HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Security Update: Vanilla 2.0.18.8

ToddTodd Vanilla Staff
edited April 2013 in Releases

Even though Vanilla 2.1 is just around the corner we are still supporting 2.0.18.* installations. To this end we've released an important security update that should be applied immediately to anyone running 2.0.18.*. The new version can be found here.

If you don't wan't to overwrite every single file then the one file that needs to be changed is here (raw download here).

This is an important security update so please update your installation.

Changes

  • 2013-04-05 Check for FilterForm() before calling it.
  • 2013-04-04 Disable the ability to call functions in escaped sql strings.
  • 2013-03-22 Switch update checks to json to prevent object injection hacks.
  • 2013-03-02 Make sure the admin password is hashed when inserting the admin user on an already installed Vanilla.
  • 2012-12-12 Fix Facebook plugin for the 5 Dec 2012 Facebook update.
  • 2012-10-13 Add class attributes for all the menu item elements.
  • 2012-10-13 Ignore eclipse project files.
  • 2012-09-11 Add the cache-control logic from the 2.1 branch.
  • 2012-04-11 Add the proper username parameter to profile/edit.
  • 2012-04-11 Filter activity, discussion, and comment forms.
  • 2012-03-26 Added Gdn_Model->FilterForm() to help prevent user from posting unauthorized database values.
  • 2012-04-11 Fixed security hole where on profile/picture and profile/preferences. Allow moderators to change users' pictures from the profile page.
  • 2012-04-03 Added joomla password hashing.
«13

Comments

  • @Todd are the links to the single file and raw downloads correct. The date of the revisions shows it to be two years old or I am missing a concept.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • x00x00 MVP
    edited April 2013
     $ diff -s class.sqldriver1.php class.sqldriver.php
     Files class.sqldriver1.php and class.sqldriver.php are identical
    

    If you take the bundled file

    311a312,318
    
         //$ValueStr = var_export($Value, TRUE);
         $ValueStr = 'ARRAY';
         Deprecated("Gdn_SQL->ConditionExpr(VALUE, {$ValueStr})", 'Gdn_SQL->ConditionExpr(VALUE, VALUE)');
         
         if ($EscapeValueSql)
            throw new Gdn_UserException('Invalid function call.');
         
    
    2050c2057
    < }
    \ No newline at end of file
    ---
    

    }

    grep is your friend.

  • ToddTodd Vanilla Staff

    Thanks guys. I forgot to push.

  • peregrineperegrine MVP
    edited April 2013

    If you don't wan't to overwrite every single file then the one file that needs to be changed is here (raw download here).

    FYI @Todd - these links appear to be broken

    it looks like what x00 posted is indeed the change needed for just a single file.

    http://vanillaforums.org/discussion/comment/179705/#Comment_179705

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • One can also just download the 2.018.8 package and only take that file to switch it out right?

  • phreakphreak MVP
    edited April 2013

    I would really love the option to update just the files that have changed between versions. anyone knows a simple trick or can you Vanillas provide a repo with just those changed?

    Why? I guess a lot of people who had to code into the core to make language modifications that were not covered by the locale (quite a lot sind 2.0.X) could upgrade way easier that way.

    I now use a comparison tool, but that is also not the most easiest to make those files out.

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • @phreak just replace the class.sqldriver.php , download the whole package then ftp to overwrite the file into

    forum/library/database

    Nothing broke when I did that so it should be fine did it to several other installations.

  • 50sQuiff50sQuiff ✭✭
    edited April 2013

    Thanks for the ongoing support and vigilance about security.

  • Where is a changelog for 2.0.18.7?

  • you can download the package here http://vanillaforums.org/addon/vanilla-core

    if you don't want to overwrite everything then only replace that file.

  • YAY!

  • Hi, I am running 2.0.18.4. What are the upgrade procedures from 2.0.18.4 to 2.0.18.8 (apart from backing up :) )?
    I ask because here, http://vanillaforums.org/addon/vanilla-core , I can see that 2.0.18.7 has also been released . Should I install 2.0.18.7 first and then 2.0.18.8? Or will the 2.0.18.8 package take care of everything?

  • 50sQuiff50sQuiff ✭✭
    edited April 2013

    You could look here to see which files have been changed and copy the new versions manually: https://github.com/vanillaforums/Garden/commits/2.0

    @phreak I think this is what you were looking for as well.

  • @unixhero said:
    Hi, I am running 2.0.18.4. What are the upgrade procedures from 2.0.18.4 to 2.0.18.8 (apart from backing up :) )?
    I ask because here, http://vanillaforums.org/addon/vanilla-core , I can see that 2.0.18.7 has also been released . Should I install 2.0.18.7 first and then 2.0.18.8? Or will the 2.0.18.8 package take care of everything?

    Backup everything. Overwrite your 2.0.18.4 files with the ones from 2.0.18.8 You don't need to install 2.0.18.7

    There was an error rendering this rich post.

  • ToddTodd Vanilla Staff

    @phreak said:
    I would really love the option to update just the files that have changed between versions. anyone knows a simple trick or can you Vanillas provide a repo with just those changed?

    Git is exactly for this kind of thing. You fork our repo and make your changes and then merge when we do a release.

  • So no one has a changelog for 2.0.18.7? I could go through the GitHub commit log but something more readable would be nice...

    By the way, the ".gitignore" file is being included in the releases

  • ToddTodd Vanilla Staff

    @Subjunk, I added the log to the original post.

    Wrt the .gitignore, I'm just doing the release via git archive which is a bit nicer imo. The .gitignore is just a small side-effect of that.

  • Thanks for the quick response. For my own education can you point out which change addresses this problem?

  • ToddTodd Vanilla Staff
    edited April 2013

    The specific commit that addressed the issue is here. Please note though that there is at least one other important security update in the release.

  • AprecheApreche
    edited May 2013

    I think there is still a major security flaw in 2.0.18.8.

    I always have kept my forum in approval mode. I manually approve every new member. Like many, I had problems with bots spamming the application form, but none of them got through to become members.

    About a month ago, the application spam was significantly reduced. I figured the bots gave up. Apparently they didn't. They just found a way to bypass the application and become members. I went through and deleted all the bad users. There were only 100 or so, so I used SQL to delete them and their content.

    My forum is fully upgraded, so there is definitely still something fishy going on. Also, it would be nice if there was a user interface that allowed deleting users in bulk, so it's easier to recover from those cases where spam does get through. Trying to do it by hand one at a time in the Dashboard was awful having to go through those extra confirmation pages.

    I have entirely disabled new applicants to my forum until this issues is resolved.

Sign In or Register to comment.