A cross-site scripting vulnerability has been identified and fixed in the FacileForms 1.4.7 Security Release. The vulnerability required either PHP's register globals to be enabled,  or the RG_EMULATION setting of Joomla/Mambo to on (1) which is unfortunately the default in current joomla and mambo installations. If both register globals as well as RG_EMULATION are off, the exploit was not possible.

It is advised to upgrade to 1.4.7 ASAP, and for your own safety also turn off register globals and RG_EMULATION. FacileForms 1.4.7 is available now in the download section on http://www.facileforms.biz, and there is a patch available for 1.4.6g as well.

I have a client site that is still on Mambo using FacileForms v. 1.3.1. Does this also apply to Mambo installs? And if so, how do I upgrade? I went to the downloads area, but did not see any patches or instructions for upgrading.

Thanks!

Upgrades are absolutely straight forward and painless, from any previous version of facileforms.

Read the details here.

Thanks for that link! Sounds like it should be easy enough.

Is this new version what I should be using with this old Mambo install? I checked the MamboXchange (or whatever it is called) and it is still listing the same version I have installed as the latest, so I just want to be sure.

Thanks so much for this component!

All FacileForms versions work on any mambo version from 4.5.1a up and any joomla from 1.0.0 up.

However unless you are a security guru who has manually patched that old mambo version agains all known vulnerabilities, I highly recommend to also upgrade it to the latest stable version. And dont forget to check any other 3rd party add-ons for security too; there is a very helpful sticky thead in this forum to check.

When I try to install the 1.4.7 patch for the 1.4.6g, I get the following errors.

Upload component - Upload Failed 
ERROR: Could not find an XML setup file in the package. 
[ Continue ... ] 
Upload component - Failed 
Installation file not found:
/home/testweb/www/media/install_4521e86a5e403/ 
[ Continue ... ] 

I have tried this on 3 separate Joomla sites with 1.4.6g currently installed and get the same error for each site. 

I am using Joomla 1.0.11.  register_globals is disabled.  RG emulation is set to 0.

Thanks for any help you can provide. 

[UPDATE] I have solved the problem by un-installing 1.4.6g and installing the complete version of 1.4.7. 

The patch for 1.4.6g is only one file (facileforms.php) in the zip file that you need to upload with ftp, cpanel filemanager or joomlaXplorer into the directory /components/com_facileforms, replacing the old file. It cannot be installed with the joomla component installer.

If you cant handle this, you should instead uninstall 1.4.6g old version and install 1.4.7 which can both be done by the joomla component installer.

I use FacileForms on my site and notice all records are stored within facile forms. How do I access the following - e.g. a supplier fills in one form and a customer fills in another - the customer ticks a box which selects 10 suppliers who are listed within a selected category. Now I want the submit button to retrieve the 10 supplier email addresses and send the customer's form to each of the suppliers.
Simple enough, as every site I look at does this. How do I get the customer form to query the database and retrieve the results, as all this querying is being handled inside facile forms and not in joomla core?