ATTENTION! Cases of cracking PerfectMoney merchant became more frequent by
trial and error method "Alternative code phrase". If it is "simple", then malefactor will
evaluate it and "sign" for it fake transaction. Script will put stated sum on malefactor's
balance. Create code phrases no shorter than 16 SyMBolS/numbers length.
One curious tester (thanks for that) found vulnerability: If you send a message with
special js-script to a user (or admin), then it will be executed on opening this message.
1. Vulnerability worked only when message was opened from Profile. 2. Malefactor
could receive user's cookies, and if user hasn't set IP-binding, then malefactor could
access user's profile(and in admin case - Control panel). To fix vulnerability update
file ..module/message/show.php . If you have disabled "Personal messages" (or
activated "only support" mode), then you are on safe ground.
On popular request: now you can reply to letters from support form from your mail.
Custom variable update in database "Was on site" now not oftener than once in a
minute (deloading database server).
API address updated for MeraPay. Small defects fixed (non-critical).
Install changed for new MySQL version. Small irritating defects fixed. As clients
requested, we've added some "improvements".
Memo change in operations with payment providers systems now works. Added
code for review output to the left panel. Now you can set the default time zone. User's
ban annulations from admin panel during brute-force added. Now batch-number,
entered manually, is more important than passwords from API. And some other minor