
Security Update: Vanilla 2.0.18.9

Todd Chief Product Officer Vanilla Staff

We've released an important security update that should be applied immediately by anyone running 2.0.18.*. The new version can be found here.

Here is a summary of what we've done:

  • 2013-11-26 Use SafeRedirect() instead of Redirect() in the discussion controller.
  • 2013-11-26 Added TrustedDomains() and SafeRedirect().
  • 2013-11-26 Don't allow user id override on post.
  • 2013-08-25 Fix Flagging security flaw
  • 2013-08-25 Filter discussion title on categories/all
  • 2013-06-20 Comment notifications should only be sent to people with the "NewComment" preference set.
  • 2013-06-13 Twitter: Change api version to 1.1.
  • 2013-05-08 Tagging: Fix xss bug in tagging.
  • 2013-05-02 Do not add linebreaks twice on search.

Comments

  • Thanks. Is it safe to just make the modifications shown in those commits that you have listed?

  • Todd Chief Product Officer Vanilla Staff

    @Shmizzle, it should be yes.

  • Cool, thanks.

  • phreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

    Thanx @Todd.

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • 50sQuiff ✭✭
    edited November 2013

    Can anyone explain the significance of "Use SafeRedirect() instead of Redirect() in the discussion controller."?

    Is this to fix some kind of request forgery vuln that isn't caught by a transient key check?

  • Todd Chief Product Officer Vanilla Staff

    @50sQuiff the transient key should offer the protection, but since it is in the url we want to add additional protection. In more current versions of Vanilla we've been making sure that most operations like this are in the POST rather than the GET.

    That being said, when we semantically want to offer an "in-site" redirect we want to start using SafeRedirect() because it's the right thing to do and lets us not worry about these kinds of attacks. We have a config setting to whitelist other domains which can be used for integrations to other trusted sites.
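
The in-site versus trusted-domain check Todd describes above, as an added example in PHP (not Vanilla's own code): a redirect target is accepted only if it is a site-relative path or an http(s) URL on the site host or a whitelisted domain, and everything else falls back to the site root. The function names, `$siteHost` and the `$trustedDomains` array are assumptions.

```php
<?php
// Added example, not Vanilla's own code: a redirect guard in the spirit of the
// SafeRedirect()/TrustedDomains() pair described above. $siteHost and
// $trustedDomains are hypothetical names for the site host and the whitelist.
// True when $target is a plain site-relative path, or an http(s) URL whose host
// is the site itself, a trusted domain, or a subdomain of a trusted domain.
function isSafeRedirectTarget(string $target, string $siteHost, array $trustedDomains): bool
{
    // Reject empty targets and anything containing control chars or whitespace.
    if ($target === '' || preg_match('/[\x00-\x20]/', $target)) {
        return false;
    }
    // Protocol-relative forms ("//host", "/\host") leave the site: reject them.
    if (preg_match('#^/[/\\\\]#', $target)) {
        return false;
    }
    if ($target[0] === '/') {
        return true; // site-relative path
    }
    $parts = parse_url($target);
    // Anything without an http(s) scheme and a host (javascript:, bare words) is unsafe.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach (array_merge([$siteHost], $trustedDomains) as $trusted) {
        $trusted = strtolower($trusted);
        // Exact match, or a subdomain of the trusted domain (suffix ".trusted").
        if ($host === $trusted || substr($host, -strlen(".$trusted")) === ".$trusted") {
            return true;
        }
    }
    return false;
}

// Redirect to $target when it is safe, otherwise to the site root.
function safeRedirect(string $target, string $siteHost, array $trustedDomains): void
{
    $location = isSafeRedirectTarget($target, $siteHost, $trustedDomains) ? $target : '/';
    header('Location: ' . $location, true, 302);
    exit;
}
// Constructed demo: in-site path, trusted subdomain, then three off-site forms.
$site = 'forum.example.com'; $trusted = ['example.com'];
foreach (['/discussion/123', 'https://www.example.com/x', '//other.example/x',
    'https://other.example/?forum.example.com', 'https://forum.example.com.other.example/'] as $t) {
    printf("%-45s %s\n", $t, isSafeRedirectTarget($t, $site, $trusted) ? 'allowed' : 'blocked');
}
```

The last two demo targets show why the check must be on the parsed host and its suffix, not on whether the site name appears anywhere in the URL.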

  • After updating Vanilla, will all the installed plugins work perfectly?

  • R_J Ex-Fanboy Munich Admin

    @shasha said:
    After updating Vanilla, will all the installed plugins work perfectly?

    I assume, nobody will dare to answer such a general question with a simple "yes" or "no". Best thing would be to start a new discussion where you list all the plugins you are using.

  • I get "FirstName required" and "Lastname required" when updating to 2.0.18.9 with no user input boxes available. How do I get around this so that I can complete the upgrade?

  • Todd Chief Product Officer Vanilla Staff

    @shasa, R_J is right that we can't say a simple yes or no, but there are no material changes in this release. There are just security fixes.

  • I'm using v2.1b2 on my site right now, but I'm having some problems with the embed comments function: it does not work on WordPress due to an error in a .js file, either from the WordPress plugin or one of the Vanilla js files, or both.
    Can I "downgrade" from that version to 2.0.18.9 to test if this version works OK? I would like to use the original files included in the 2.0.18.9 package, overwriting only the necessary files to maintain categories, posts, users and avatars. I think that all that information is included in the database, so I assume that I only need to upload the 2.0.18.9 files to another folder, install the forum software as if it was the first time, use a new database (created before the installation process, of course), and then import a backup of my actual database into the new one.
    When I upgraded from 2.0.18.8 to 2.1b2, I had to execute a process to upgrade the database. Do I need to do a similar process to "downgrade" the database to be compatible with 2.0.18.9?

    Thanks in advance.

  • hgtonight ∞ · New Moderator

    @Shinji3rd

    2.1b2 is not recommended for production use. It is pretty stable, but 2.0.18.9 is the stable self hosted version.

    I suggest you:

    1. Backup your database/files
    2. Export your data via the porter
    3. Completely wipe your vanilla install (delete everything)
    4. Install a fresh copy of Vanilla 2.0.18.9
    5. Import your exported data

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • @hgtonight said:
    Shinji3rd

    2.1b2 is not recommended for production use. It is pretty stable, but 2.0.18.9 is the stable self hosted version.

    I suggest you:

    1. Backup your database/files
    2. Export your data via the porter
    3. Completely wipe your vanilla install (delete everything)
    4. Install a fresh copy of Vanilla 2.0.18.9
    5. Import your exported data

    And only do that if you know what you're doing.


  • @hgtonight

    I've installed 2.0.18.9 according to your advice, and now everything works great. Thank you.

  • Cheetah Australia New

    Cool hearing about those new features and bug fixes.

  • @Shmizzle said:
    Thanks. Is it safe to just make the modifications shown in those commits that you have listed?

    @Todd said:
    Shmizzle, it should be yes.

    Here's a probably stupid question: what do you mean by "just make the modifications shown in those commits"? Is this just upgrading some PHP files? If so, where are they listed?

  • R_J Ex-Fanboy Munich Admin
    edited December 2013

    Here they are ;)

    @Todd said:

    • 2013-11-26 Use SafeRedirect() instead of Redirect() in the discussion controller.
    • 2013-11-26 Added TrustedDomains() and SafeRedirect().
    • 2013-11-26 Don't allow user id override on post.
    • 2013-08-25 Fix Flagging security flaw
    • 2013-08-25 Filter discussion title on categories/all
    • 2013-06-20 Comment notifications should only be sent to people with the "NewComment" preference set.
    • 2013-06-13 Twitter: Change api version to 1.1.
    • 2013-05-08 Tagging: Fix xss bug in tagging.
    • 2013-05-02 Do not add linebreaks twice on search.
  • So how do I upgrade?

  • peregrine MVP
    edited December 2013

    So how do I upgrade?

    Reading the documentation on upgrading on the Vanilla Documentation Page would certainly give you a boost in the process. When all else fails, reading documentation may be a fallback :).

    http://vanillaforums.org/docs/installation-upgrade

    Searching the forum for "upgrade" and "duplicate forums" and reading the wiki can also provide other insights.

    A backup might not be a bad idea either.

    http://vanillaforums.org/discussion/21192/which-files-should-i-back-up#latest

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Don't forget: http://vanillawiki.homebrewforums.net/index.php/Upgrading and http://vanillawiki.homebrewforums.net/index.php/Updates and http://vanillaforums.org/discussion/12740/vanilla-2-upgrading-tips but the most important thing is: from 2.0.18.8 to 2.0.18.9, all you have to do is replace the files. No database updates, etc. It all depends on the version you are coming from.

