XenForo 2.0.3 Released - Includes Security Fix

Status: Not open for further replies.

NullXF (Team NullXF, XF Root) #1
XenForo 2.0.3 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.0 upgrade to this release to benefit from increased stability.


Most importantly, this release includes a fix for a security issue that was reported to us by Julien from RCE Security. The issue was not found within XF code itself, but instead in a file which we previously included with XF 1.5.x within the Video JS library. The issue is known as an "authentication phishing" exploit which involves posting a specially crafted URL pointed at the Video JS SWF file. This specially crafted URL, when clicked on or embedded in a page, can include another URL which returns a 401 response and displays an authentication prompt. This authentication prompt may trick less experienced users into thinking that it is your site which is asking for authentication, when in fact the authentication details entered may be submitted to the attacker instead.

This issue only potentially affects XenForo 2.0 users if you previously upgraded from XenForo 1.5. The reason for this is that the affected file will be left on your file system after upgrading unless you have taken steps to manually or automatically clean up the old files. To solve this problem in both XF 1.5 and XF 2.0 we are including a zero-byte file which will overwrite the problematic file.

We recommend that all customers upgrade to the latest version of XF 1.5 or XF 2.0, but if you are unable to do this then you can simply delete the file which resides in the following location: js/videojs/video-js.swf.

As a side note, there is potentially another exploit in some current browser versions which is similar. This involves a URL which points to a resource, such as an image, which returns a 401 response. This is an exploit which is being patched by most browser vendors. It is currently fixed in the latest stable Chrome release, and upcoming versions of Safari and Firefox. If you are concerned by such an exploit, please ensure you inform your users that a) they should be using the latest available version of their preferred browser and b) that login details should only be provided via your site's default login form.

XenForo Importers add-on

We have made an important change to how we will release XenForo importers going forward in this release. Rather than shipping the files with XenForo itself, the importers will be installed as a separate add-on which is downloadable from your Customer area. One reason for this change is so that we can provide more frequent updates to importer code as necessary, without having to wait for the usual XF release cycle.

At present, available importers are limited to vBulletin (versions 3.x, 4.x, 5.x and Blog add-ons) but we are actively working towards the release of more importers in the near future.

XenForo 2.1

We are making good progress toward XenForo 2.1 and although we don't have anything to show you, just yet, we do have plans to increase the minimum requirements in XenForo 2.1 so we can bring you some pretty cool changes ;) You may remember that in XenForo 2.0.2 we started collecting some server stats and this has actually been immensely useful so thank you to everyone who agreed to submit that information. We wanted to share some statistics based on PHP version usage:
  • PHP 5.4: 6%
  • PHP 5.5: 4%
  • PHP 5.6: 34%
  • PHP 7.0: 23%
  • PHP 7.1: 23%
  • PHP 7.2: 10%
Possibly not much of a surprise here, but this tells us that 90% of our customers currently running XF 2.0.2 are using a version of PHP which is version 5.6 and above. It is therefore the case that XenForo 2.1 will require a minimum of PHP 5.6. If you're in the 10% who are currently using PHP 5.4 or PHP 5.5 then we strongly recommend that you upgrade as soon as possible. We do, of course, recommend that you use PHP 7.2+ where practicable. If you are planning to move to XenForo 2.1 from XenForo 1.5 eventually then please include the PHP version requirement in your upgrade plans.

If you are running a version below PHP 5.6, you will receive a warning when installing or upgrading XenForo.

We have some pretty big plans for XenForo 2.1 and we are working hard towards it so expect some exciting updates on that in the coming months.

Some of the other changes in 2.0.3 include:
  • Ensure that development output is always removed as appropriate when an entity is deleted.
  • In the vBulletin importer, handle blog tables not existing.
  • Do not attempt to notify users of conversation messages if they do not have an email address.
  • Add missing phrase when a log entry cannot be found.
  • When reverting a phrase in the translation system, and it has no parent, hide it to avoid template errors.
  • Improve error output for development JS.
  • Ensure a user "location" link always opens in a new window.
  • Catch a "duplicate key" race condition when watching a thread.
  • Display question in poll widget by default if no other title is entered.
  • Re-count number of unread conversations when opening the conversations pop up.
  • Deprecate the use of jQuery.proxy in favour of XF.proxy.
  • Update LightGallery to latest version.
  • Ensure the add-on cache is updated on XF upgrade to ensure it reflects the correct XF version.
  • Ensure a consistent position for the "Edit avatar" link overlay.
  • When filtering the user list, pass the specified order and direction in.
  • Adjust sub node list to inline-block to resolve some spacing issues on some browsers.
  • Improve validation of incoming PayPal IPN calls.
  • Adjust moderator logging when copying/moving posts.
  • Process additional attributes on xf:datarow tags.
  • Ensure permissions and privacy are respected on the server side when posting profile posts.
  • Only attempt to render alerts if the alert handler is available.
  • Re-implement the ability to "Show older items" when viewing a date limited thread list.
  • Update the styles last modified date on language changes to ensure certain values which affect CSS take effect.
  • In some cases, a Solve Media CAPTCHA challenge would erroneously pass if the HTML was tampered with (such as via a spam bot).
  • Re-implement quick "Ban / Discourage IP" links on the list of a user's IP addresses in the Admin CP.
  • Add a message to the notice list in the Admin CP if we detect some notices may contain invalid criteria, such as templates which do not exist, or PHP classes/methods that cannot be found.
  • Ensure advanced colour functions in property values are supported when styling Stripe's secure forms and a site's "theme color".
  • Add new bb_code_processor_action_map and bb_code_renderer_map code events.
  • Ensure conversation message links redirect to the correct page in a conversation.
  • Ensure a user is redirected to the forum list properly if they click login/register and they are already logged in.
  • Improve compatibility with other JavaScript libraries in the two_step_totp template.
  • Re-implement escapeClose option on overlay handlers.
  • When CodeMirror is initialised, ensure it is loaded with any specified mode automatically.
  • If a payment profile does not have a display title, display the payment profile title instead of the payment provider title.
  • In the vBulletin importer, convert [THREAD] and [POST] BB codes to BB codes.
  • In the vBulletin impo...

...customer area (https://xenforo.com/customers).

    Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.

    Current Requirements

    Please note that XenForo 2.0 has higher system requirements than XenForo 1.x. We will be updating the requirements test script in the near future to reflect this. The following are minimum requirements:
    • PHP 5.4 or newer (PHP 7.2 recommended)
    • MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
    • All of the official add-ons require XenForo 2.0.
    • Enhanced Search requires at least Elasticsearch 2.0.
    Installation and Upgrade Instructions for XenForo 2.0

    Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.

    Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.

    Installation, Upgrading and Configuration of Add-ons

    XenForo 2 add-ons have a standard structure so installation and upgrade processes will generally be the same for all add-ons. General add-on installation and upgrade instructions can be found in the XenForo 2 Manual.

    Within the manual, there are specific pages discussing how each add-on can be used and configured.
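
As an added example (not XenForo's own code or tooling): a POSIX shell script that applies the cleanup step from the security section above to an installation that was upgraded from 1.5. It checks whether js/videojs/video-js.swf is still on disk with content, and neutralises it the same way the 2.0.3 and 1.5.x packages do, by leaving a zero-byte file at that path. The install-root argument, the function names and the constructed demo tree are assumptions for the example; the optional curl check assumes the site serves that web root at the base URL you pass.

```shell
#!/bin/sh
# Added example, not part of XenForo. Checks for and neutralises the leftover
# Video JS SWF described in the 2.0.3 release notes.
# Assumes the first argument is the XenForo web root (the directory holding index.php).

SWF_REL="js/videojs/video-js.swf"

# xf_swf_status ROOT
# Prints one of: absent | neutralised | present. Returns 1 only for "present"
# (file exists and is non-empty), so it can drive a script or a monitoring check.
xf_swf_status() {
    root="$1"
    f="$root/$SWF_REL"
    if [ ! -e "$f" ]; then
        echo absent
        return 0
    fi
    # -s is true when the file exists and is larger than zero bytes
    if [ -s "$f" ]; then
        echo present
        return 1
    fi
    echo neutralised
    return 0
}

# xf_swf_neutralise ROOT
# Truncate the SWF to zero bytes, matching what the 2.0.3 / 1.5.x packages ship.
# Deleting it outright, as the release notes suggest, works just as well.
xf_swf_neutralise() {
    root="$1"
    f="$root/$SWF_REL"
    [ -e "$f" ] || return 0
    : > "$f"
}

# xf_swf_http_check BASE_URL
# Optional remote check (needs curl and network; not used by the offline demo).
# A cleaned site should answer 404 or serve zero bytes; a 200 with content means
# the SWF is still reachable. Prints "ok" or "exposed"; returns 1 for "exposed".
xf_swf_http_check() {
    base="${1%/}"
    result=$(curl -s -o /dev/null -w '%{http_code} %{size_download}' "$base/$SWF_REL")
    code=${result%% *}
    size=${result##* }
    if [ "$code" = "200" ] && [ "$size" != "0" ]; then
        echo exposed
        return 1
    fi
    echo ok
    return 0
}

# Offline demo on a constructed install tree (not a real XenForo checkout).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/js/videojs"
    printf 'FWS' > "$tmp/$SWF_REL"      # fake SWF magic bytes, constructed for the demo
    xf_swf_status "$tmp" || true        # prints: present
    xf_swf_neutralise "$tmp"
    xf_swf_status "$tmp"                # prints: neutralised
    rm -rf "$tmp"
}

# With a web root argument, report on that install; otherwise run the demo.
if [ $# -ge 1 ]; then
    xf_swf_status "$1"
else
    demo
fi
```

Run it as `sh xf_swf_check.sh /var/www/xenforo` and act on a `present` result. The truncate-rather-than-delete choice only keeps the path identical to what the fixed packages install; either way the SWF can no longer be pointed at an attacker's 401 URL.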
 