
Vanilla 1.1.4 Released

245 Comments

  • The only files necessary to fix the vulnerabilities are /ajax/sortcategories.php, /ajax/sortroles.php, /languages/English/definitions.php, /themes/settings_category_list.php and /themes/settings_role_list.php.

    If you want to use the minify and lighter js file replace /js/*.

    The other files are related to the version numbers.
  • Dinoboff: Thanks for the answers in the General Category!! I still have a problem after updating (and overwriting files). Now everything looks OK, but I can't delete posts... (it looks like it is deleting, but after a few seconds nothing has changed... the post is still in the category.) Also, I can't switch extensions on/off. When I try, this message comes up: "There was a problem authenticating your post information". Raf.
  • Ah.. So I'll assume that means no changes were made to the JS other than minification.
  • Mine says this: define('FRAMEWORK_VERSION', '1.1.4');
    So it should be APPLICATION_VERSION.
  • edited October 2007
    Guys, I saw Error 2 in Mark's profile!! http://lussumo.com/community/account/1/ - see his "Vanilla Add-ons by this user": "A fatal, non-recoverable error has occurred". It seems 1.1.4 has this Error 2... =================================== Myschizo: define('FRAMEWORK_VERSION', '1.1.4'); so will it work when we add it?? And which .php files should we add it to? Cheers!
  • edited October 2007
    fixed
  • Mark (Vanilla Staff)
    edited October 2007
    Dammit - I can't do an upload for another six hours.
  • Mark (Vanilla Staff)
    Okay - The new package has been uploaded. I'm fixing the addons problem now...
  • Mark (Vanilla Staff)
    Addons problem fixed as well - thanks!
  • TomTester
    edited October 2007
    As per my previous post (sNews Hax0rs, Vanilla & Security (XSS/Exploits protection)), it's important to note that these guys use echo "dork: \"is a product of Lussumo\"\n";
    to identify vulnerable sites using Google (searching for pages containing the 'dork' string).

    Of course there are other 'identifiers' on a page to use as a 'Dork', but a GRAPHICAL version indicator that is not so easily indexed by search engines can be useful.
    If only because FAILED attacks will result in more warnings for the rest of the community.
  • dan39
    edited October 2007
    Just curious, but isn't the "X-Powered-By: Lussumo Vanilla 1.1.x" label that was recently added to Vanilla headers a security vulnerability as well? Is there any reason not to remove it??
  • The X-Powered-By won't itself appear in search engine results, however, if someone found a Vanilla by searching for, say CommentAuthor CommentTime, they could then grab any page's headers to get the version number.

    Remove it if you want (it won't break anything), but security by obscurity is not really security at all. In my experience, exploits like this are just run by dumb bots that will try years-old exploits for software that isn't even running on your site, if you so much as appear in a search for the 'dork' keywords.

    At one time, my Linux/Apache server got the same Microsoft/IIS exploit run against it every day for a full month. I still get one about every week. Something as simple as checking the headers would make it clear that they're wasting their time, but it's just a dumb script running against links in a search results page.
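    An added example, not part of this thread or of Vanilla's own code: a small audit check a site owner can run against their own server's response headers to see which ones disclose a product name and, more importantly, a version number (the part a scanner would key on), and to confirm the header is really gone after removing it. The two header blocks are constructed samples, not captures from a real site; the "after" block assumes the X-Powered-By header was dropped and Apache was set to report only its product name (its real ServerTokens Prod setting). The point the post makes still stands: trimming this is hygiene, not protection.

```python
"""
Added example (not from the original thread or from Vanilla): audit an HTTP
response for version-disclosing headers such as X-Powered-By.
The sample responses below are constructed, not captured from a real site.
"""
import re
from typing import Dict, List

# Headers that commonly leak software names and versions to anyone who fetches a page.
DISCLOSURE_HEADERS = ("x-powered-by", "server", "x-aspnet-version", "x-generator")

# A bare version token such as 1.1.4 or 2.2.3; distinguishes a version leak
# from a product name alone ("Apache" vs "Apache/2.2.3").
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response (status line plus headers) into a dict of
    lower-cased header name -> list of values. Parsing stops at the blank line
    that ends the header block, so a body may follow."""
    headers: Dict[str, List[str]] = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:           # lines[0] is the status line
        if line.strip() == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                 # malformed header line; skip rather than crash
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_disclosures(raw: str) -> List[dict]:
    """Return one finding per disclosure header present, flagging whether the
    value includes a version number."""
    findings = []
    for name, values in parse_headers(raw).items():
        if name not in DISCLOSURE_HEADERS:
            continue
        for value in values:
            findings.append({
                "header": name,
                "value": value,
                "leaks_version": bool(VERSION_RE.search(value)),
            })
    return findings


# Constructed sample: a response as a Vanilla 1.1.x site of that era might send,
# with the product-and-version X-Powered-By value discussed in the thread.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Oct 2007 12:00:00 GMT\r\n"
    "Server: Apache/2.2.3\r\n"
    "X-Powered-By: Lussumo Vanilla 1.1.4\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response after X-Powered-By is removed and the
# Server value is reduced to the product name (Apache's ServerTokens Prod).
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Oct 2007 12:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for f in find_disclosures(sample):
            print(f"  {f['header']}: {f['value']}  version leak: {f['leaks_version']}")
```

    Run it once before and once after the configuration change; the "after" run should list only headers whose leaks_version flag is false, which is a cheap regression check to keep in a deployment script.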
  • Not a deal-breaker by any means, but in people.css, lines 19-26:

    body, div, input, textarea, select { font-family: Trebuchet MS, Verdana, Tahoma, Arial; font-size: 12px; color: #062971; } input { font-family: arial; }
    Trebuchet MS needs quotes; the way vanilla.css does it is below. Capital "Arial" is just a nitpick. :) ...

    body, div, input, textarea, select { font-family:'Trebuchet MS', 'Verdana', 'Tahoma', 'Arial', sans-serif; font-size: 12px; color: #062971; } input { font-family: Arial; }
  • Are the older versions of Vanilla still available? I have modified some of the files and want to diff against the older version so that I know how to move my changes into 1.1.4 and safely upgrade. I'm looking for 1.1.2 but a link to all older versions would be great.
  • Thanks muchly.
  • Is it necessary to go from 1.1.2 --> 1.1.3 --> 1.1.4 ?
    Are there any database or other necessary changes in that process?

    If possible, I'd like to go straight to 1.1.4
  • edited October 2007
    No Database changes, you can update directly to 1.1.4.
  • Thank you.
  • Works great, thank you!
This discussion has been closed.