
Vanilla 2.1.3 - security release


Comments

  • peregrine MVP
    edited September 2014

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • freelancingcare Dhaka, Bangladesh

    Really great work... In that version the JavaScript enable error bug is fixed, and I did not find any bug yet.

  • peregrine MVP
    edited September 2014

    Is it worth posting issues without pull requests? Sometimes they are then fixed and changed in master with no back reference to the issue (just left open - no comment, reference or mention in the issue of the commit, fix or change). Just wondering.

    Perhaps a response to the issue or an acknowledgement (within 60 days or less, if that could work) would get more people posting issues on GitHub, if they found issues.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Linc Detroit Admin

    @peregrine It is. Still working on improving the feedback loop, sorry about that. It's just us losing track.

  • Linc Detroit Admin

    I've now git tagged the last few releases I missed. All caught up now.

  • I can't solve the comment auto refresh issue in Vanilla 2.1.3. Please tell me how I can fix it, step by step.

  • Linc Detroit Admin

    @inno4du said:
    I can't solve the comment auto refresh issue in Vanilla 2.1.3. Please tell me how I can fix it, step by step.

    Please start a new discussion for troubleshooting help.

  • Hello. A novice question. I want to upgrade from 2.1 to 2.1.3 and have downloaded the zip package. In the readme the upgrade instructions say to backup the db and config files and overwrite everything... wouldn't that remove the themes I've installed? And there are other mods that have been made elsewhere. Is it possible to just upgrade the 'core' folder or some other subset of files in order to upgrade?

  • Linc Detroit Admin
    edited September 2014

    @danielmee A full overwrite should not affect your themes or plugins. Do make sure your FTP client isn't set to overwrite directories (I've rarely ever seen one set to do that, fwiw); I also recommend keeping a copy of your theme backed up as well.

    If you've modified core files, you're in for a painful upgrade. We strongly recommend against modifying the files bundled with Vanilla. You can do nearly anything you need to with a theme and plugins.

    You can attempt to do a diff of 2.1 against 2.1.3 and selectively upgrade files, but I don't recommend that approach as it is easily bungled.
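A check worth running before the full overwrite described above, added here as an example and not part of the original thread or of Vanilla's own tooling: it compares a pristine unpack of the release you are currently running against the live tree and reports core files that were changed locally (the "modified core files" case that makes an upgrade painful), and it wraps the two backups the README asks for. The directory layout, the conf/config.php path and the use of mysqldump are assumptions about a typical install; the sample trees in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Vanilla's own tooling: before overwriting an install with a new
# release package, list core files that were changed locally, so you know what the
# "overwrite everything" step will clobber. Assumes the layout Vanilla ships
# (conf/, plugins/, themes/, uploads/ hold site-specific content) and that
# PRISTINE_DIR is the unpacked release zip of the version currently installed.

# modified_core_files PRISTINE_DIR LIVE_DIR
# Prints "modified <path>" for core files that differ from the pristine release and
# "missing <path>" for core files the live install lacks. Site-specific directories
# are skipped; those are the ones a full overwrite leaves alone.
modified_core_files() {
    pristine="$1"
    live="$2"
    (cd "$pristine" && find . -type f \
        ! -path './conf/*' ! -path './plugins/*' \
        ! -path './themes/*' ! -path './uploads/*' | sort) |
    while IFS= read -r rel; do
        if [ ! -f "$live/$rel" ]; then
            printf 'missing %s\n' "${rel#./}"
        elif ! cmp -s "$pristine/$rel" "$live/$rel"; then
            printf 'modified %s\n' "${rel#./}"
        fi
    done
}

# backup_before_upgrade LIVE_DIR DB_NAME DEST_DIR
# The two things the README says to back up: the config file (conf/config.php is
# Vanilla's config path) and the database (assumes mysqldump can authenticate,
# e.g. via ~/.my.cnf).
backup_before_upgrade() {
    live="$1"
    dbname="$2"
    dest="$3"
    mkdir -p "$dest"
    cp "$live/conf/config.php" "$dest/config.php.bak"
    mysqldump --single-transaction "$dbname" > "$dest/$dbname.sql"
}

# Constructed demonstration (no real install needed): a tiny "pristine" tree and a
# "live" tree where one core file carries a local edit, a conf/ file was changed
# (ignored) and a custom theme was added (ignored). Returns the report as its output.
demo_modified_core_files() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pristine/library/core" "$tmp/pristine/conf" \
             "$tmp/live/library/core" "$tmp/live/conf" "$tmp/live/themes/custom"
    echo 'class Gdn_Core {}' > "$tmp/pristine/library/core/class.core.php"
    echo 'class Gdn_Core {}' > "$tmp/live/library/core/class.core.php"
    echo 'function Foo() {}' > "$tmp/pristine/library/core/functions.php"
    echo 'function Foo() { /* local hack */ }' > "$tmp/live/library/core/functions.php"
    echo 'defaults' > "$tmp/pristine/conf/config-defaults.php"
    echo 'edited defaults' > "$tmp/live/conf/config-defaults.php"
    echo 'theme' > "$tmp/live/themes/custom/about.php"
    modified_core_files "$tmp/pristine" "$tmp/live"
    rm -rf "$tmp"
}

demo_modified_core_files
```

Run modified_core_files against a clean unpack of the version you are on now, not the new release; otherwise every file the new version touched shows up as modified. An empty report means the overwrite will only replace files you never changed, which is the situation Linc's advice assumes.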

  • peregrine MVP
    edited September 2014

    Edited out. Dueling posts.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • chanh OngETC.com - CMS Researcher ✭✭

    I upgraded to 2.1.3 by just copying the entire package, without any problem. Just make sure to make a backup in case something bad happens, so you can investigate and restore.

  • Not sure where to put this. Just upgraded to this version about a week ago. Seem to have found a 'bug'. We have a few spammers every day, who are BANNED and their accounts are eventually deleted - usually every 30 days or so.

    Well, it was time - So I did a search within 'Users' (in Dashboard) for "BANNED", and instead of seeing 30-40 BANNED accounts, there were almost 2,000! Very surprising since 'USERS' only reported around 950 accounts.

    A further look showed that most of the 2,000 were '[Deleted User]', with a 'user_#######@deleted.email' email address.

    And, as accounts are being deleted, those '[Deleted User]' accounts are apparently being created. They are hidden, and do not show as an account or in the number of total accounts (?).

    AND - they cannot be deleted/removed (at least not easily).

  • hgtonight ∞ · New Moderator
    edited October 2014

    @46HudsonPU

    User records are soft deleted in Vanilla. Check out https://github.com/vanilla/vanilla/blob/2.1/applications/dashboard/models/class.usermodel.php#L2471-L2526 for a full idea of what is done when you click delete.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • Linc Detroit Admin

    @46HudsonPU said:
    Not sure where to put this.

    A new discussion would be a better choice.

  • peregrine MVP
    edited October 2014

    @46HudsonPU said:
    Not sure where to put this. Just upgraded to this version about a week ago. Seem to have found a 'bug'. We have a few spammers every day, who are BANNED and their accounts are eventually deleted - usually every 30 days or so.

    Well, it was time - So I did a search within 'Users' (in Dashboard) for "BANNED", and instead of seeing 30-40 BANNED accounts, there were almost 2,000! Very surprising since 'USERS' only reported around 950 accounts.

    A further look showed that most of the 2,000 were '[Deleted User]', with a 'user_#######@deleted.email' email address.

    And, as accounts are being deleted, those '[Deleted User]' accounts are apparently being created. They are hidden, and do not show as an account or in the number of total accounts (?).

    AND - they cannot be deleted/removed (at least not easily).

    It was mentioned and decided against in something similar:

    https://github.com/vanilla/vanilla/issues/1639

    If all content from a user was deleted, see:

    http://vanillaforums.org/discussion/comment/188836/#Comment_188836

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • @Linc said:
    Where's 2.0.18.14?

    Only 1 of these 3 XSS exploits found in 2.1 is possible in 2.0.18.13, and it's quite a trick to pull off, and it will only work if your target is running IE8 or below. :neutral_face: I'll patch it soon, but it won't be this week; I've run out of time.

  • peregrine MVP
    edited October 2014

    @armash said:

    @Linc said: Where's 2.0.18.14?

    Only 1 of these 3 XSS exploits found in 2.1 is possible in 2.0.18.13, and it's quite a trick to pull off, and it will only work if your target is running IE8 or below. :neutral_face: I'll patch it soon, but it won't be this week; I've run out of time.

    Perhaps true. In two months though, any new security flaws will NOT be backported to 2.0.18.x, so why not just bite the bullet and upgrade to 2.1.3?

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
