Vanilla 2.1.3 - security release
Announcing the availability of 2.1.3, a security & bug fix release for the 2.1 branch.
This is an important security release for all users of 2.1.
- Three newly discovered XSS vectors were fixed.
- The timezone bug introduced in 2.1.1 is fixed.
- Fixes invalid DeliveryType in plugins management.
The diff is here. 6 files changed in total.
Thanks to Dingjie Yang of Qualys, Inc for 2 of the XSS reports, and Jason Barnabe for the third. We greatly appreciate responsible security reports, which can be directed to support [at] vanillaforums.com.
Hat tip to @bleistivt for making sure the timezone bug was properly filed on GitHub so it wasn't missed for this release.
13 Comments
Where's 2.0.18.14?
Only 1 of these 3 XSS exploits found in 2.1 is possible in 2.0.18.13, and it's quite a trick to pull off, and it will only work if your target is running IE8 or below. I'll patch it soon, but it won't be this week; I've run out of time.
Will this update on its own in my Joomla in the back of my GoDaddy? Sorry, I'm a noob.
I'm sorry, I don't understand the question.
@Linc I installed my theme and did everything from the backend of GoDaddy and Joomla. It says update from the back of GoDaddy, just not sure how to do so.
@dportis I'm not familiar with GoDaddy's system. I suspect you may need to wait for them to update to the latest version. You should contact them directly with any questions.
@Linc Awesome thank you
Don't use installers that come in some hosts' panels. Install Vanilla yourself using the installation instructions.
grep is your friend.
Okay thank you. @x00 can you help me with my Facebook and Twitter log in?
This release seems to have introduced a bug in global.js
In Safari I'm getting
TypeError: 'undefined' is not a function (evaluating 'gdn.url('/utility/sethouroffset.json')') in global.js:313
@peregrine thanks for taking the time to look into this... I'm currently not using vanilla in production, so I'll just revert to 2.1.1 until someone comes out with a proper fix.
If a moderator wants to delete all my previous comment clutter or blank it out in this discussion thread, since it doesn't apply and confuses the issue, and this sums it all up, that would be great.
If the hour offset in the user table doesn't match the hour offset on the client's computer derived by JS, pretty much all functionality in Vanilla is lost due to a JS error: cog wheels won't work, button bar won't work, admin can't sign out if their hour is off, to name just a few problems.
https://github.com/vanilla/vanilla/issues/2071
@linc In my continuing obsession with global.js:
I left the same functions, but rearranged the timeoffset placement, and it works better I think.
If the user table has an offset that doesn't match the client hour offset, it will now not create a JS crash, and gdn.url is defined.
It now correctly works with this positional change in the code.
Take this code at
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L309
and move it to here:
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L1177
So in the end, lines 309-316 are deleted and inserted in the position shown above.
Actually, if you wanted, everything between lines 25 and 86,
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L25
through
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L86
could be moved to the position here:
https://github.com/vanilla/vanilla/blob/2.1/js/global.js#L1177
Below is a modified global.js you can extract and replace; it has the 5 or 6 line movement of lines.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
The above zip can be extracted and copied over the global.js in
/js/global.js
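The failure the thread keeps circling back to is a load-order bug: the hour-offset sync in 2.1.2's global.js calls gdn.url() before that function has been assigned, so on any page where the server's stored offset differs from the browser's, the script dies with a TypeError and nothing wired up later in the file (cog wheels, button bar, sign-out) ever runs. The following is an added example written for this page, not Vanilla's global.js; the shape of the gdn object, the defineUrl() stand-in, the injected post() transport and the run() harness are all assumptions made to model the two orderings side by side.

```javascript
// Added example (not Vanilla's code): models the global.js load-order bug.
// Assumed stand-ins: makeGdn(), defineUrl(), and an injected post() transport.

// Stand-in for the gdn namespace that global.js builds up (assumed shape).
function makeGdn() {
  return { meta: {} };
}

// Defines gdn.url, the URL helper the rest of the file relies on (assumed impl).
function defineUrl(gdn) {
  gdn.url = function (path) {
    return '/index.php?p=' + path;
  };
}

// Browser-side hour offset computed from the local clock, as a page script would.
// Accepts any object with getTimezoneOffset() so it can be tested without a real Date.
function clientHourOffset(date) {
  return -date.getTimezoneOffset() / 60;
}

// Hour-offset sync: if the server's stored offset (from the user table) differs
// from the client's, POST the client's value back. Needs gdn.url to exist.
function syncHourOffset(gdn, serverOffset, clientOffset, post) {
  if (serverOffset !== clientOffset) {
    post(gdn.url('/utility/sethouroffset.json'), { HourOffset: clientOffset });
  }
}

// Buggy ordering (as reported for 2.1.2): sync runs before gdn.url is defined.
// When the offsets match, the branch is skipped and nobody notices; when they
// differ, gdn.url is undefined and the TypeError aborts the rest of the script.
function buggyInit(serverOffset, clientOffset, post) {
  var gdn = makeGdn();
  syncHourOffset(gdn, serverOffset, clientOffset, post); // throws when offsets differ
  defineUrl(gdn);
  gdn.handlersWired = true; // never reached when the line above throws
  return gdn;
}

// Fixed ordering (the "move lines 309-316 down" suggestion): define gdn.url and
// wire the handlers first, then run the sync.
function fixedInit(serverOffset, clientOffset, post) {
  var gdn = makeGdn();
  defineUrl(gdn);
  gdn.handlersWired = true;
  syncHourOffset(gdn, serverOffset, clientOffset, post);
  return gdn;
}

// Runs an init variant with a recording transport and reports whether the page
// came up usable, what it tried to POST, and any error that escaped.
function run(init, serverOffset, clientOffset) {
  var posts = [];
  var post = function (url, body) { posts.push({ url: url, body: body }); };
  try {
    var gdn = init(serverOffset, clientOffset, post);
    return { ok: true, wired: gdn.handlersWired === true, posts: posts, error: null };
  } catch (e) {
    return { ok: false, wired: false, posts: posts, error: String(e) };
  }
}

// Stand-alone demo: same inputs, both orderings.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('buggy, offsets match :', run(buggyInit, 2, 2));
  console.log('buggy, offsets differ:', run(buggyInit, 2, 5));
  console.log('fixed, offsets differ:', run(fixedInit, 2, 5));
}
```

The matching-offset case is why the bug was easy to miss: an admin whose stored offset already equals their browser's never executes the broken line, while a user one timezone over loses the entire UI. Any fix that changes ordering in a file like this should be checked with both inputs, not just the one the tester happens to have.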
I was not able to manage categories in the back-end. Impossible to select and drag category order.
However, I solved it by editing '/js/global.js'.
As peregrine mentioned above, I moved that code from line 309 to 1177.
Now my category managing feature works well.
The MeBox does not work correctly after the update.
EDIT:
Dashboard, MeModule, Inbox and more do not work correctly after the update.
I reuse Vanilla 2.1.1.
Can someone download 2.1.1 and 2.1.2 and do a comparison? We can't have people ignoring XSS bugs because JavaScript doesn't work; that's not smart.
Since @peregrine is obsessed with global.js, I'm asking you, can you do it please? I always used WinMerge to compare those versions, long time ago.
True, I would upgrade to 2.1.2; it is more secure than 2.1.1, but I would make one of the changes below.
There is already a comparison. Linc posted a diff:
https://github.com/vanilla/vanilla/compare/217901796812bb3bbff6c2a76e6d02999a2b6346...47cb085066596c2003a016783a3c19f434e6775c
The simple change is to upgrade and just modify global.js, or keep the old 2.1.1 global.js:
Upgrade to 2.1.2 and keep a copy of the old global.js from 2.1.1, which doesn't break the JS, and copy it over the 2.1.2 installation. The JS change has nothing to do with the XSS bugs.
Or reposition the lines suggested in my previous comment.
Or use the global.js I zipped up, which fixes the intended houroffset bug without breaking other things in the process.
Or copy 5 of the files and NOT global.js.
It will fix the XSS vulnerabilities without the backport of global.js.
In 2.1.2 there was a backport of the houroffset fix to global.js; it was just placed in a sub-optimal place in the code.
The introduction of two separate diverging forks of Vanilla, even-numbered and odd-numbered,
e.g.
2.1 (and 2.3 in future) for open-source
2.2 (and 2.4 in future) for hosted
makes it really hard for the developers in some respects (duplication, maintenance, upgrades, backporting security fixes, extra QC), but allows them to maintain more features in the hosted version. I don't envy maintaining two separate diverging forks.
Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global.js bug fixed and upload it here.
I think it really hurts the software if the newest version people should download is in a somewhat broken state.
My themes: pure | minusbaseline - My plugins: CSSedit | HTMLedit | InfiniteScroll | BirthdayModule | [all] - PM me about customizations
VanillaSkins.com - Plugins, Themes and Graphics for Vanillaforums OS
True, but then 2.1.2 would be two versions, and that would lead to more complications.
2.1.2a or 2.1.3 would be better, but index.php should reflect that.
Someone should call Lincoln or Todd on the phone to alert them; they must have their e-mail turned off. I sent the admins in North America (Adrian, Todd and Linc) a PM last night, but expecting them to work on weekends is probably unreasonable.
Yes, a new version number would be better.
Something should be done, because the situation right now encourages people not to update and people will be sceptical about updates in the future.
Even worse, people have broken forums and they don't even notice it (but their users do).
True. Affected users on a particular forum may not be able to post or use the button bar either to alert the forum owner.
I suspect it will be sorted out soon. Sent Kasper and Tim a message too.