
Vanilla 2.1.9 released

If you have difficulty upgrading, please start a new discussion for assistance.

This release addresses two security issues and a few other bugs.

Download it now: http://vanillaforums.org/addon/vanilla-core-2.1.9

Upgrade Steps

  • Back up your database, .htaccess and conf/config.php file somewhere safe.
  • Upload the new release's files so they overwrite the old ones.
  • Go to yourforum.com/index.php?p=/utility/update to force any updates needed.
  • If it fails, try it a second time by refreshing the page. More troubleshooting tips.

To upgrade to 2.1.9 directly from 2.0.x, add these steps:

  • Delete the file /themes/mobile/views/discussions/helper_functions.php
  • Delete the file /applications/dashboard/views/default.master.php (note the PHP extension, not TPL)

Security Patches in 2.1.9

  • Fixes a SQL injection vulnerability.
  • Fixes an XSS vulnerability.

Hat tip to ZeniMax Online Studios' security team for disclosing both vectors.

Other changes in 2.1.9

  • Fixes GetUnread behavior
  • Fixes missing class in Discussion Options
  • Debugger addon now also toggles Debug config setting.
  • PermissionCategory() has been backported so FileUpload is now fully backwards compatible with 2.1.

Big thanks to @R_J, @Bleistivt, and @hgtonight for these contributions to 2.1.9!

7 files changed. View the diff. We recommend against doing partial upgrades. Never modify core files; put your changes in a plugin or theme. Troubleshooting tips.

The 2.1 branch is slowing down in anticipation of the release of 2.2. The staff are only contributing security fixes, and we are no longer accepting large change sets. It's possible this release will end the 2.1 series if no further security issues are discovered. See the road to 2.2 for more details about the next release.


Comments

  • chanh ✭✭

    After upgrading to 2.1.9, the non-default admin user lost access to the dashboard. How do I fix it?

    Thanks

  • chanh ✭✭

    I figured it out. The upgrade reset the non-default admin's value to 0; I have to set it to 1 again manually.

    Is that by design?

  • @chanh said:
    I figured it out. The upgrade reset the non-default admin's value to 0; I have to set it to 1 again manually.

    Is that by design?

    Vanilla now only has one super admin after a structure update: https://github.com/vanilla/vanilla/commit/fdfb4aaaa79cd497db7af08332a148134ed892c5

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Bleistivt Moderator

    @chanh If you really need a second super admin, you can set the field to 2 which will persist after a structure update.
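The problem chanh ran into is easier to diagnose if you record who holds the super-admin flag before the upgrade and compare afterwards. The following added example (not Vanilla's code, not from any poster here) does that with the SQL you would run against the forum database; it assumes Vanilla's GDN_User table with its Admin column, where, as the thread states, 1 is the super admin and 2 is a second super admin that survives a structure update. The table is built in-memory with sqlite3 so the example runs offline, and the UPDATE in `demo()` is a constructed stand-in for the symptom, not Vanilla's structure update.

```python
"""Snapshot and compare super-admin accounts around a Vanilla upgrade (added
example).  Assumed schema: GDN_User.Admin, 1 = super admin, 2 = second super
admin that persists through a structure update (per this thread)."""
import sqlite3

ADMIN_QUERY = (
    "SELECT UserID, Name, Admin FROM GDN_User WHERE Admin > 0 ORDER BY UserID"
)


def build_demo_db(rows):
    """Constructed in-memory stand-in for the forum database.  The real
    GDN_User table has many more columns; only the ones used here are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE GDN_User ("
        "UserID INTEGER PRIMARY KEY, Name TEXT NOT NULL, "
        "Admin INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO GDN_User (UserID, Name, Admin) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def snapshot_admins(conn):
    """Return {UserID: (Name, Admin)} for every account holding Admin > 0."""
    return {uid: (name, admin) for uid, name, admin in conn.execute(ADMIN_QUERY)}


def compare_admins(before, after):
    """Diff two snapshots: who lost the flag entirely, whose value changed,
    and who gained it.  A gain you did not make yourself deserves a close look."""
    return {
        "lost": sorted(uid for uid in before if uid not in after),
        "changed": sorted(uid for uid in before
                          if uid in after and before[uid][1] != after[uid][1]),
        "gained": sorted(uid for uid in after if uid not in before),
    }


def demo():
    """Reproduce the symptom from the thread on constructed data: two accounts
    with Admin = 1 before the upgrade, only one afterwards."""
    conn = build_demo_db([(1, "founder", 1), (2, "second-admin", 1), (3, "member", 0)])
    before = snapshot_admins(conn)
    # Constructed stand-in for the effect described in the thread: the
    # non-default super admin's flag is cleared.  This is not Vanilla's code.
    conn.execute("UPDATE GDN_User SET Admin = 0 WHERE UserID = 2")
    after = snapshot_admins(conn)
    return compare_admins(before, after)


if __name__ == "__main__":
    print(demo())  # {'lost': [2], 'changed': [], 'gained': []}
```

Against a live forum, run `ADMIN_QUERY` through your MySQL client before and after the structure update and compare the two result sets the same way. If the second account really does need super-admin rights, the thread's advice is to set its Admin value to 2 rather than 1.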

  • Is there any documentation to go with this upgrade? I still haven't recovered everything from the last upgrade, which crashed my forum. Also, have you resolved the very complex method for changing the locale folder, which has never worked? Or are you now allowing users access to the HTML instead, so they can get rid of things like 'Howdy Stranger' and make simple changes to titles without going near a locale?

  • R_J Admin
    edited March 2015

    If you search hard, you might be able to find upgrade tips here: http://vanillaforums.org/discussion/29555/discussion-with-well-hidden-information

    You are asking if they changed their system design and users are now having to search through all source files in order to translate the forum? I guess not. Having only one locale file that has to be translated is the preferred method for most users...

    But it is up to you: if you prefer changing source, you can do so. But that will crash the update... Oops! I have a déjà-vu :naughty:

  • chanh ✭✭

    @hgtonight said:
    Vanilla now only has one super admin after a structure update: https://github.com/vanilla/vanilla/commit/fdfb4aaaa79cd497db7af08332a148134ed892c5

    I see but what is the reason for doing so?
    Thanks

  • @chanh said:

    Security. The whole idea of a super admin is that there is only supposed to be one; it is much better to rely on the roles/permission system.

    grep is your friend.

  • chanh ✭✭

    From my point of view, there should be at least two super admins so you have a way to recover if something bad happens to the one super admin; otherwise you might get locked out and be unable to recover.

  • @chanh said:
    From my point of view, there should be at least two super admins so you have a way to recover if something bad happens to the one super admin; otherwise you might get locked out and be unable to recover.

    It is trivially simple to recover with database access.

  • @Linc said:
    It is trivially simple to recover with database access.

    And if you haven't got database access, you probably shouldn't be super admin.

    grep is your friend.

  • chanh ✭✭

    In case someone hacks in and changes the super admin password via database access, can I just copy over my known password hash and log in to the super admin account?

    Thanks

  • R_J Admin

    If someone hacks your database, you better roll back to an uncompromised backup.

  • Bleistivt Moderator

    @chanh What R_J said - but yes, that would work.

  • x00 MVP
    edited March 2015

    You shouldn't store the hash anywhere else. You can reset it. If you are using the Vanilla HashMethod, just insert the password unhashed; as soon as you log on it will be converted to a hashed version. That is one of the cool touches (which only applies to that hash method).

    grep is your friend.

  • chanh ✭✭

    oh, that's cool! I didn't know that. Thanks

    @x00 said:
    You shouldn't store the hash anywhere else. You can reset it. If you are using the Vanilla HashMethod, just insert the password unhashed; as soon as you log on it will be converted to a hashed version. That is one of the cool touches (which only applies to that hash method).

  • Have installed it from fresh on a new site http://droneflyers.club/

  • I've never understood this line in the upgrade instructions

    "Upload the new release's files so they overwrite the old ones."

    So overwrite your existing Plugins and Themes directories? Seems like a bad idea...

  • Oh, and should you be concerned if the update page says 'the update was not successful' but if you just go and login to the dashboard you're on the correct version?

  • R_J Admin

    @Simeon_Griggs said:
    I've never understood this line in the upgrade instructions

    "Upload the new release's files so they overwrite the old ones."

    So overwrite your existing Plugins and Themes directories? Seems like a bad idea...

    You should never ever edit a core file. That way, overwriting is not harmful. If you would like to create a custom theme by altering an existing theme, copy it first and make it your own. If you improve a plugin by changing the code, copy it first and make it your own plugin. That way you are always safe.

    The only file that you might have changed and that could be overwritten is the .htaccess file, so keep a copy of that. The rest of the files can be overwritten as often as you like without any effect (if you haven't messed with the core files).
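R_J's rule only helps if you can tell whether a core file has been touched, either by a well-meaning edit that the next upload will silently overwrite or by a file you never put there. The following added example (not Vanilla's or R_J's code) compares an installed tree with a pristine copy of the same release and reports core files that differ, were added, or are missing, while skipping the paths that legitimately differ per site: .htaccess, conf/, uploads/, cache/, plugins/ and themes/. The directory names are an assumed layout for a 2.1 install.

```python
"""Core-file drift check for a Vanilla install (added example, not Vanilla's
own tool).  Compares the installed tree against a pristine release tree,
ignoring the paths that are site-specific by design."""
import hashlib
from pathlib import Path

# Top-level paths that differ per site by design (assumed 2.1 layout).
SITE_SPECIFIC_DIRS = ("conf", "uploads", "cache", "plugins", "themes")
SITE_SPECIFIC_FILES = (".htaccess",)


def tree_hashes(root):
    """Map each core file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    hashes = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel in SITE_SPECIFIC_FILES or rel.split("/")[0] in SITE_SPECIFIC_DIRS:
            continue
        hashes[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def core_drift(installed_root, pristine_root):
    """Return sorted lists of core files that were modified locally, added to
    the install without being part of the release, or missing from it."""
    installed = tree_hashes(installed_root)
    pristine = tree_hashes(pristine_root)
    return {
        "modified": sorted(r for r in installed
                           if r in pristine and installed[r] != pristine[r]),
        "added": sorted(r for r in installed if r not in pristine),
        "missing": sorted(r for r in pristine if r not in installed),
    }


if __name__ == "__main__":
    # Assumed paths: the live forum and an unpacked copy of the same release.
    report = core_drift("/var/www/forum", "/tmp/vanilla-core-2.1.9")
    for kind, files in report.items():
        for rel in files:
            print(f"{kind}: {rel}")
```

Run it before an upgrade to find local edits that would be lost, and after one to confirm the upload left nothing unexpected behind. Anything under "added" that ends in .php and is not yours is worth treating as an incident rather than a cleanup.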
