HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

CRITICAL: Vanilla 2.1.8 released

LincLinc Detroit Admin
edited January 2015 in Releases

This is a critical and time-sensitive security upgrade for all forums. At least one of these issues is being actively exploited.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.8p2

UPDATE: We have incremented to "2.1.8p2" to address upgrade issues.

Upgrade Steps

  • Backup your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.8 directly from 2.0.x, add this step:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Critical Security Patches in 2.1.8

  • Fixes a SQL injection vulnerability.
  • Fixes a user registration vulnerability.

Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.

Changes in 2.1.8

  • Hardens the UserModel against potential abuse.
  • Stub content being re-created on utility/update on private communities.
  • Increase permissions required for massing banning (from Moderation.Manage to Settings.Manage).
  • Collect additional information about mass-banning changes.
  • Removes super-admin permissions from secondary accounts on utility update.
  • Fixes an issue changing primary keys during utility update

15 files changed. View the diff. We strongly recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme.

If you have difficulty upgrading, please start a new discussion for assistance.



Sign In or Register to comment.