Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Try Vanilla Forums Cloud product

Security update: Vanilla 2.6.4

LincLinc Director of DevelopmentDetroit Vanilla Staff
edited October 31 in Releases

Get it here: https://open.vanillaforums.com/addon/vanilla-core

This release includes 5 security patches disclosed thru our HackerOne bounty campaign. They include fixes for:

  • A remote code execution exploitable only by admins.
  • Two XSS vectors in different parts of the Dashboard.
  • An XSS vector in the OpenID addon (must be enabled) caused by old debug code.

We also made it more difficult to maliciously change a user's email by removing the cooldown period on prompting for your password when an email change is requested.

Warning: If you have any addons (themes or plugins) in your forum install with an invalid key, you will get an error on upgrade and will need to physically delete them from your installation. Fixing them is relatively painless, but a topic for elsewhere. We no longer allow invalid keys due to one of the security vulnerabilities above.

Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.6.3 are in this version.

pioc34steam

Comments

  • little problem, there are _config.php and bootstrap.early.php files in /conf folder and they update config.php files... I removed them and everything's ok.

    Riadz
  • LincLinc Director of Development Detroit Vanilla Staff
    edited October 29

    @pioc34 said:
    little problem, there are _config.php and bootstrap.early.php files in /conf folder and they update config.php files... I removed them and everything's ok.

    I've replaced the download as of 5 minutes ago. Thanks for the heads up.

    Roll back to the backup of your config.php as well.

    Apparently there is a new bug in our build process we need to address.

    pioc34
  • It appears that there are unwanted files in the uploads folder, too. I hope that removing them is safe.

    Shadowdare
  • LincLinc Director of Development Detroit Vanilla Staff

    @korelstar said:
    It appears that there are unwanted files in the uploads folder, too. I hope that removing them is safe.

    It is. Thanks for letting us know.

    Shadowdare
  • Pushed the button via Softaculous in Cpanel, painless thus far.

    mauwiks
  • Do I still have to back up my "default.master.tpl" again to preserve my customization for desktop and mobile when I update to this version? I have installed the HTML Editor already. Would it not preserve the customization I made?

  • edited October 31

    I have a problem after update. What do I have to do to fix it?

  • LincLinc Director of Development Detroit Vanilla Staff

    @Ivan_Gurin said:
    I have a problem after update. What do I have to do to fix it?

    It sounds like one of your addons has an invalid key in its info. I suggest disabling your third-party addons and investigating their addon.json (new style) or the key of the $PluginInfo array in the main plugin file (old style).

  • LincLinc Director of Development Detroit Vanilla Staff

    @mauwiks said:
    Do I still have to back up my "default.master.tpl" again to preserve my customization for desktop and mobile when I update to this version? I have installed the HTML Editor already. Would it not preserve the customization I made?

    You should create a new theme containing that file, then select that theme in the Dashboard.

    If you have customized a core Vanilla file directly, then yes, you'd need to beware of that during every upgrade (which is why a simple theme is the correct way to do this).

    mauwiks
  • @Linc said:

    @Ivan_Gurin said:
    I have a problem after update. What do I have to do to fix it?

    It sounds like one of your addons has an invalid key in its info. I suggest disabling your third-party addons and investigating their addon.json (new style) or the key of the $PluginInfo array in the main plugin file (old style).

    I've left only original plugins from core vanilla file and cleared cache, but it still has the error :(

  • LincLinc Director of Development Detroit Vanilla Staff

    @Ivan_Gurin said:
    I've left only original plugins from core vanilla file and cleared cache, but it still has the error :(

    Interesting. Then I'd go a step further and delete non-original plugins from your /plugins folder.

  • LincLinc Director of Development Detroit Vanilla Staff

    I've added a warning to the announcement above regarding invalid addon keys. Clearly we didn't realize so many corrupt addons were out there.

  • mauwiksmauwiks New
    edited October 31

    @Linc said:

    @mauwiks said:
    Do I still have to back up my "default.master.tpl" again to preserve my customization for desktop and mobile when I update to this version? I have installed the HTML Editor already. Would it not preserve the customization I made?

    You should create a new theme containing that file, then select that theme in the Dashboard.

    If you have customized a core Vanilla file directly, then yes, you'd need to beware of that during every upgrade (which is why a simple theme is the correct way to do this).

    If you may, could you give some link on how to create a customized theme in a proper way?

    Anyway, I just upgraded my Vanilla to the latest version and it seems that I don't need to edit anything anymore. Using a plugin such as HTML Editor made my customization stick from the old version to the new update. Unlike what happened before

  • @Linc said:

    @Ivan_Gurin said:
    I've left only original plugins from core vanilla file and cleared cache, but it still has the error :(

    Interesting. Then I'd go a step further and delete non-original plugins from your /plugins folder.

    I've deleted all plugins and locales, cleared cache and still have the error.

    rasis
  • R_JR_J Cheerleader & Troubleshooter Munich Moderator
    edited October 31

    @Ivan_Gurin said:
    I have a problem after update. What do I have to do to fix it?

    I just did the upgrade myself and got exactly the same error as you and it took me a while to find out the reason. In the end it was the premium theme "Flat Responsive" because blanks are not allowed in theme or addon names.

    You need to rename the folder (just replace the blank with a "_" character) and you have to edit the about.php of the file and make the PluginInfo exactly the same as the folder name.

    pioc34
  • edited October 31

    I've written print_r($key) in private method validateKey and found out that in the method passed parameter as array insted of parameter as string:

  • I've found problem. In config.php was wired line in plugins section. I deleted it. And now everything is fine.

  • @Linc

    There are a lot of extra personal files in the update like random uploads, MACOSX files

    I understand the haste, in releasing this so no big deal just pointing it out.

    grep is your friend.

  • LincLinc Director of Development Detroit Vanilla Staff
    edited November 9

    @x00 said:
    MACOSX files

    Can you specify which ones?

    I'll start a PR to get the uploads/ contents out of the build plus whatever else you identify.

  • $ diff -qr 2.6.3 2.6.4 | grep "Only in" | grep -v "2.6.3"
    Only in 2.6.4/conf: .DS_Store
    Only in 2.6.4: __MACOSX
    Only in 2.6.4: uploads
    

    grep is your friend.

    R_J
Sign In or Register to comment.