Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Try Vanilla Forums Cloud product
After February 6, this site will no longer have Facebook, Twitter, or OpenID sign-in options. Read our announcement about social media SSO support in 2.8 for more info.

Make sure you have a current, valid email address set in your profile and set a password so you can login without it. If you get locked out after that time, you can choose "Forgot Password" to fix it as long as a valid email is on your account.

Vanilla 2.1.7 released

LincLinc Director of DevelopmentDetroit Vanilla Staff

This is a critical security upgrade for all forums.

Download it now:

9 files changed. View the diff.


  • Fix for CSRF potential in posting & editing discussions.
  • Fix for allowing unauthorized Format changes to discussions (possible XSS vector when combined with the above CSRF).
  • Harden Gdn_Database against MySQL injection attacks by closing possible multiple-query-per-statement vector.

Hat tip to ZeniMax Online Studios' security team for disclosing the SQL injection vector.

Another hat tip to Dingjie Yang of Qualys, Inc for disclosing the CSRF & XSS vectors.

Both these contributors have responsibly disclosed previous security flaws as well, and we deeply appreciate their assistance.

Additional Patches:

  • Fix for "u.Photo isn't in GROUP BY" Fatal Error (thx @Shadowdare‌)
  • Fix for detecting locales in enabled application (thx @hgtonight‌)
  • Fix for IS NULL WHERE clauses (thx @imnotjames‌)
  • Added a new "Class Gdn not found" exception if ini files are out of date to avoid obscure errors (me)

Thanks all!

In other news, we made significant headway in our pull request backlog over the holidays and are moving to get the 2014 ones cleared as quickly as possible. We appreciate the contributions & activity (both on PRs and elsewhere) greatly.



Sign In or Register to comment.