
NEW critical security update: Vanilla 2.6.3

LincLinc Director of DevelopmentDetroit Vanilla Staff
edited September 24 in Releases

All installations must be upgraded to Vanilla 2.6.3 immediately. Please follow the upgrade instructions in the README. (Version 2.6.2 was defective and has been replaced.)

This release contains multiple critical security patches. There are no new features or backwards-incompatible changes.

A security update to the 2.5 branch of Vanilla is also now available as 2.5.6. If you are able to run PHP 7.0+ we strongly recommend you do so immediately and upgrade to 2.6.3 (above).

All of the issues patched in these releases were brought to our attention responsibly via our HackerOne campaign, which you can view and participate in by visiting https://hackerone.com/vanilla. We're not aware of any of the issues being exploited in the wild or being otherwise publicized at this time. That said, you should upgrade immediately because it's often easy to infer previous vulnerabilities from the patched code.

Comments

  • Error while updating from 2.6.1 to 2.6.2, Fatal Error in DashboardHooks.dashboardNavModule_init_handler();
    Class 'Vanilla\FeatureFlagHelper' not found

  • Ok. This is my first time trying to update my forum. I have 2.6.1. I downloaded the zip file into winzip. There are a ton of files, do I have to install all of them in cPanel or is there certain files? Or do I just upload the entire zip file? Also I am happy to pay someone to do this for me. I don’t think I have the technical ‘know how’. Just pm me if you can help me.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    Watch Out!

    That version as of now will crash your dashboard, but there is an easy fix, which @pico34 already showed here

    Since there are security issues addressed in this package, I would advise to not wait until this is patched, but to simply do it yourself - something I normally never would have said... :mrgreen:

    1. Download the zip file from here
    2. Unpack it to your server
    3. Edit /applications/dashboard/structure/class.hooks.php like that:

    Go to line 330 - 337

                ->addLinkIf(
                    \Vanilla\FeatureFlagHelper::featureEnabled('Import') && $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    Edit line 331 so that it looks like here

                ->addLinkIf(
                    $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    It is really easy, don't worry.

  • x00x00 MVP
    edited September 24

    @Linc

    I think possibly some stuff got merged in that shouldn't, as I only moved from 2.6.1 to 2.6.2 and there are breaking changes. Beyond the one mentioned. I'm doing a lot of custom stuff, but I got those working for the last update and now not.

    Edit: it was Smarty related. Just removed pass by reference (e.g. &$smarty to $smarty in custom Smarty functions).

    grep is your friend.

  • Can I edit class.hooks.php file on my desktop, and then update my server ?
    Or should I make the changes after updating my vanilla forum ?

    By the way, was the vulnerability made public ?

    P.S. . It is /applications/dashboard/settings/class.hooks.php

    @R_J said:

    Watch Out!

    That version as of now will crash your dashboard, but there is an easy fix, which @pico34 already showed here

    Since there are security issues addressed in this package, I would advise to not wait until this is patched, but to simply do it yourself - something I normally never would have said... :mrgreen:

    1. Download the zip file from here
    2. Unpack it to your server
    3. Edit /applications/dashboard/structure/class.hooks.php like that:

    Go to line 330 - 337

                ->addLinkIf(
                    \Vanilla\FeatureFlagHelper::featureEnabled('Import') && $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    Edit line 331 so that it looks like here

                ->addLinkIf(
                    $session->checkPermission('Garden.Import'),
                    t('Import'),
                    '/dashboard/import',
                    'forum-data.import',
                    '',
                    $sort
                );
    

    It is really easy, don't worry.

  • LincLinc Director of Development Detroit Vanilla Staff

    @x00 said:
    it was smarty related. Just removed pass by reference (e.g. &$smarty to $smarty in custom smarty functions)

    That's odd; we haven't changed anything about that as far as I know.

  • LincLinc Director of Development Detroit Vanilla Staff
    edited September 24

    @R_J said:
    That version as of now will crash your dashboard

    Fixing now. Version 2.6.3 incoming.

    It's never a good sign when I wake up in the morning and there's actually comments on the release discussion!

  • LincLinc Director of Development Detroit Vanilla Staff

    Version 2.6.3 is up, now.

  • Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    Since the patches are critical and damage may be done to forums I will report a new version now and I advise all users who still use auto-installers or at least have the option to use to report it too so that Softaculous updates sooner from 2.6.2 to 2.6.3.

    Is 2.6.3 only fixing bugs or also security updates?

    Anyway, thanks to Vanilla Forums developers for informing us and for fixing security issues so quickly.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    Right at the moment I'm struggling with replacing a Softaculous 2.6.1 Vanilla with Vanilla 2.6.3 and I cannot succeed! Really frustrating...

  • @Linc said:

    @x00 said:
    it was smarty related. Just removed pass by reference (e.g. &$smarty to $smarty in custom smarty functions)

    That's odd; we haven't changed anything about that as far as I know.

    yes it was odd.

    @Linc said:

    @R_J said:
    That version as of now will crash your dashboard

    Fixing now. Version 2.6.3 incoming.

    It's never a good sign when I wake up in the morning and there's actually comments on the release discussion!

    Don't worry, it's more important to get the security release out. Minor inconvenience.

    grep is your friend.

  • LincLinc Director of Development Detroit Vanilla Staff
    edited September 24

    @PCTipsGR said:
    Is 2.6.3 only fixing bugs or also security updates?

    2.6.3 is purely a security release. I scrubbed 2.6.2, the first attempt to release the security patches, due to a problem with one of the patches' compatibility. That compatibility fix was the only change between 2.6.2 (yesterday) and 2.6.3 (today).

  • LincLinc Director of Development Detroit Vanilla Staff

    @PCTipsGR said:
    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    I don't have anything against auto-installers, but I also have no idea how to notify Softaculous or any other third party about new Vanilla releases. They operate on their own schedule.

  • @Linc said:

    @PCTipsGR said:
    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    I don't have anything against auto-installers, but I also have no idea how to notify Softaculous or any other third party about new Vanilla releases. They operate on their own schedule.

    If you have Softaculous on your server, you can click the "Report New Version" button.

    Otherwise, leave it to us, Softaculous users. Currently the version available is 2.6.2 and since it will just damage my installation, I will not upgrade and wait patiently for Softaculous to update their versions.

    There is always the Contact option too if they are too late on updating and many days have passed.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    @Linc said:

    @PCTipsGR said:
    Softaculous has not yet updated to the latest version, so that is why we should not use auto-installers I assume.

    I don't have anything against auto-installers

    The problem with them is that they alter Vanilla somehow and if anything is not working as expected you can never tell if it is a problem with the original script or caused by the installer.

    Yesterday I tried to update a 2.6.1 Softaculous installation by simply copying the new files into the existing installation and ended with an unexplainable 403 error.
    The end result has been a total wipe of the folder and a clean installation.

    From my point of view auto-installers are great to test a lot of CMS/forum/gallery/whatever scripts, but they suck in production environments.

  • Thanks for the security update. Luckily I didn't see the 2.6.2 announcement and was able to go right from 2.6.1 to 2.6.3 without issue.

    So consider this throwing some love to the devs working on this! I know you guys mostly hear from users when things are NOT working!!! Thanks again.

  • For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.

  • @PCTipsGR said:
    For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.

    So is it safe to use Softaculous for the update today?

  • @mauwiks said:

    @PCTipsGR said:
    For any Softaculous user interested, Softaculous has now upgraded to Vanilla 2.6.3, one day after the patch.

    So is it safe to use Softaculous for the update today?

    Of course, there is no problem with that.

    The problem here was that they updated the release only a day afterwards, they had 2.6.2 and as it seems they don't bother checking why it was not good for forums, and only after reporting new version they updated it.

    Also, @R_J said they alter Vanilla somehow so if you install it with Softaculous once, it will be very hard to maintain it yourself afterwards and will have to wait for Softaculous to make the new version available.

    By the way, making new version available one day after the post is not so bad I think. I should check out on their antagonist, Fantastico F3, and see how they are doing. Currently they have 2.6.3 as latest version, so Fantastico users can also update safely :smile:

  • Okay, thanks for the idea. I'm going to test it out first on dev mode.

  • Couldn't upgrade to 2.6.3 from 2.6.1 successfully using Filezilla - had to keep rolling back. Tried WinSCP instead and it worked perfectly.

  • LincLinc Director of Development Detroit Vanilla Staff

    @Vivant said:
    Couldn't upgrade to 2.6.3 from 2.6.1 successfully using Filezilla - had to keep rolling back. Tried WinSCP instead and it worked perfectly.

    I'd compare settings between the two. Filezilla isn't deficient, but FTP settings can be very finicky. Folder vs file overwrites, hidden files, and other variables can determine behavior.

  • It's strange because I've been using FileZilla for years without an issue - just this release for some reason.

  • LincLinc Director of Development Detroit Vanilla Staff

    @Vivant said:
    It's strange because I've been using FileZilla for years without an issue - just this release for some reason.

    I'm afraid only one of us has FileZilla to determine the root cause of that one. :)

  • When I try to access the notification area, this message appears:

    "The CSRF token is not valid. Please try again."

    Can you help me?

  • LincLinc Director of Development Detroit Vanilla Staff
    edited October 3

    @thiagogoedert said:
    "The CSRF token is not valid. Please try again."

    I think your theme needs an update.

    Check out this update to the MeModule's view, me.php.

    It's possible your theme also has a me.php (or some other way of displaying the notifications menu) that needs the transient key added to it like that.

    Note the line above it where the transient key is first retrieved, too!

    If I were gonna try and hack it, I'd search for /notificationspopin in your theme, and replace it with /notificationspopin?TransientKey='.htmlspecialchars(urlencode(Gdn::session()->transientKey())).
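    As an added example (not Vanilla's own code and not the me.php change linked above), a stand-alone PHP sketch of what the theme fix amounts to: the notifications link carries the session's transient key in its query string, encoded for the URL and then for the HTML attribute, and the receiving side compares the submitted key in constant time. Only Gdn::session()->transientKey() is Vanilla's real API; the helper names and the sample key are assumptions.

```php
<?php
// Added example, not Vanilla's code. In a real theme the key comes from
// Gdn::session()->transientKey(); here a constructed sample key stands in.

/**
 * Append the TransientKey parameter to a path, keeping any query string
 * the path already has. $transientKey is the per-session CSRF token.
 */
function notificationsPopinUrl(string $path, string $transientKey): string {
    $separator = (strpos($path, '?') === false) ? '?' : '&';
    return $path . $separator . 'TransientKey=' . urlencode($transientKey);
}

/**
 * Render the link for an href attribute. Encoding order matters: urlencode()
 * for the URL context first, htmlspecialchars() for the attribute context
 * last, which is the order used in the thread.
 */
function notificationsPopinHref(string $transientKey): string {
    $url = notificationsPopinUrl('/notificationspopin', $transientKey);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/**
 * Receiving side: reject a missing key and compare the rest in constant
 * time so the check does not leak how many leading bytes matched.
 * ($submitted is untyped so the function also runs on PHP 7.0.)
 */
function transientKeyIsValid($submitted, string $sessionKey): bool {
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($sessionKey, $submitted);
}

// Constructed sample key containing characters that need URL encoding.
$key = 'abc123+/=xyz';
echo '<a href="' . notificationsPopinHref($key) . '">Notifications</a>', PHP_EOL;

// Simulate the round trip: PHP decodes the query string before it reaches $_GET.
$submitted = urldecode('abc123%2B%2F%3Dxyz');
var_dump(transientKeyIsValid($submitted, $key));
var_dump(transientKeyIsValid(null, $key));
var_dump(transientKeyIsValid('abc123+/=xyZ', $key));
```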

  • @Linc said:

    @thiagogoedert said:
    "The CSRF token is not valid. Please try again."

    I think your theme needs an update.

    Check out this update to the MeModule's view, me.php.

    It's possible your theme also has a me.php (or some other way of displaying the notifications menu) that needs the transient key added to it like that.

    Note the line above it where the transient key is first retrieved, too!

    If I were gonna try and hack it, I'd search for /notificationspopin in your theme, and replace it with /notificationspopin?TransientKey='.htmlspecialchars(urlencode(Gdn::session()->transientKey())).

    Did not work :(

  • @thiagogoedert said:

    @Linc said:

    @thiagogoedert said:
    "The CSRF token is not valid. Please try again."

    I think your theme needs an update.

    Check out this update to the MeModule's view, me.php.

    It's possible your theme also has a me.php (or some other way of displaying the notifications menu) that needs the transient key added to it like that.

    Note the line above it where the transient key is first retrieved, too!

    If I were gonna try and hack it, I'd search for /notificationspopin in your theme, and replace it with /notificationspopin?TransientKey='.htmlspecialchars(urlencode(Gdn::session()->transientKey())).

    Did not work :(

    It would be really helpful if you mentioned the name of the theme you have installed on your forum, or if it is a theme created by you then you could create a new thread asking for help on it and mentioning what you have done (debugging process).

  • ShadowdareShadowdare π Moderator
    edited October 11

    @Linc said:

    @thiagogoedert said:
    "The CSRF token is not valid. Please try again."

    I think your theme needs an update.

    Check out this update to the MeModule's view, me.php.

    It's possible your theme also has a me.php (or some other way of displaying the notifications menu) that needs the transient key added to it like that.

    Note the line above it where the transient key is first retrieved, too!

    I had a theme that gave this error when viewing the notification flyout in the MeModule and adding these transient key changes to the theme fixed it for me.

    Add Pages to Vanilla with the Basic Pages app | Publish articles with the Articles app
