Security Update: Vanilla 2.0.18.8

Todd Chief Product Officer Vanilla Staff
edited April 2013 in Blog

Even though Vanilla 2.1 is just around the corner we are still supporting 2.0.18.* installations. To this end we've released an important security update that should be applied immediately to anyone running 2.0.18.*. The new version can be found here.

If you don't want to overwrite every single file then the one file that needs to be changed is here (raw download here).

This is an important security update so please update your installation.

Changes

  • 2013-04-05 Check for FilterForm() before calling it.
  • 2013-04-04 Disable the ability to call functions in escaped sql strings.
  • 2013-03-22 Switch update checks to json to prevent object injection hacks.
  • 2013-03-02 Make sure the admin password is hashed when inserting the admin user on an already installed Vanilla.
  • 2012-12-12 Fix Facebook plugin for the 5 Dec 2012 Facebook update.
  • 2012-10-13 Add class attributes for all the menu item elements.
  • 2012-10-13 Ignore eclipse project files.
  • 2012-09-11 Add the cache-control logic from the 2.1 branch.
  • 2012-04-11 Add the proper username parameter to profile/edit.
  • 2012-04-11 Filter activity, discussion, and comment forms.
  • 2012-03-26 Added Gdn_Model->FilterForm() to help prevent users from posting unauthorized database values.
  • 2012-04-11 Fixed security hole where on profile/picture and profile/preferences. Allow moderators to change users' pictures from the profile page.
  • 2012-04-03 Added joomla password hashing.
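The 2013-03-22 entry above (update checks switched to JSON to prevent object injection) is the kind of fix that is easy to describe and easy to get half right. The following is an added example, not Vanilla's code: a strict parser for an update-check response that never lets the remote side choose what gets instantiated. The Name/Version schema, the MAX_BODY_BYTES and MAX_JSON_DEPTH limits, and the sample bodies are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Vanilla's code): strict parsing of an update-check body.
// The hazard with unserialize() on a body fetched from the network is that the
// payload decides which PHP classes are instantiated and their __wakeup()/
// __destruct() hooks run during deserialization. json_decode() with
// $assoc = true can only ever yield scalars and plain arrays, and the checks
// below refuse anything outside the expected shape before it reaches the app.

const MAX_BODY_BYTES = 64 * 1024;   // assumed limit: refuse oversized responses
const MAX_JSON_DEPTH = 3;           // list -> object -> scalar; deeper nesting is rejected

/**
 * Parse a JSON list of {"Name": ..., "Version": ...} entries (assumed schema).
 * Returns a list of ['Name' => string, 'Version' => string] or throws.
 */
function parseUpdateCheckResponse(string $body): array
{
    if (strlen($body) > MAX_BODY_BYTES) {
        throw new RuntimeException('update response too large');
    }
    // $assoc = true: never produce stdClass objects; the depth cap bounds recursion.
    $data = json_decode($body, true, MAX_JSON_DEPTH, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('update response is not a JSON array');
    }

    $allowed = ['Name', 'Version'];
    $out = [];
    foreach ($data as $i => $item) {
        if (!is_int($i) || !is_array($item)) {
            throw new RuntimeException("entry $i is not a JSON object inside a list");
        }
        // Reject unknown keys instead of silently carrying them into the application.
        $extra = array_diff(array_keys($item), $allowed);
        if ($extra !== []) {
            throw new RuntimeException("entry $i has unexpected keys: " . implode(', ', $extra));
        }
        foreach ($allowed as $key) {
            if (!isset($item[$key]) || !is_string($item[$key])) {
                throw new RuntimeException("entry $i is missing string field $key");
            }
        }
        // Whitelist the character set: addon names and versions are plain tokens.
        if (!preg_match('/^[A-Za-z0-9_.\- ]{1,64}$/', $item['Name'])
            || !preg_match('/^[0-9]+(\.[0-9]+){0,3}$/', $item['Version'])) {
            throw new RuntimeException("entry $i has a malformed Name or Version");
        }
        $out[] = ['Name' => $item['Name'], 'Version' => $item['Version']];
    }
    return $out;
}

// Constructed sample responses (not real server output).
$good = '[{"Name":"Vanilla","Version":"2.0.18.8"},{"Name":"BotStop","Version":"1.2"}]';
$bad  = '[{"Name":"Vanilla","Version":"2.0.18.8","Hook":"system"}]';

print_r(parseUpdateCheckResponse($good));
try {
    parseUpdateCheckResponse($bad);
} catch (RuntimeException | JsonException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the extra checks is that "use JSON" alone only removes the class-instantiation problem; size, depth, key and character whitelists are what keep a compromised or spoofed update server from feeding arbitrary structures into the rest of the code.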

Comments

  • @Todd are the links to the single file and raw downloads correct? The date of the revisions shows it to be two years old, or am I missing a concept.

    Monetary Donations will be appreciated if you use my plugins. Thanks in Advance.
    As a waiter gets a tip for a good meal, tips for successful solutions appreciated as well. Peregrine

  • x00 MVP
    edited April 2013
     $ diff -s class.sqldriver1.php class.sqldriver.php
     Files class.sqldriver1.php and class.sqldriver.php are identical
    

    If you take the bundled file

    311a312,318
    >          //$ValueStr = var_export($Value, TRUE);
    >          $ValueStr = 'ARRAY';
    >          Deprecated("Gdn_SQL->ConditionExpr(VALUE, {$ValueStr})", 'Gdn_SQL->ConditionExpr(VALUE, VALUE)');
    >          
    >          if ($EscapeValueSql)
    >             throw new Gdn_UserException('Invalid function call.');
    >          
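    Review bot: the first added line, "//$ValueStr = var_export($Value, TRUE);", is commented-out code kept beside its replacement "$ValueStr = 'ARRAY';"; drop the dead line rather than leaving both. Also, the Deprecated(...) call runs before the "if ($EscapeValueSql) throw new Gdn_UserException('Invalid function call.');" guard, so a call that is about to be rejected still emits a deprecation notice first; checking $EscapeValueSql before calling Deprecated() puts the rejection first and leaves the notice for the calls that are actually allowed through.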
    2050c2057
    < }
    \ No newline at end of file
    ---
    > }
    

    grep is your friend.

  • Todd Chief Product Officer Vanilla Staff

    Thanks guys. I forgot to push.

  • peregrine MVP
    edited April 2013

    If you don't want to overwrite every single file then the one file that needs to be changed is here (raw download here).

    FYI @Todd - these links appear to be broken

    it looks like what x00 posted is indeed the change needed for just a single file.

    http://vanillaforums.org/discussion/comment/179705/#Comment_179705

    Monetary Donations will be appreciated if you use my plugins. Thanks in Advance.
    As a waiter gets a tip for a good meal, tips for successful solutions appreciated as well. Peregrine

  • One can also just download the 2.0.18.8 package and only take that file to switch it out, right?

  • phreak VanillaSkins.com - #1 Themeshop for Vanilla ✭✭✭
    edited April 2013

    I would really love the option to update just the files that have changed between versions. Does anyone know a simple trick, or can you Vanillas provide a repo with just those changed?

    Why? I guess a lot of people who had to code into the core to make language modifications that were not covered by the locale (quite a lot since 2.0.X) could upgrade way easier that way.

    I now use a comparison tool, but that is also not the easiest way to make out those files.

    http://www.VanillaSkins.com - Great Themes For Just $15! :: Also check: Businessdads Plugins

  • @phreak just replace class.sqldriver.php: download the whole package, then FTP the file to overwrite the one in

    forum/library/database

    Nothing broke when I did that, so it should be fine; I did it on several other installations.

  • 50sQuiff ✭✭
    edited April 2013

    Thanks for the ongoing support and vigilance about security.

  • Where is a changelog for 2.0.18.7?

  • You can download the package here: http://vanillaforums.org/addon/vanilla-core

    If you don't want to overwrite everything then only replace that file.

  • Hi, I am running 2.0.18.4. What are the upgrade procedures from 2.0.18.4 to 2.0.18.8 (apart from backing up :) )? I ask because here, http://vanillaforums.org/addon/vanilla-core , I can see that 2.0.18.7 has also been released . Should I install 2.0.18.7 first and then 2.0.18.8? Or will the 2.0.18.8 package take care of everything?

  • 50sQuiff ✭✭
    edited April 2013

    You could look here to see which files have been changed and copy the new versions manually: https://github.com/vanillaforums/Garden/commits/2.0

    @phreak I think this is what you were looking for as well.

  • UnderDog Moderator

    @unixhero said: Hi, I am running 2.0.18.4. What are the upgrade procedures from 2.0.18.4 to 2.0.18.8 (apart from backing up :) )? I ask because here, http://vanillaforums.org/addon/vanilla-core , I can see that 2.0.18.7 has also been released . Should I install 2.0.18.7 first and then 2.0.18.8? Or will the 2.0.18.8 package take care of everything?

    Back up everything. Overwrite your 2.0.18.4 files with the ones from 2.0.18.8. You don't need to install 2.0.18.7.

  • Todd Chief Product Officer Vanilla Staff

    @phreak said: I would really love the option to update just the files that have changed between versions. anyone knows a simple trick or can you Vanillas provide a repo with just those changed?

    Git is exactly for this kind of thing. You fork our repo and make your changes and then merge when we do a release.

  • So no one has a changelog for 2.0.18.7? I could go through the GitHub commit log but something more readable would be nice...

    By the way, the ".gitignore" file is being included in the releases

  • Todd Chief Product Officer Vanilla Staff

    @Subjunk, I added the log to the original post.

    Wrt the .gitignore, I'm just doing the release via git archive which is a bit nicer imo. The .gitignore is just a small side-effect of that.

  • Thanks for the quick response. For my own education can you point out which change addresses this problem?

  • Todd Chief Product Officer Vanilla Staff
    edited April 2013

    The specific commit that addressed the issue is here. Please note though that there is at least one other important security update in the release.

  • Apreche
    edited May 2013

    I think there is still a major security flaw in 2.0.18.8.

    I always have kept my forum in approval mode. I manually approve every new member. Like many, I had problems with bots spamming the application form, but none of them got through to become members.

    About a month ago, the application spam was significantly reduced. I figured the bots gave up. Apparently they didn't. They just found a way to bypass the application and become members. I went through and deleted all the bad users. There were only 100 or so, so I used SQL to delete them and their content.

    My forum is fully upgraded, so there is definitely still something fishy going on. Also, it would be nice if there was a user interface that allowed deleting users in bulk, so it's easier to recover from those cases where spam does get through. Trying to do it by hand one at a time in the Dashboard was awful having to go through those extra confirmation pages.

    I have entirely disabled new applicants to my forum until this issue is resolved.

  • whu606 I'm not a SuperHero; I just like wearing tights... Moderator

    @Apreche

    Using the BotStop plugin with approval registration stops bots in their tracks.

    This plugin: http://vanillaforums.org/addon/cleanser-plugin may meet your bulk delete needs.

    I have entirely disabled new applicants to my forum until this issue is resolved.

    It may well be a setting on your forum, rather than a vulnerability, so you could have a long wait.

    Searching this forum might help you with your settings.

  • @whu606 Ok, Cleanser seems good, and I know about Botstop. But I don't think you really understand what was happening here. I had approval registration setup. It has been working fine for years. There is definitely no issue with any settings. It wasn't a problem with bots applying. It was a problem with bots getting approved even though I didn't approve them! If that's not a vulnerability of some kind, I don't know what is.

  • whu606 I'm not a SuperHero; I just like wearing tights... Moderator

    @Apreche

    Were they actually members, or just in your gdn_user table?

    Applicants will still be entered into your table until you approve them, so the question is, did they actually get approved as members, or simply bypass your approval setting?

    Did they actually post, and if so, where?

  • They actually became full fledged members. Most of them didn't post at all. A few posted comments on their own profiles, which is why we didn't notice them at first. One of them made a new discussion, which is how we noticed the problem.

  • Lincoln Community Instigator Vanilla Staff

    @Apreche Check /role/defaultroles on your site and make sure they are still set correctly.

    Sr Developer at Vanilla Forums [GitHub, Twitter]

  • It says that new/approved users should be "Members" and guests should be "Unauthenticated". It's also configured that applicants who are not yet approved should be "Applicants". It's been that way for years.

    Sorry for slow reply, I was out of town.

  • peregrine MVP
    edited May 2013

    @Apreche said: It says that new/approved users should be "Members" and guests should be "Unauthenticated". It's also configured that applicants who are not yet approved should be "Applicants". It's been that way for years.

    Sorry for slow reply, I was out of town.

    So, if a person applies to your forum do they become Applicant or Member?
    What happens when you test applying for membership using the normal process?
    If they become applicant, what permissions do you have set for applicants?
    

    Monetary Donations will be appreciated if you use my plugins. Thanks in Advance.
    As a waiter gets a tip for a good meal, tips for successful solutions appreciated as well. Peregrine

  • Apreche
    edited May 2013

    I don't know how many times I have to post the same thing before you believe me.

    If you apply to the forum you are an applicant. I tested this. If I apply to the forum for a new account, that account remains an applicant. Even after it confirms its email address, it still has the applicant role until it is manually approved.

    Applicants do not have permission to post or do anything but read. They're basically no different than anonymous users.

    Somehow, there were many new accounts that were set to the "Member" role, but were never approved. Some of them posted comments on their own profiles. One of them created a new discussion. These accounts were not manually approved. They never even appeared in the application queue.

    Now that registration is completely disabled, this is no longer happening, but I would like to allow registrations again.

  • peregrine MVP
    edited May 2013

    @Apreche

    I don't know how many times I have to post the same thing before you believe me.

    We believe it is happening; we are just trying to get clarifications.
    Perhaps one of the other admins or moderators changed it.

    Theoretically, no one can change a role without user edit privileges.

    Maybe you could start a new thread and post snapshots of the role permissions from the dashboard, since your question has nothing to do with the topic of the thread.

    It might give some insights.

    Monetary Donations will be appreciated if you use my plugins. Thanks in Advance.
    As a waiter gets a tip for a good meal, tips for successful solutions appreciated as well. Peregrine

  • There are no other admins or moderators. There is no problem with the configuration. It is exactly as I have told you. It has been that way, and working properly, for years. Nobody has ever touched it. Only in the past month or two something changed, and due to some exploit bots are bypassing the approval process.
