping issues.
- added a separate script that lists orphan records.
- some other small bug fixes.
The changes in the webshop templates:
- Almost all forms now use the POST method.
- each form carries its own form token, so a request forged from another site (CSRF) is rejected.
- changed all calls to shop.php back to index.php (shop.php is deprecated).
- all displayed values that can be supplied by your website visitors are now stripped of HTML and escaped, so injected script (XSS) is shown as text instead of executed.
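The two template-side changes above (a per-form token on POST actions, and escaping of every visitor-supplied value before it is displayed) are the standard defences against CSRF and XSS. The following is an added example of how such a form can be built; it is not Fusion Ticket's own code. It assumes PHP 7 or later (for random_bytes and hash_equals), a session that has already been started, and a form named order_search with a single text field q; those names are placeholders.

```php
<?php
// Added example, not Fusion Ticket code: per-form CSRF tokens plus output
// escaping for a small search form. Assumes PHP 7+ and a writable session.

session_start();

// Return the token for this form, creating one per session and form name.
// 32 random bytes from the CSPRNG, hex-encoded for safe embedding in HTML.
function form_token(string $form): string
{
    if (empty($_SESSION['form_tokens'][$form])) {
        $_SESSION['form_tokens'][$form] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_tokens'][$form];
}

// Check the token that came back with the POST. The stored token is
// consumed whether or not the check succeeds (one-time use), and the
// comparison is constant-time so a forged value cannot be guessed
// byte by byte via timing.
function check_form_token(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Escape a visitor-supplied value for an HTML context: <, >, &, " and '
// all become entities, so "<script>" is displayed, not executed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$form = 'order_search'; // placeholder form name

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($form, $_POST['token'] ?? null)) {
        // Missing, stale or foreign token: refuse to act on the request.
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    $query = $_POST['q'] ?? '';
    echo '<p>Results for: ' . h($query) . '</p>';
}
?>
<form method="post" action="index.php">
    <input type="hidden" name="token" value="<?= h(form_token($form)) ?>">
    <input type="text" name="q" value="<?= h($_POST['q'] ?? '') ?>">
    <button type="submit">Search</button>
</form>
```

Two points worth keeping in mind when applying this pattern: the token must be tied to the visitor's session (a token readable by anyone is no protection), and the escaping function must match the output context, since htmlspecialchars is correct for HTML element and attribute content but not for values placed inside a JavaScript block or a URL.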