HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Dec 2013 Security Update: 2.0.18.10 and 2.1b2
There is an in-the-wild exploit targeting the update checker in 2.0.18 and 2.1.
If you are running 2.0.18.x, please upgrade HERE.
If you are running a 2.1 beta, please manually update your install by deleting the lines in UtilityController and settings.js indicated here: https://github.com/vanillaforums/Garden/commit/91904fa108a8a5011f684a990fd117ea8ff3625c
That is also the only change made in 2.0.18.10 if you want to selectively apply it.
This release completely removes the update checker.
12 Comments
First, I was a bit irritated because the UtilityController doesn't hold the lines mentioned on GitHub under 2.0.18.9. I guess these were additions done in 2.1.
Settings is clear.
Just mentioning it, so others are not confused for a second the same way I was.
Thanx Lincoln!
@phreak The only thing different between the 2 versions is the line numbers. The same methods were removed from both.
Uh, yes thanx. I was a bit tired when this came in.
If you selectively download or make changes in Vanilla 2.0.18.x without downloading the entire core, you should update the index.php on your forum as well so your dashboard reflects the proper version.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
Is this update required if someone downloads the beta today?
Depends on whether you get it from GitHub or the Addons site. With the Addons site, look at the date of the file version.
@openletter Yes. We haven't released a new beta for the security fix.
You guys might want to address this as a "public service" if you ever have 2.0.18.11. It is happening to multiple folks who are not that familiar with the potential problem of using "remove" from the dashboard and don't have a properly set up host site to deal with incorrect permissions crawling up the tree.
http://vanillaforums.org/discussion/25814/please-help-all-plugins-folder-just-disappeared-not-good
Yes. For 2.1b2 it is fixed, but that doesn't help the people with 2.0.18 releases.
https://github.com/vanillaforums/Garden/commit/ab3b98e086dd7ac4211fbce98ddb567d726d01d7
Is this update needed for 2.0.18.10, or is that the fixed version?
@review That is the fixed version, as much as I know. Correct me if I'm wrong, please.
The code editing only applies to Beta versions of 2.1. I'm not sure if it's required on Alpha versions though.
@Lincoln Is this fixed in Vanilla 2.2.5?
Master branch always has any security fixes, yes.
This was an extremely dangerous issue which enabled arbitrary code execution by any registered user. I really, really hope that everyone has this update and I'm worried that not enough was done to promote it.
It was released on RSS, we emailed everyone who is subscribed, and we had it pinned to the top of the site until it was replaced by 2.0.18.11. What do you suggest we do beyond that?