CRITICAL: Vanilla 2.1.8 released
This is a critical and time-sensitive security upgrade for all forums. At least one of these issues is being actively exploited.
Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.8p2
UPDATE: We have incremented to "2.1.8p2" to address upgrade issues.
- Backup your database, .htaccess and conf/config.php file somewhere safe.
- Upload the new release's files so they overwrite the old ones.
- Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
- If it fails, try it a second time by refreshing the page. More troubleshooting tips.
To upgrade to 2.1.8 directly from 2.0.x, add these steps:
- Delete the file /themes/mobile/views/discussions/helper_functions.php
- Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)
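The file-level steps above, written as a shell function. This is an added example, not part of the Vanilla release: the function name, its arguments and the backup file naming are assumptions, paths are expected to be absolute with no trailing slash, and the database backup is left to your own dump tooling.

```shell
#!/bin/sh
# Added example: file-level pre-upgrade steps for Vanilla 2.1.8.
# Function name, arguments and backup layout are assumptions of this example.
# The database backup is NOT done here; take it with your own dump tooling.
# Usage: vanilla_pre_upgrade FORUM_ROOT BACKUP_DIR [from20]
vanilla_pre_upgrade() {
    root=$1; backup=$2; mode=${3:-}

    [ -f "$root/conf/config.php" ] || { echo "no conf/config.php under $root" >&2; return 1; }

    # Refuse a backup directory inside the forum root: a copy of config.php
    # placed there could end up served by the web server.
    case "$backup/" in
        "$root"/*) echo "backup dir must be outside $root" >&2; return 1 ;;
    esac

    # config.php holds the database credentials, so keep the copies owner-only.
    ( umask 077; mkdir -p "$backup" ) || return 1

    for f in conf/config.php .htaccess; do
        [ -f "$root/$f" ] || continue            # .htaccess may not exist
        dest="$backup/$(echo "$f" | tr '/' '_')"
        cp -p "$root/$f" "$dest" || return 1
        chmod 600 "$dest" || return 1
        # Verify the copy byte-for-byte before anything gets overwritten.
        cmp -s "$root/$f" "$dest" || { echo "backup of $f differs" >&2; return 1; }
    done

    if [ "$mode" = "from20" ]; then
        # Uploading over the old tree overwrites files but never deletes any,
        # so the two files the notes list have to be removed explicitly.
        for stale in themes/mobile/views/discussions/helper_functions.php \
                     applications/dashboard/views/default.master.php; do
            if [ -e "$root/$stale" ]; then
                rm -f "$root/$stale" || return 1
                echo "removed $stale"
            fi
        done
    fi
    return 0
}
```

Run it before uploading the new files, then continue with the utility/update step.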
Critical Security Patches in 2.1.8
- Fixes a SQL injection vulnerability.
- Fixes a user registration vulnerability.
Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.
Changes in 2.1.8
- Hardens the UserModel against potential abuse.
- Fixes stub content being re-created on utility/update on private communities.
- Increase permissions required for mass banning (from
- Collect additional information about mass-banning changes.
- Removes super-admin permissions from secondary accounts on utility update.
- Fixes an issue changing primary keys during utility update.
15 files changed. View the diff. We strongly recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme.
If you have difficulty upgrading, please start a new discussion for assistance.