Because of a medium-risk potential information disclosure, we recommend updating BreezingForms Full and BreezingForms Lite to their latest versions (at the time of writing: Build 884 for the Full version and Build 912 for the Lite version).

Additionally, we recommend checking whether your hosting disallows folder indexes (this should be the default). If it does not, please add "Options -Indexes" to your website's main .htaccess file.

The updates come with a few practical implications:

  • The default upload folder is now forced to have an .htaccess file containing the Apache rule "deny from all" (non-Apache users should consider creating an equivalent setup or choosing an upload folder outside of the webroot).
  • If you use the "Use Web Url" feature to display the http(s) path to the uploaded files, please create a custom upload folder and adjust the path in your form setup accordingly.
  • Exports (PDF, CSV, XML) in the record manager are no longer stored on the server; the downloads are performed on the fly.
  • Exports (PDF, CSV, XML) for the email notification attachments will still be stored on the server, but now in the default upload folder as specified in BreezingForms' main configuration.
  • Existing export backups located in /components/com_breezingforms/exports/ will automatically be removed after the update (please back up these files before you apply any update if you need them).
  • Package exports are also performed on the fly only, and no files are allowed in the folder /administrator/components/com_breezingforms/packages/ with the exception of the default package (stdlib.english.xml).

Lite users please upgrade here.

Full users please login and download the update.

If you no longer have access to your membership, you can contact our support for a patch matching your version OR place an .htaccess file containing "deny from all" into the folders "/components/com_breezingforms/exports/" and "/administrator/components/com_breezingforms/packages/". If you aren't using Apache, apply your webserver's equivalent.
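
A local check for the steps above, as an added example that is not part of BreezingForms or of the original advisory. It assumes shell access to the Joomla webroot; the function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a Joomla webroot against the steps in this advisory.
# Prints one line per finding; returns 0 when clean, 1 otherwise.

has_rule() {  # has_rule FILE REGEX: true if FILE exists and a line matches
    [ -f "$1" ] && grep -Eiq "$2" "$1"
}

bf_audit() {
    root=${1:-.}  # assumption: the Joomla webroot is passed as the first argument
    status=0
    exports="$root/components/com_breezingforms/exports"
    packages="$root/administrator/components/com_breezingforms/packages"
    # "deny from all" as in the advisory, or the Apache 2.4 form "Require all denied"
    deny='^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)'

    for dir in "$exports" "$packages"; do
        [ -d "$dir" ] || continue
        if ! has_rule "$dir/.htaccess" "$deny"; then
            echo "NO-DENY $dir"; status=1
        fi
    done

    # Export backups (PDF, CSV, XML) still stored under the webroot.
    old=$(find "$exports" -type f \( -iname '*.pdf' -o -iname '*.csv' \
        -o -iname '*.xml' \) 2>/dev/null || true)
    if [ -n "$old" ]; then
        printf '%s\n' "$old" | sed 's/^/LEFTOVER-EXPORT /'; status=1
    fi

    # Only the default package may remain; .htaccess and index.html are
    # tolerated here as an assumption of this example.
    extra=$(find "$packages" -type f ! -name stdlib.english.xml \
        ! -name .htaccess ! -name index.html 2>/dev/null || true)
    if [ -n "$extra" ]; then
        printf '%s\n' "$extra" | sed 's/^/EXTRA-PACKAGE /'; status=1
    fi

    # Indexes may also be disabled by the host; only the main .htaccess is checked.
    if ! has_rule "$root/.htaccess" '^[[:space:]]*Options[[:space:]].*-Indexes'; then
        echo "NO-INDEXES-RULE $root/.htaccess"; status=1
    fi
    return "$status"
}

# Run directly as: sh bf_audit.sh /path/to/joomla
if [ "$#" -gt 0 ]; then bf_audit "$1"; fi
```

A NO-INDEXES-RULE finding is harmless when the hosting already disables folder indexes at server level, which this script cannot see.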

Special credits for reporting this issue go directly to Marco Dings from viryagroup.com. Thank you!

 

 
