Vanilla 2.1.7 released
This is a critical security upgrade for all forums.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.7
9 files changed. View the diff.
- Fix for CSRF potential in posting & editing discussions.
- Fix for allowing unauthorized Format changes to discussions (possible XSS vector when combined with the above CSRF).
- Harden Gdn_Database against MySQL injection attacks by closing possible multiple-query-per-statement vector.
Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.
Another hat tip to Dingjie Yang of Qualys, Inc for disclosing the CSRF & XSS vectors.
Both these contributors have responsibly disclosed previous security flaws as well, and we deeply appreciate their assistance.
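The three security fixes above correspond to three defensive patterns: validating the CSRF token on state-changing requests, allowlisting the Format a post may be saved with, and refusing stacked statements at the database driver while binding parameters. The PHP below is an added illustration written for this post, not Vanilla's own code; the session key name `TransientKey`, the format list, and the `GDN_Discussion` table name are assumptions.

```php
<?php
// Added example, not Vanilla's code. Shows the three checks that the 2.1.7
// fixes above correspond to. TransientKey, the format list and the table
// name are assumptions, not taken from the release notes.

// 1. Format allowlist: an edit request may only select a known formatter,
//    so a tampered "Format" field cannot switch a post to raw HTML.
const ALLOWED_FORMATS = ['Text', 'Markdown', 'BBCode', 'Html']; // assumed list

function sanitizeFormat(?string $requested, string $fallback = 'Text'): string {
    return in_array($requested, ALLOWED_FORMATS, true) ? $requested : $fallback;
}

// 2. CSRF: a state-changing POST must carry the per-session token, compared
//    in constant time against the one stored server-side.
function verifyTransientKey(array $session, array $post): bool {
    $expected = $session['TransientKey'] ?? '';
    $supplied = $post['TransientKey'] ?? '';
    return $expected !== '' && is_string($supplied) && hash_equals($expected, $supplied);
}

// 3. SQL: disable multi-statement execution in the MySQL driver and use real
//    (non-emulated) prepared statements, so a value containing ";" is data,
//    never a second query.
function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
    ]);
}

// Combines the three: reject the edit unless the token matches, then save
// with an allowlisted format and bound parameters.
function saveDiscussion(PDO $db, array $session, array $post): bool {
    if (!verifyTransientKey($session, $post)) {
        return false; // token missing or wrong: treat as a forged request
    }
    $stmt = $db->prepare(
        'UPDATE GDN_Discussion SET Body = :body, Format = :format WHERE DiscussionID = :id'
    );
    return $stmt->execute([
        ':body'   => (string) ($post['Body'] ?? ''),
        ':format' => sanitizeFormat($post['Format'] ?? null),
        ':id'     => (int) ($post['DiscussionID'] ?? 0),
    ]);
}
```

`PDO::MYSQL_ATTR_MULTI_STATEMENTS` needs the mysqlnd driver (PHP 5.5.21 / 5.6.5 or later); on older builds the same goal is reached by never concatenating request data into a query string.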
- Fix for "u.Photo isn't in GROUP BY" Fatal Error (thx @Shadowdare)
- Fix for detecting locales in enabled application (thx @hgtonight)
- Fix for IS NULL WHERE clauses (thx @imnotjames)
- Added a new "Class Gdn not found" exception if ini files are out of date to avoid obscure errors (me)
In other news, we made significant headway in our pull request backlog over the holidays and are moving to get the 2014 ones cleared as quickly as possible. We appreciate the contributions & activity (both on PRs and elsewhere) greatly.