
Vanilla 2.1.3 - security release

Linc Detroit Admin
edited September 2014 in Releases

Announcing the availability of 2.1.3, a security & bug fix release for the 2.1 branch.

This is an important security release for all users of 2.1.

DOWNLOAD HERE

  • 3 newly discovered XSS vectors were fixed.
  • The timezone bug introduced in 2.1.1 is fixed.
  • Fixes invalid DeliveryType in plugins management.

The diff is here. 6 files changed in total.

Thanks to Dingjie Yang of Qualys, Inc for 2 of the XSS reports, and Jason Barnabe for the third. We greatly appreciate responsible security reports, which can be directed to support [at] vanillaforums.com.

Hat tip to @bleistivt for making sure the timezone bug was properly filed on GitHub so it wasn't missed for this release.


Comments

  • Linc Detroit Admin
    edited September 2014

    Where's 2.0.18.14?

    Only 1 of these 3 XSS exploits found in 2.1 are possible in 2.0.18.13, and it's quite a trick to pull off, and it will only work if your target is running IE8 or below. :neutral_face: I'll patch it soon, but it won't be this week; I've run out of time.

  • Will this update on its own in my Joomla in the back of my GoDaddy? Sorry, I'm a noob.

  • Linc Detroit Admin

    @dportis said:
    Will this update on its own in my Joomla in the back of my go daddy.

    I'm sorry, I don't understand the question.

  • @Linc I installed my theme and did everything from the backend of GoDaddy and Joomla. It says update from the back of GoDaddy; just not sure how to do so.

  • Linc Detroit Admin

    @dportis I'm not familiar with GoDaddy's system. I suspect you may need to wait for them to update to the latest version. You should contact them directly with any questions.

  • @Linc Awesome thank you =)

  • Don't use installers that come in some hosts' panels. Install Vanilla yourself using the installation instructions.

    grep is your friend.

  • Okay thank you. @x00 can you help me with my Facebook and Twitter log in?

  • This release seems to have introduced a bug in global.js

    In Safari I'm getting TypeError: 'undefined' is not a function (evaluating 'gdn.url('/utility/sethouroffset.json')') in global.js:313

  • @peregrine thanks for taking the time to look into this... I'm currently not using Vanilla in production, so I'll just revert to 2.1.1 until someone comes out with a proper fix.

  • The above zip can be extracted and copied over the global.js in

    /js/global.js

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • I was not able to manage category in back-end. Impossible to select & drag categories orders.

    However, I solved it by editing '/js/global.js'.
    As peregrine mentioned above, I moved that code from line 309 to 1177.
    Now my category managing feature works well.
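The Safari error quoted above (`gdn.url` reported as undefined at the point where global.js calls it) is consistent with the call being evaluated before the helper is assigned, which is why moving the call further down the file works. The following is an added example, not code from Vanilla's global.js or from anyone in this thread: it reproduces that ordering problem with a stand-in `gdn` object and shows a guarded version that defers the call until the helper exists. The `gdn` stand-in, `fakePost()` and the helper names are assumptions.

```javascript
// Added example, not Vanilla code: calling gdn.url() before it has been
// assigned throws "undefined is not a function"; the guarded variant defers
// the call instead. The gdn objects, fakePost() and helper names are assumed.

// Stand-in for the network call so the example runs offline.
var sentRequests = [];
function fakePost(url) {
  sentRequests.push(url);
  return url;
}

// Mirrors the original ordering: assumes g.url is already a function.
function sendHourOffset(g) {
  return fakePost(g.url('/utility/sethouroffset.json'));
}

// Guarded version: call now if the helper exists, otherwise queue the call
// so it can run after the rest of the script has been evaluated.
function sendHourOffsetSafely(g, deferred) {
  if (typeof g.url === 'function') {
    return fakePost(g.url('/utility/sethouroffset.json'));
  }
  deferred.push(function () { return sendHourOffsetSafely(g, deferred); });
  return null;
}

// Attaches the URL helper, as a later part of the script would. Assignment to
// a property is not hoisted, so code above this point sees g.url undefined.
function attachUrlHelper(g) {
  g.url = function (path) {
    return (g.definition.WebRoot || '') + path;
  };
  return g;
}

// Runs whatever was queued while g.url was still missing.
function flushDeferred(deferred) {
  var results = [];
  while (deferred.length) {
    results.push(deferred.shift()());
  }
  return results;
}

// Returns the error name if the early call throws, otherwise the URL.
function tryEarlyCall() {
  var early = { definition: { WebRoot: '/forum' } }; // constructed gdn stand-in
  try {
    return sendHourOffset(early);
  } catch (e) {
    return e.name;
  }
}

// Guarded path: the call is deferred, the helper is attached, the queue is flushed.
function tryGuardedCall() {
  var g = { definition: { WebRoot: '/forum' } }; // constructed gdn stand-in
  var deferred = [];
  var first = sendHourOffsetSafely(g, deferred); // null: nothing to call yet
  attachUrlHelper(g);
  var flushed = flushDeferred(deferred);
  return { first: first, flushed: flushed };
}

console.log(tryEarlyCall());   // TypeError
console.log(tryGuardedCall()); // { first: null, flushed: [ '/forum/utility/sethouroffset.json' ] }
```

The `typeof g.url === 'function'` check is the same idea as moving the call below the helper's definition, but it keeps working if the file is reordered again; on a real page the deferred queue would be drained from a DOM-ready handler rather than by calling `flushDeferred` directly.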

  • K17 Français / French, Paris, France ✭✭✭
    edited September 2014

    The MeBox does not work correctly after update.
    EDIT:
    Dashboard, MeModule, Inbox and more do not work correctly after update.
    I reuse Vanilla 2.1.1.

  • UnderDog MVP
    edited September 2014

    Can someone download 2.1.1 and 2.1.2 and do a comparison? We can't have people ignoring XSS bugs because JavaScript doesn't work; that's not smart.

    Since @peregrine is obsessed with global.js, I'm asking you, can you do it please? I always used WinMerge to compare those versions, long time ago.


  • Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global JS bug fixed and upload it here.
    I think it really hurts the software if the newest version people should download is in a somewhat broken state.

  • peregrine MVP
    edited September 2014

    @Bleistivt said:
    Maybe someone, preferably a moderator, could make a new zip of Vanilla 2.1.2 with the global JS bug fixed and upload it here.
    I think it really hurts the software if the newest version people should download is in a somewhat broken state.

    True, but...
    then 2.1.2 would be two versions, and that would lead to more complications.

    2.1.2a or 2.1.3 would be better but index.php should reflect that.

    Someone should call Lincoln or Todd on the phone to alert them. They must have their e-mail turned off :) I sent the Admins in North America (Adrian, Todd and Linc) a PM last night, but expecting them to work on weekends is probably unreasonable.


  • Bleistivt Moderator
    edited September 2014

    Yes, a new version number would be better.

    Something should be done, because the situation right now encourages people not to update and people will be sceptical about updates in the future.

    Even worse, people have broken forums and they don't even notice it (but their users do).

  • peregrine MVP
    edited September 2014

    True. Affected users on a particular forum may not be able to post or use the buttonbar either to alert the forum owner.

    I suspect it will be sorted out soon. Sent Kasper and Tim a message too :)

