
Dec 2013 Security Update: 2.0.18.10 and 2.1b2

LincLinc Detroit Admin
edited January 2014 in Releases

There is an in-the-wild exploit targeting the update checker in 2.0.18 and 2.1.

If you are running 2.0.18.x, please upgrade HERE.

If you are running a 2.1 beta, please manually update your install by deleting the lines in UtilityController and settings.js indicated here: https://github.com/vanillaforums/Garden/commit/91904fa108a8a5011f684a990fd117ea8ff3625c

That is also the only change made in 2.0.18.10 if you want to selectively apply it.

This release completely removes the update checker.

Comments

  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
    edited December 2013

    First, I was a bit irritated because the UtilityController doesn't hold the lines mentioned on GitHub under 2.0.18.9. I guess these were additions done in 2.1.

    Settings is clear.

    Just mentioning it, so others are not confused for a second the same way I was.

    Thanx Lincoln!

  • LincLinc Detroit Admin
    edited December 2013

    @phreak The only thing different between the 2 versions is the line numbers. The same methods were removed from both.

  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP
    edited December 2013

    Uh, yes thanx. I was a bit tired when this came in. ;)

  • peregrineperegrine MVP
    edited December 2013

    If you selectively download or make changes in Vanilla 2.0.18.x without downloading the entire core, you should update your index.php on your forum as well so your dashboard reflects the proper version.


  • Is this update required if someone downloads the beta today?

  • @openletter said:
    Is this update required if someone downloads the beta today?

    Depends on whether you get it from GitHub or the Addons site. With the Addons site, look at the date of the file version.


  • LincLinc Detroit Admin

    @openletter Yes. We haven't released a new beta for the security fix.

  • Is this update needed for 2.0.18.10 or is it that the fixed version?

  • @review That is the fixed version, as far as I know. Correct me if I'm wrong, please.

  • The code edit only applies to beta versions of 2.1. I'm not sure if it's required on alpha versions though.

  • @Lincoln Is this fixed in Vanilla 2.2.5?

  • LincLinc Detroit Admin

    Master branch always has any security fixes, yes.

  • This was an extremely dangerous issue which enabled arbitrary code execution by any registered user. I really, really hope that everyone has this update and I'm worried that not enough was done to promote it.

  • LincLinc Detroit Admin

    @DaGrFr said:
    This was an extremely dangerous issue which enabled arbitrary code execution by any registered user. I really, really hope that everyone has this update and I'm worried that not enough was done to promote it.

    It was released on RSS, we emailed everyone who is subscribed, and we had it pinned to the top of the site until it was replaced by 2.0.18.11. What do you suggest we do beyond that?
