Security update: Vanilla 2.6.4
Get it here: https://open.vanillaforums.com/addon/vanilla-core
This release includes 5 security patches disclosed through our HackerOne bounty campaign. They include fixes for:
- A remote code execution exploitable only by admins.
- Two XSS vectors in different parts of the Dashboard.
- An XSS vector in the OpenID addon (must be enabled) caused by old debug code.
We also made it more difficult to maliciously change a user's email by removing the cooldown period on prompting for your password when an email change is requested.
Warning: If you have any addons (themes or plugins) in your forum install with an invalid key, you will get an error on upgrade and will need to physically delete them from your installation. Fixing them is relatively painless, but a topic for elsewhere. We no longer allow invalid keys due to one of the security vulnerabilities above.
Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.6.3 are in this version.
Comments
Little problem: there are _config.php and bootstrap.early.php files in the /conf folder and they update the config.php files... I removed them and everything's OK.
I've replaced the download as of 5 minutes ago. Thanks for the heads up.
Roll back to the backup of your config.php as well.
Apparently there is a new bug in our build process we need to address.
It appears that there are unwanted files in the uploads folder, too. I hope that removing them is safe.
It is. Thanks for letting us know.
Pushed the button via Softaculous in Cpanel, painless thus far.
Do I still have to back up my "default.master.tpl" again to preserve my customization for desktop and mobile when I update to this version? I have installed the HTML Editor already. Would it not preserve the customization I made?
I have a problem after update. What do I have to do to fix it?
It sounds like one of your addons has an invalid key in its info. I suggest disabling your third-party addons and investigating their addon.json (new style) or the key of the $PluginInfo array in the main plugin file (old style).
You should create a new theme containing that file, then select that theme in the Dashboard.
If you have customized a core Vanilla file directly, then yes, you'd need to beware of that during every upgrade (which is why a simple theme is the correct way to do this).
I've left only original plugins from core vanilla file and cleared cache, but it still has the error
Interesting. Then I'd go a step further and delete non-original plugins from your /plugins folder.
I've added a warning to the announcement above regarding invalid addon keys. Clearly we didn't realize so many corrupt addons were out there.
If you may, could you give some link on how to create a customized theme in a proper way?
Anyway, I just upgraded my Vanilla to the latest version and it seems that I don't need to edit anything anymore. Using a plugin such as HTML Editor made my customization stick from the old version to the new update, unlike what happened before.
I've deleted all plugins and locales, cleared cache and still have the error.
I just did the upgrade myself and got exactly the same error as you and it took me a while to find out the reason. In the end it was the premium theme "Flat Responsive" because blanks are not allowed in theme or addon names.
You need to rename the folder (just replace the blank with a "_" character) and you have to edit the about.php of the file and make the PluginInfo exactly the same as the folder name.
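A pre-upgrade check for the invalid-key condition described in the announcement and in the replies above, added here as an example (not code from Vanilla or from anyone in this thread): it walks plugins/ and themes/, reads each addon's addon.json key or its old-style $PluginInfo/$ThemeInfo index, and flags keys that are missing, contain blanks, or differ from the folder name. Those three rules are the ones stated in this thread; that Vanilla's own validateKey checks nothing weaker is an assumption, and the sample install tree in demo() is constructed.

```python
import json
import re
import tempfile
from pathlib import Path
# Old-style addons declare $PluginInfo['key'] (plugins) or $ThemeInfo['key'] (themes' about.php).
INFO_KEY_RE = re.compile(r"\$(?:Plugin|Theme)Info\[\s*['\"]([^'\"]*)['\"]\s*\]")

def addon_key(addon_dir: Path):
    """Key the addon declares: addon.json 'key' (new style) or the $PluginInfo/$ThemeInfo index."""
    manifest = addon_dir / "addon.json"
    if manifest.is_file():
        try:
            return json.loads(manifest.read_text(encoding="utf-8")).get("key")
        except ValueError:  # an unparsable manifest counts as no key
            return None
    for php in sorted(addon_dir.glob("*.php")):
        match = INFO_KEY_RE.search(php.read_text(encoding="utf-8", errors="replace"))
        if match:
            return match.group(1)
    return None

def key_problems(folder: str, key: object) -> list:
    """Rules the replies describe: a string key, no blanks, identical to the folder name."""
    if not isinstance(key, str):
        return ["no string key declared"]
    problems = ["key contains whitespace"] if re.search(r"\s", key) else []
    if key != folder:
        problems.append(f"key {key!r} differs from folder name {folder!r}")
    return problems

def audit(root: Path) -> dict:
    """Map 'plugins/<dir>' or 'themes/<dir>' to its problems; clean addons are omitted."""
    findings = {}
    for kind in ("plugins", "themes"):
        for addon_dir in sorted(p for p in (root / kind).iterdir() if p.is_dir()):
            if problems := key_problems(addon_dir.name, addon_key(addon_dir)):
                findings[f"{kind}/{addon_dir.name}"] = problems
    return findings

def demo() -> dict:
    """Constructed install tree (sample data, not a real forum): one good and two bad addons."""
    root = Path(tempfile.mkdtemp())
    for rel, text in {
        "plugins/HtmlEditor/addon.json": json.dumps({"key": "HtmlEditor"}),
        "themes/Flat Responsive/about.php": "<?php\n$ThemeInfo['Flat Responsive'] = array();\n",
        "plugins/Flair/default.php": "<?php\n$PluginInfo['flair'] = array('Name' => 'Flair');\n",
    }.items():
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_text(text)
    return audit(root)
```

Run audit() against the root of a real install before upgrading; every entry it reports is an addon the thread says will make 2.6.4 error on upgrade until the folder and key are renamed.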
I've written print_r($key) in the private method validateKey and found out that the parameter passed to the method is an array instead of a string:
I've found the problem. In config.php there was a weird line in the plugins section. I deleted it. And now everything is fine.
@Linc
There are a lot of extra personal files in the update, like random uploads and MACOSX files.
I understand the haste in releasing this, so no big deal; just pointing it out.
grep is your friend.
Can you specify which ones?
I'll start a PR to get the uploads/ contents out of the build plus whatever else you identify.