One curious tester (thanks for that) found vulnerability: If you send a message with
special js-script to a user (or admin), then it will be executed on opening this message.
1. Vulnerability worked only when message was opened from Profile. 2. Malefactor
could receive user's cookies, and if user hasn't set IP-binding, then malefactor could
access user's profile(and in admin case - Control panel). To fix vulnerability update
file ..module/message/show.php . If you have disabled "Personal messages" (or
activated "only support" mode), then you are on safe ground.
On popular request: now you can reply to letters from support form from your mail.
Custom variable update in database "Was on site" now not oftener than once in a
minute (deloading database server).
API address updated for MeraPay. Small defects fixed (non-critical).
Install changed for new MySQL version. Small irritating defects fixed. As clients
requested, we've added some "improvements".
Memo change in operations with payment providers systems now works. Added
code for review output to the left panel. Now you can set the default time zone. User's
ban annulations from admin panel during brute-force added. Now batch-number,
entered manually, is more important than passwords from API. And some other minor
Fixed Text error receiving from LibertyReserve. Statistics updates every minute now.
Added plan choice on deposit.
Configurator changed. There was an error during installation on some hostings. Limit
for "instant" added. Now withdrawal "up to a limit" - instant, after limit - manually.