Blog Documentation Book a Demo
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

! Vanilla 1.0.3 Released !

2

Comments

  • StashStash
    Worked for me, but I *did* have to CHMOD the file back to whatever it was before I changed it. Besides, that only stopped me activating and deactivating extensions :D
  • MarkMark Vanilla Staff
    edited December 2006
    @PassingShot: Are you sure you did it correctly? My extensions.php file looks like this:

    <?php // Make sure this file was not accessed directly and prevent register_globals configuration array attack if (!defined('IN_VANILLA')) exit(); // Enabled Extensions

    ... followed by my enabled extensions...
  • MinisweeperMinisweeper New
    Just one thing, Mark, isnt that entire file rewritten each time extensions are enabled/disabled? Or does vanilla just cut out lines and add lines as necessary?
  • NickENickE New
    edited December 2006
    I don't believe it is mini. You'll notice that in /library/Framework/Framework.Control.ExtensionForm.php, the extension file is read into an array, and inclusion lines are added/deleted from the array to enable/disable extensions.
  • MinisweeperMinisweeper New
    Fair enough then.
  • MarkMark Vanilla Staff
    What SirNot said.
  • finferflufinferflu
    I've got exactly the same problem as PassingShot, the page won't load and stay blank. This is my conf/extensions.php:
    <?php
    // Make sure this file was not accessed directly and prevent register_globals configuration array attack
    if (!defined('IN_VANILLA')) exit();
    // Enabled Extensions
    include($Configuration['EXTENSIONS_PATH']."Attachments/default.php");
    include($Configuration['EXTENSIONS_PATH']."WhosOnline/default.php");
    include($Configuration['EXTENSIONS_PATH']."NewApplicants/default.php");
    include($Configuration['EXTENSIONS_PATH']."NewsMailer/default.php");
    include($Configuration['EXTENSIONS_PATH']."GuestWelcome/default.php");
    include($Configuration['EXTENSIONS_PATH']."YellowFade/default.php");
    include($Configuration['EXTENSIONS_PATH']."ConfirmGoBack/default.php");
    include($Configuration['EXTENSIONS_PATH']."BetterBBCode/default.php");
    include($Configuration['EXTENSIONS_PATH']."Quotations/default.php");
    include($Configuration['EXTENSIONS_PATH']."InviteFriends/default.php");
    include($Configuration['EXTENSIONS_PATH']."AddComments/default.php");
    include($Configuration['EXTENSIONS_PATH']."Notify/default.php");
    include($Configuration['EXTENSIONS_PATH']."members_page/default.php");
    include($Configuration['EXTENSIONS_PATH']."ExtendedTextFormatter/default.php");
    include($Configuration['EXTENSIONS_PATH']."comments_permalinks/default.php");
    ?>
    Thank you for your help.
  • TexTex
    @ finferflu: Did you try to CHMOD the file after uploading it?
  • NickENickE New
    @finferflu: Try replacing it with something like if(!defined('IN_VANILLA')) exit('exiting from '.__FILE__);and see if it says anything.
  • finferflufinferflu
    edited December 2006
    @ Tex:

    Yes, I've tried to CHMOD to 666, 665 and 777, but no result.


    @ SirNot:

    That's what it says with your code:
    exiting from /membri/tmc/Vanilla.1/conf/extensions.php
    Thank you guys so far.
  • PolPol
    Hey Mark... setup/index.html still says "Click here to upgrade from Vanilla 0.9.2.x to Vanilla 1.0.1".
  • IanTearleIanTearle
    Can i get Vanilla 1.0.1 still? i would like to use some of the extensions that are only compatable with 1.0.1 or am i missing something and 1.3 does actually run backward extensions???? HELP!
  • PolPol
    edited December 2006
    Any extension that works with 1.0.1 should work exactly the same in 1.0.3.
  • NickENickE New
    @finferflu: When you look in appg/settings.php, do you see a line which looks like the following?define('IN_VANILLA', 1);If not, then that's your problem.
  • finferflufinferflu
    edited December 2006
    Nope, I haven't got that line!
    I've added it at the end, obviously before ?>, then tried again with if (!defined('IN_VANILLA')) exit(); in /conf/extensions.php, but I still get the blank page... Maybe there's something else to do, which I completely ignore...
  • arpecoparpecop
    1 is there any .htaccess solution for this? 2 when we download extension from Vanilla addons ... is there this line added already ? 3 what versions are vulnarable? and can we download old versions of the script? 4 what hacker can do using this line injection (not how) thanks
  • MinisweeperMinisweeper New
    If you read the blog post it gives you a better insight into the problem. Using htaccess is no help in this case, extensions contain the line if their authors have added it (all authors were emailed saying to update their extensions if necessary - i guess if they havent all been updated as appropriate in a week or so i'll go through and do any that need it), versions below 1.0.3 are vulnerable, and hackers can do pretty much whatever they want (it allows them to execute their own php script on your server) assuming register_globals is enabled (if it's not you dont *need* to worry about it).
  • MarkMark Vanilla Staff
    edited December 2006
    @Finferflu - make sure that your appg/settings.php file contains:

    define('IN_VANILLA', '1');

    If it doesn't, then you didn't upload the new appg files properly, and that would cause the change to your conf/settings.php file to cause the entire forum to load blank.
  • jimwjimw
    I have a little problem in that the extensions page does not show the extensions that I have activated. And also, the Pimped extension doesn't work, but maybe I have to download a new version.
  • WallPhoneWallPhone
    Pimped is my only extension that includes other files, but has not been updated yet. It probably needs only the in vanilla check added.
This discussion has been closed.