
Critical security release: Vanilla 2.3.1

Linc Admin
edited May 2017 in Releases

This upgrade includes:

  • A critical upgrade to the PHPMailer library to prevent remote code execution.
  • Mitigation of a medium-level exploit of the HTTP_HOST header.
  • Additional minor fixes I will detail in a comment.

BEFORE making this upgrade:

IF you run Vanilla in an environment where you explicitly declare HTTP_HOST, for example:

  • Many nginx server setups
  • Using Varnish
  • Using a load balancer

READ the new documentation about how to modify your install to accommodate (quoted below).

FAILURE to heed this will result in a BROKEN upgrade to Vanilla 2.3.1 to the point of it being inaccessible via the web.

If you're using a default Apache setup, you are very likely unaffected by this, and in fact the security patch herein is for you most especially.

I apologize for this ungainly preamble, but the public publication of a medium-severity exploit has forced this half-baked workaround out the door immediately.

Download It Now

Use the standard upgrade steps

If upgrading from 2.2 or earlier, see the 2.3 release discussion.

If you have problems upgrading from 2.3, please report them immediately.

Note that neither of these vulnerabilities affected our cloud customers. I include this note because I know some cloud customers do follow this forum. I will explain further why that is in a comment.

Advanced Handling of Headers

To utilize advanced handling of request and networking headers, it is recommended you make the necessary modifications in a bootstrap.before.php file. You may need to create this file in your config folder, if it does not already exist. The contents of this file are executed at the very beginning of Vanilla's bootstrapping process.

If, for example, you wanted to use the Host header from an incoming request to set the host Vanilla sees, you would add the following into bootstrap.before.php:

    if (isset($_SERVER['HTTP_HOST'])) {
        $_SERVER['SERVER_NAME'] = $_SERVER['HTTP_HOST'];
    }

This will overwrite the host set by the server with the value of the Host header. It is crucial to verify the validity of any such data. If you cannot verify the hosts provided in these headers, do not attempt to use them.

Permanent link to these new docs is here: Advanced Handling of Headers

Comments

  • edited May 2017

    There seems to be no upgrade script in this release, /index.php?p=/utility/upgrade returns a view not found error.
    unzip -l 2ZCYQN977HZZ.zip | grep upgrade also results in nothing.

    Looks like this is maybe an outstanding issue after seeing https://open.vanillaforums.com/discussion/33236/github-upgrading-instructions-are-incorrect#latest. Regardless of the responses there, the documentation is wrong here.

  • Linc Admin
    edited May 2017

    The endpoint /utility/update is canonical.

    I'm unclear why the /utility/upgrade alias is used in the docs and why it isn't functioning in 2.3, but the correct solution is always to use /utility/update. I've amended the README on master.

  • donovanb
    edited May 2017

    Can we ignore copying over the 'plugins' and 'themes' directory for this fix?

  • Linc Admin

    @donovanb said:
    Can we ignore copying over the 'plugins' and 'themes' directory for this fix?

    Yes.

  • Thx.. successful update. Just an FYI, make sure your file permissions are correct. I had to do:
    chmod -R g-w *.php

  • Maybe OT.. but could you briefly describe 'Add support for 'sso' parameter redirects.'? thanks!

  • @Linc said:
    IF you run Vanilla in an environment where you explicitly declare HTTP_HOST, for example:

    • Many nginx server setups

    Can you elaborate on this point? Do you mean if I'm doing something special in my nginx config that uses HTTP_HOST, or do you mean something that nginx may be doing without me having configured it?

  • Linc Admin

    @JasonBarnabe said:
    Can you elaborate on this point? Do you mean if I'm doing something special in my nginx config that uses HTTP_HOST, or do you mean something that nginx may be doing without me having configured it?

    If you are blindly accepting the HTTP_HOST header from the request and setting it as a server variable, you are susceptible.

    If you are setting the HTTP_HOST server variable from a white list / manually to the correct value, you are not susceptible.

    If you have a default nginx installation and are unsure which category you fall in, assume you are in the former category and need this patch.
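Linc's answer above (set the host from an allow list, never blindly from the request) combined with the bootstrap.before.php snippet quoted from the docs in the first post, as an added example that is not Vanilla's own code: the allowed host names and the helper name trustedHost are assumptions, and the code avoids PHP 7 syntax so it also runs on the PHP 5.4 minimum mentioned later in this thread.

```php
<?php
// Added example for conf/bootstrap.before.php (not Vanilla's own code).
// The host names below are constructed sample values: list only the names
// your forum is really served under.
$allowedHosts = array('forum.example.com', 'www.example.com');

/**
 * Return the Host header value if it is on the allow list, otherwise null.
 * Hypothetical helper: lower-cases the name and strips an optional :port so
 * "Forum.Example.com:443" still matches "forum.example.com".
 */
function trustedHost($hostHeader, array $allowedHosts) {
    if (!is_string($hostHeader) || $hostHeader === '') {
        return null;
    }
    $host = strtolower(trim($hostHeader));
    $host = preg_replace('/:\d+$/', '', $host);

    // Accept only a plain DNS-style name; anything else (IPv6 literals,
    // whitespace, slashes, header injection attempts) is rejected outright.
    if (!preg_match('/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/', $host)) {
        return null;
    }
    return in_array($host, $allowedHosts, true) ? $host : null;
}

$requestHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null;
$host = trustedHost($requestHost, $allowedHosts);

if ($host !== null) {
    // Verified against the allow list, so it is safe to let Vanilla use it.
    $_SERVER['SERVER_NAME'] = $host;
} else {
    // Unknown or malformed Host: keep whatever SERVER_NAME the web server
    // configured and do not use the header at all, as the docs advise.
    // If you log this, remember the raw header is attacker-controlled and
    // must be escaped before it reaches any log viewer or e-mail.
}
```

If you run a single-host setup behind a proxy, a one-entry allow list is enough; the point is that SERVER_NAME can only ever become a value you wrote into this file.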

  • Linc Admin
    edited May 2017

    @donovanb said:
    Maybe OT.. but could you briefly describe 'Add support for 'sso' parameter redirects.'? thanks!

    Yes, I am tracking down what the change was with the developer who made it and will update this Monday.

  • Does upgrading from 2.3 to 2.3.1 change the minimum php version from 5.4 to 5.6?

    2.3 says it requires 5.4 here https://open.vanillaforums.com/discussion/32822/vanilla-2-3-is-now-available
    but this page https://github.com/vanilla/vanilla#upgrading says 5.6

  • Linc Admin

    @review No, it does not. That is the requirement for the current master branch.

  • @Linc

    This upgrade includes:

    A critical upgrade to the PHPMailer library to prevent remote code execution.
    Mitigation of a medium-level exploit of the HTTP_HOST header.
    Additional minor fixes I will detail in a comment.
    

    Is it possible to upgrade only that relating to the above? Or need a complete update of all files?
    Thank you.

  • R_J Admin

    You can download both versions: 2.3 and 2.3.1 and do a file by file comparison (use a tool like WinMerge for that). Although it would be possible that way to only update the files that have changed, there should be no reason to do so.

    The only reason would be that you have changed core files. If you did so, you should try your best to solve this problem as soon as possible.

  • @R_J said:
    You can download both versions: 2.3 and 2.3.1 and do a file by file comparison (use a tool like WinMerge for that). Although it would be possible that way to only update the files that have changed, there should be no reason to do so.

    The only reason would be that you have changed core files. If you did so, you should try your best to solve this problem as soon as possible.

    Indeed, some files are different. I use Vanilla 2.3. Does this mean that I can change only those files that have been updated in Vanilla 2.3.1?
    Thank you

  • I have the same thing here...

  • The Font/Background color chooser in the text editor doesn't actually do anything.

    Oddly, I just noticed as I type this that there's not even a menu choice for that in this forum.
