Version 3.6.0 - 02/21/2024
* Add client variable cookie block to RemoteExecutionFilter - a Lucee-specific issue.

Version 3.5.0 - 08/17/2023
* Improve Shell Execution Filter, RemoteExecutionFilter, SQL Injection Filter, XSS Filter
* You can now pass an ip_address to the fuseguard() function when using FuseGuardApplication

Version 3.4.0 - 12/15/2021
* Security: Mitigation: escape $ as __DOLLAR_SIGN__ in CFLogLogger
* Added: Log4Shell Filter - you will need to add the filter to your config to enable it.
* Added: Setting setIgnoreRequestBodyOnSOAPRequests to prevent getHttpRequestData calls from breaking SOAP requests. Not enabled by default.
* Fix: FileUploadContentFilter adjusted upload detection trigger for Lucee
* Fix: Trial Mode Banner

Version 3.3.1 - 07/21/2021
* Security: Updated JavaScript Libraries in FuseGuard Manager (bootstrap, d3).

Version 3.3.0 - 04/23/2021
* Fixes for PostgreSQL support
* Allow user agents wrapped with single quotes in UA filter
* Reduce false positives in ShellExecutionFilter
* Incorrectly logged as blocked when Log Only Mode was enabled.
* ACF 2021 Compatibility Fix in DBAuthenticator for ColdFusion Bug CF-4211084
* Update JavaScript Libraries in FuseGuard Manager

Version 3.2.0 - 10/31/2019
* Added support for Oracle Databases
* Added Pagination to IP List Table View in FuseGuard Manager
* Added setAllowNullOrigin setting to ForeignPostFilter
* Fixed missing request_id column in Derby and PostgreSQL db creation script
* Workaround in FG Manager for CF2018u5, CF2016u12 bug CF-4205250

Version 3.1.3 - 04/24/2019
* Added removeFilterAt
* Fix issue when filtering by host name in FuseGuard Manager.
* Improvements to reduce false positives and increase protection in CrossSiteScriptingFilter
* Improvements to reduce false positives in ShellExecutionFilter

Version 3.1.2 - 02/05/2019
* Fixed issue in FuseGuard Manager where the CSRF token was sometimes not defined, causing an error when working with IP address lists.
* Improvements to FileUploadContentFilter to reduce false positives

Version 3.1.1 - 10/12/18
* Fixed issue in RepeatOffenderFilter when a whitelist is also enabled.

Version 3.1.0 - 9/27/18
* Improved detection for PHP in FileUploadContentFilter
* Improvements to detection in XSS Filter
* Base Authenticator will use SHA-512 if PBKDF function is supported by CF engine, but JVM does not have algorithms implemented.
* Improvements to detection in SQL Injection Filter
* Performance Improvements in SQL Injection Filter and XSS Filter
* Fixed a 0xHEX false positive in SQL Injection Filter
* Fix false positive on cf411 in url in ShellExecutionFilter
* Fixed false positive with .sh in email in ShellExecutionFilter
* In some environments X-Forwarded-For may contain a source port
* In some environments X-Forwarded-For may contain multiple comma-delimited IPs; only the first is used as the source IP.
* Fix typos in ShellExecutionFilter and RemoteExecutionFilter
* Support for this.searchImplicitScopes=false
* Added core setting setIgnoreRequestBodyOnMultipartRequests
* Added include block filter

Version 3.0.7 - 12/14/2017
* Fix issue in GeoFilter if no IP list is selected

Version 3.0.6 - 12/13/2017
* DB Change for fuseguard_ip - if you have installed version 3.0.0 - 3.0.5 please run sql/migrate-3.0.0-to-3.0.6.cfm
* Fixes in GeoFilter
* IPv6 DB Changes

Version 3.0.5 - 12/05/2017
* SQL Server Azure Fix
* Added Script Example Application.cfc

Version 3.0.4 - 12/01/2017
* SQL Server DB Script Changes
* Reduce False Positives in ShellExecutionFilter
* Default Config for DBConfigurator is now in Log Only Mode and Fail Open Mode

Version 3.0.3 - 11/30/2017
* Compatibility Fix CFMailDigestLogger, IPBlackList, IPWhiteList Filters

Version 3.0.2 - 11/29/2017
* Fix HoneyPotFilter
* Fix DB Scripts

Version 3.0.1 - 11/21/2017
* FuseGuard Manager: button to add IP to list was missing when list empty.

Version 3.0.0 - 11/13/2017
* FuseGuard Manager
    * Edit Configuration of FuseGuard, Filters, Loggers
    * IP List Manager
    * Use SameSite Strict cookie
* Filters
    * 11 new Filters!
    * Updates and Improvements to all existing filters.
    * New Filter: FileUploadContentFilter - inspects file upload contents for executable CFML, this filter is experimental.
    * New Filter: GeoFilter - uses IP country data to whitelist or blacklist IP by country.
    * New Filter: HoneyPotFilter - Uses project honeypot data to block malicious IP addresses.
    * New Filter: IPBlackListFilter - easily black list IPs using the IP List managers
    * New Filter: IPWhiteListFilter - create IP whitelists easily.
    * New Filter: RemoteExecutionFilter - looks for patterns used to exploit remote code execution vulnerabilities.
    * New Filter: RemoteMethodFilter - block remote CFC method calls or SOAP requests.
    * New Filter: ShellExecutionFilter - looks for common shell execution patterns and paths.
    * New Filter: UserAgentFilter - looks for malicious or malformed user agents.
    * New Filter: XMLEntityInjectionFilter - looks for XML entity injection patterns.
    * New Filter: XMLExternalDTDFilter - looks for XML external DTD patterns.
* Loggers
    * New CFMailDigestLogger - sends logs in batches over a duration of time

Version 2.5 11/25/2015
* Added Lucee / Railo support to FileUploadFilter
* Internal improvements to CrossSiteScriptingFilter and SQLInjectionFilter
* FuseGuard Manager: Add filter_name to tabular log view
* Added option to ContentLengthFilter for require on POST and added it to default configurator.
* Fix bug in setMinimumPasswordLength and setHashAlgorithm in BaseAuthenticator

Version 2.4 10/31/2013
* Performance Boosts
* Added option to ignore empty values in DictionaryAttackFilter
* Added support for ignoreVariable in DictionaryAttackFilter
* Added URL Builder for Framework Support of FuseGuard Manager
* Added request.fuseguard_log_id to DBLogger with id of inserted log row
* Compatibility update for OpenBD support
* Fix for setAllowedDomains in ForeignPostFilter
* Fix for setDeniedFileExtensions in FileUploadFilter
* Fix for setIgnorePrefixList in ScopeInjectionFilter
* Fix for ScopeInjectionFilter when setStrictMode(true) it would block url.sessions.something instead of just url.session.something
* Added getDefaultBlockHTML function to firewall.cfc and argument outputBlockHTML on processRequest to allow for more customization.

Version 2.3 2/27/2013
* Fixed minor false positive bug in SQLInjectionFilter
* Added UTF7 BOM detection in query string
* Added setAllowEmpty to IDValidationFilter (defaults to true)
* Added special case for jsessionid in IDValidationFilter because CF10/tomcat adds .instanceName to end of value
* CrossSiteScriptingFilter now more strict in non-form scopes
* IDValidationFilter adds setNumericAllowed and defaults to true
* ScopeInjectionFilter adds setIgnorePrefixList to allow it to ignore certain prefixes.
* Minor display fixes for FuseGuard Manager
* Updated FuseGuard Manager to use Bootstrap
* Implemented Content-Security-Policy headers for FuseGuard Manager
* Added builtin support for X-Forwarded-For headers, must be turned on with firewall.setUseXForwardedFor(true) in configurator
* Fix Railo issue with dots in variable names because they are converted into structs
* Added the FuseGuardApplication component to simplify deployment in Application.cfc
* Added pagination to tabular log view

Version 2.2 9/7/2011
* Added Null Byte Filter
* Added Fail Open / Fail Closed
* Fixes and Enhancements to SQLInjectionFilter and XSS Filter
* Added reinit key
* Add JVM DOS Filter
* Added setIPWhiteList to RepeatOffenderFilter
* Minor Bug Fixes to FuseGuard Manager
* Added ScopeInjectionFilter

Version 2.1 4/9/2010
* Additional fixes for SQL Server
* Updated footer copyright year in manager
* Added allowIntegerLists to IDValidationFilter

Version 2.0.1 3/25/2010
* Updated DBLogReader for SQL Server
* Corrected IP Address pie chart issue.

Version 2.0 Released on 11/12/2009
* Added Authenticators
* Added DBLogReader
* Added FileUploadFilter
* Added Web Manager GUI

Update 1.01 Released on 4/6/2009
* Changed type of ignoresVariable(varname) from variablename to string
* Fixed a Problem with Trial Code
* Updated install.txt

Version 1.0 Released on 3/26/2009