XenForo 2.1.15, 2.2.16 Released (Security Fixes) 2.2.16 Patch 1

Скачать XenForo 2.1.15, 2.2.16 Released (Security Fixes) 2.2.16 Patch 1
Недавно искали:

Itnull

Команда форума
Администратор
Регистрация
22.05.13
Сообщения
25.548
Реакции
9.503
Веб-сайт
itnull.me
  • Автор темы
  • Администратор
  • Модер.
  • Команда форума
  • #1

Security Fix​

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.


Applying a patch manually​

To patch this issue manually you will need to edit one file manually and upload some changed files.

Step 1: Edit src/XF.php​

Find the following line in this file:
PHP:
$parts = explode(':', $string, 3);

Replace that line with the following:
PHP:
if (!$string) return '';

        if (strpos($string, ':') === false)
        {
            $pattern = '#^\\\?'
                . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
                . '$#';
            if (!preg_match($pattern, $string, $matches))
            {
                throw new \InvalidArgumentException(sprintf(
                    'Class %s does not match formatter pattern %s',
                    $string,
                    $formatter
                ));
            }

            // already a class
            return $string;
        }

        $parts = explode(':', $string, 3);

Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.


Step 2: Upload XF files​

  • Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
  • Extract the .zip file
  • Upload the contents of the upload directory to the root of your XenForo installation

Step 3: Upload XFMG files (for XenForo Media Gallery customers only)​

  • Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
  • Extract the .zip file
  • Upload the contents of the upload directory to the root of your XenForo installation
 

Похожие темы

Ответы
0
Просмотры
179
Ответы
3
Просмотры
254
Ответы
0
Просмотры
192
Назад
Сверху Снизу