Security Update: Vanilla 2.0.18.8
Even though Vanilla 2.1 is just around the corner, we are still supporting 2.0.18.* installations. To this end we've released an important security update that should be applied immediately by anyone running 2.0.18.*. The new version can be found here.
If you don't want to overwrite every single file, then the one file that needs to be changed is here (raw download here).
This is an important security update so please update your installation.
Changes
- 2013-04-05 Check for FilterForm() before calling it.
- 2013-04-04 Disable the ability to call functions in escaped sql strings.
- 2013-03-22 Switch update checks to json to prevent object injection hacks.
- 2013-03-02 Make sure the admin password is hashed when inserting the admin user on an already installed Vanilla.
- 2012-12-12 Fix Facebook plugin for the 5 Dec 2012 Facebook update.
- 2012-10-13 Add class attributes for all the menu item elements.
- 2012-10-13 Ignore eclipse project files.
- 2012-09-11 Add the cache-control logic from the 2.1 branch.
- 2012-04-11 Add the proper username parameter to profile/edit.
- 2012-04-11 Filter activity, discussion, and comment forms.
- 2012-03-26 Added Gdn_Model->FilterForm() to help prevent user from posting unauthorized database values.
- 2012-04-11 Fixed security hole on profile/picture and profile/preferences. Allow moderators to change users' pictures from the profile page.
- 2012-04-03 Added joomla password hashing.
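As an added illustration of the 2013-03-22 entry above (example code, not Vanilla's own update-check code; the response field names and the parseUpdateCheck/parseLegacyUpdateCheck functions are assumptions), this shows how a remote update-check response can be read as JSON, so the responding server can never cause PHP objects to be instantiated the way unserialize() would:

```php
<?php
// Added example, not Vanilla's code: read an update-check response as plain
// JSON arrays instead of unserialize(), so a tampered response cannot
// instantiate objects. The "Name"/"Version" fields are assumed for illustration.

function parseUpdateCheck(string $body): array {
    // Decode to associative arrays only (second argument true), never to objects;
    // a small depth limit also rejects deeply nested junk.
    $data = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('Update response is not a JSON array');
    }
    $result = [];
    foreach ($data as $addon) {
        // Keep only entries that have the expected scalar fields in the expected shape.
        if (!is_array($addon) || !isset($addon['Name'], $addon['Version'])) {
            continue;
        }
        if (!is_string($addon['Name']) || !preg_match('/^[\w .-]{1,64}$/', $addon['Name'])) {
            continue;
        }
        if (!is_string($addon['Version']) || !preg_match('/^\d+(\.\d+){0,3}$/', $addon['Version'])) {
            continue;
        }
        $result[$addon['Name']] = $addon['Version'];
    }
    return $result;
}

// Legacy path: if an old serialized response still has to be read, refuse all
// classes so the payload can only become scalars, arrays or __PHP_Incomplete_Class.
function parseLegacyUpdateCheck(string $body): array {
    $data = @unserialize($body, ['allowed_classes' => false]); // PHP 7.0+ option
    return is_array($data) ? $data : [];
}

// Constructed sample responses (not real update-server output).
$json = '[{"Name":"Vanilla","Version":"2.0.18.8"},{"Name":"bad","Version":"x; drop"}]';
// The second entry fails the version check and is dropped.
var_dump(parseUpdateCheck($json));

// A serialized object is never instantiated: it arrives as __PHP_Incomplete_Class,
// which is not an array, so the legacy parser returns an empty result.
$serialized = 'O:8:"stdClass":1:{s:4:"Name";s:7:"Vanilla";}';
var_dump(parseLegacyUpdateCheck($serialized));
```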
Comments
@Todd, are the links to the single file and raw downloads correct? The date of the revisions shows them to be two years old, or I am missing a concept.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
If you take the bundled file
grep is your friend.
Thanks guys. I forgot to push.
FYI @Todd - these links appear to be broken
It looks like what x00 posted is indeed the change needed for just a single file.
http://vanillaforums.org/discussion/comment/179705/#Comment_179705
One can also just download the 2.0.18.8 package and only take that file to switch it out, right?
I would really love the option to update just the files that have changed between versions. Does anyone know a simple trick, or can you at Vanilla provide a repo with just those changed files?
Why? I guess a lot of people who had to code into the core to make language modifications that were not covered by the locale (quite a lot since 2.0.X) could upgrade way more easily that way.
I now use a comparison tool, but that is also not the easiest way to pick those files out.
@phreak, just replace class.sqldriver.php: download the whole package, then FTP to overwrite the file in
forum/library/database
Nothing broke when I did that, so it should be fine; I did it to several other installations.
Thanks for the ongoing support and vigilance about security.
Where is a changelog for 2.0.18.7?
You can download the package here: http://vanillaforums.org/addon/vanilla-core
If you don't want to overwrite everything, then only replace that file.
YAY!
Hi, I am running 2.0.18.4. What are the upgrade procedures from 2.0.18.4 to 2.0.18.8 (apart from backing up)?
I ask because here, http://vanillaforums.org/addon/vanilla-core , I can see that 2.0.18.7 has also been released. Should I install 2.0.18.7 first and then 2.0.18.8? Or will the 2.0.18.8 package take care of everything?
You could look here to see which files have been changed and copy the new versions manually: https://github.com/vanillaforums/Garden/commits/2.0
@phreak I think this is what you were looking for as well.
Back up everything. Overwrite your 2.0.18.4 files with the ones from 2.0.18.8. You don't need to install 2.0.18.7.
Git is exactly for this kind of thing. You fork our repo and make your changes and then merge when we do a release.
So no one has a changelog for 2.0.18.7? I could go through the GitHub commit log but something more readable would be nice...
By the way, the ".gitignore" file is being included in the releases.
@Subjunk, I added the log to the original post.
Wrt the .gitignore, I'm just doing the release via git archive which is a bit nicer imo. The .gitignore is just a small side-effect of that.
Thanks for the quick response. For my own education can you point out which change addresses this problem?
The specific commit that addressed the issue is here. Please note though that there is at least one other important security update in the release.
I think there is still a major security flaw in 2.0.18.8.
I always have kept my forum in approval mode. I manually approve every new member. Like many, I had problems with bots spamming the application form, but none of them got through to become members.
About a month ago, the application spam was significantly reduced. I figured the bots gave up. Apparently they didn't. They just found a way to bypass the application and become members. I went through and deleted all the bad users. There were only 100 or so, so I used SQL to delete them and their content.
My forum is fully upgraded, so there is definitely still something fishy going on. Also, it would be nice if there was a user interface that allowed deleting users in bulk, so it's easier to recover from those cases where spam does get through. Trying to do it by hand one at a time in the Dashboard was awful, having to go through those extra confirmation pages.
I have entirely disabled new applicants to my forum until this issue is resolved.