HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options
Vanilla 2.8.4 is now available for download - Important security patches
charrondev
Developer Lead (PHP, JS)Montreal Vanilla Staff
Get it right here: https://open.vanillaforums.com/addon/vanilla-core-2.8.4
This release contains CRITICAL security patches.
- Patched SSRF in HTTP client.
- Updated release file system permissions to be less permissive.
It has been brought to our attention that our file system permissions were far to open in our open source releases. These concerns were initially dismissed because in our version control repository and on all of our infrastructure the permissions were correct.
Thanks to the insistence of @R_J I discovered a bug in our OSS release build tool that reset all of the file permissions to 777 (very dangerous).
Starting in this release file system permissions are essentially 755 for directories and 644 for files.
Please upgrade to the latest version of Vanilla as soon as possible. No other changes from 2.8.3 are in this version.
13
Comments
Update done. Everything's ok! Good job! Thanks!
May I suggest 775 for folders in the future? On a default setup, this is still quite safe as the HTTP client is in its own group. On more creative setups (cough like mine cough), it provides great flexibility in permissions management without needing to modify it every update.
I use 775 for /cache, /conf and /uploads and 755 for the rest.