    • CommentAuthorMark
    • CommentTimeOct 21st 2007 edited
     # 1
    Vanilla 1.1.4 fixes a serious SQL injection vulnerability.

    Once again, I must mention that I did almost no work in this release - it was entirely (and quickly) handled by the folks at the bug tracker and here on the community forum. And again, I have to thank Damien Lebrun (aka Dinoboff) for taking the torch and keeping me informed about everything that has been going on.

    For more information about the vulnerability:

    The original report
    Bug tracker issue

    Upgrading instructions:

    http://lussumo.com/upgrade
    • CommentAuthorDinoboff
    • CommentTimeOct 21st 2007 edited
     # 2
    Thanks to Feras for reporting the exploit, and to Raz0r (InATeam) for finding the vulnerability.

    PS: Sorry for the people who have already downloaded the package; there were some unnecessary files in it... I tried to sneak in some of my extensions.
    • CommentAuthormojo
    • CommentTimeOct 21st 2007
     # 3
    1.1.3 to 1.1.4 went just fine ;)

    Thanx
    • CommentAuthordan39
    • CommentTimeOct 21st 2007
     # 4
    I really like that the JS files are minified now!!

    However, it would be incredibly helpful if the unpacked versions of each JS file were included inside a folder within the JS directory just for our reference.

    Would it be possible to get that included into the 1.1.4 master download?
     # 5
    It would be nice if we extension developers had some help with security. We are not pro programmers and might have tons of vulnerabilities.
    • CommentAuthorrayk
    • CommentTimeOct 22nd 2007
     # 6
    Urgh.. I have this error when checking for updates :

    Notice: Use of undefined constant APPLICATION_VERSION - assumed 'APPLICATION_VERSION' in /..../dreamgauge.com/forums/themes/settings_update_check_validpostback.php on line 12
    • CommentAuthorFeras
    • CommentTimeOct 22nd 2007
     # 7
    Thank you to Dinoboff & Mark ...

    and I hope the Arabic Vanilla is released soon ...

    Cheers !
    Feras.B
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007
     # 8
    @rayk, reinstall appg/settings.php and appg/version.php
    • CommentAuthorWanderer
    • CommentTimeOct 22nd 2007
     # 9
    Anyone gone from 1.1.2 straight to 1.1.4 ?

    Posted: Monday, 22 October 2007 at 9:51PM

    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007 edited
     # 10
    Mark did it.

    So far, there is only one problem with one of its extensions.
    • CommentAuthorFeras
    • CommentTimeOct 22nd 2007
     # 11
    Dino ... when I install 1.1.4 and check Updates & Reminders:

    #
    Vanilla APPLICATION_VERSION
    Version 1.1.4 is available. Download

    and I've already downloaded the latest version..! So are there any files I should reinstall again???

    Cheers !
    Feras.B
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007
     # 12
    Have you tried turning it off and on again?
    • CommentAuthorWanderer
    • CommentTimeOct 22nd 2007
     # 13
    Dinoboff: So far, there is only one problem with one of its extensions.
    And that extension is?

    Posted: Monday, 22 October 2007 at 10:30PM

    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007 edited
     # 14
    @Feras: Try to reinstall appg/settings.php and appg/version.php
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007 edited
     # 15
    @Wanderer: the Addon extension on this forum (account page), but I can't understand how the upgrade could have done that.
    • CommentAuthorFeras
    • CommentTimeOct 22nd 2007
     # 16
    I did!! And I reinstalled appg/version.php and appg/settings.php!! Same thing ...
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007
     # 17
    I can't reproduce the error. Does someone else have this problem?
    • CommentAuthorjimw
    • CommentTimeOct 22nd 2007
     # 18
    I get a similar APPLICATION_VERSION error:
    Notice: Use of undefined constant APPLICATION_VERSION - assumed 'APPLICATION_VERSION' in D:\Program Files\xampp\htdocs\Vanilla.1\extensions\InviteOnlySystem\default.php on line 28
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007
     # 19
    Try to reinstall appg/settings.php and appg/version.php
    • CommentAuthorjimw
    • CommentTimeOct 22nd 2007 edited
     # 20
    There is no definition for APPLICATION_VERSION in the version file. Should we just add one?
    That fixed it.
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007
     # 21
    It should look like this:

    <?php
    // appg/version.php: version constants read by the update check and by extensions
    define('APPLICATION', 'Vanilla');
    define('FRAMEWORK_VERSION', '1.1.3');
    define('PEOPLE_VERSION', '1.1.3');
    define('APPLICATION_VERSION', '1.1.4');
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007
     # 22
    The only files necessary to fix the vulnerabilities are:
    /ajax/sortcategories.php
    /ajax/sortroles.php
    /languages/English/definitions.php
    /themes/settings_category_list.php
    /themes/settings_role_list.php

    If you want to use the minified, lighter JS files, replace /js/*.

    The other files are related to the version numbers.
    • CommentAuthorrafcg
    • CommentTimeOct 22nd 2007
     # 23
    Dinoboff, thanks for the answers in the General category!!
    I still have a problem after the update (and overwriting the files).
    Now all looks OK, but I can't delete posts... (it looks like it is deleting, but after a few seconds nothing has changed... the post is still in the category.)
    Also I can't switch extensions on/off. When I try, this message appears: "There was a problem authenticating your post information"

    Raf.
    • CommentAuthordan39
    • CommentTimeOct 22nd 2007
     # 24
    Ah.. So I'll assume that means no changes were made to the JS other than minification.
     # 25
    Mine says this: define('FRAMEWORK_VERSION', '1.1.4');

    So it should be APPLICATION_VERSION
    • CommentAuthorFeras
    • CommentTimeOct 22nd 2007 edited
     # 26
    Guys,

    I saw Error 2 in Mark's profile!!

    http://lussumo.com/community/account/1/

    See his "Vanilla Add-ons by this user":

    A fatal, non-recoverable error has occurred

    It seems 1.1.4 had this Error 2 ...

    ===================================


    Myschizo

    define('FRAMEWORK_VERSION', '1.1.4');

    So it will work when we add it?? And which .php files should we add it to?

    Cheers !
    • CommentAuthorDinoboff
    • CommentTimeOct 22nd 2007 edited
     # 27
    fixed
    • CommentAuthorMark
    • CommentTimeOct 22nd 2007 edited
     # 28
    Dammit - I can't do an upload for another six hours.
    • CommentAuthorMark
    • CommentTimeOct 22nd 2007
     # 29
    Okay - The new package has been uploaded. I'm fixing the addons problem now...
    • CommentAuthorMark
    • CommentTimeOct 22nd 2007
     # 30
    Addons problem fixed as well - thanks!
    • CommentAuthorTomTester
    • CommentTimeOct 22nd 2007 edited
     # 31
    As per my previous post (sNews Hax0rs, Vanilla & Security (XSS/Exploits protection)) it's important to note that these guys use echo "dork: \"is a product of Lussumo\"\n";
    to identify vulnerable sites using google (search for pages containing the 'dork' code).

    Of course there are other 'identifiers' on a page to use as a 'Dork', but a GRAPHICAL version indicator that is not so easily indexed by search engines can be useful.
    If only because FAILED attacks will result in more warnings for the rest of the community.
    • CommentAuthordan39
    • CommentTimeOct 22nd 2007 edited
     # 32
    Just curious, but isn't the "X-Powered-By: Lussumo Vanilla 1.1.x" label that was recently added to Vanilla headers a security vulnerability as well? Is there any reason not to remove it??
    • CommentAuthorWallPhone
    • CommentTimeOct 22nd 2007
     # 33
    The X-Powered-By won't itself appear in search engine results, however, if someone found a Vanilla by searching for, say CommentAuthor CommentTime, they could then grab any page's headers to get the version number.

    Remove it if you want (it won't break anything), but security by obscurity is not really security at all. In my experience, exploits like this are just run by dumb bots that will try exploits years old for software that isn't even running on your site, if you do so much as appear in a search for the 'dork' keywords.

    At one time, my Linux/Apache server got the same Microsoft/IIS exploit run against it every day for a full month. I still get one about every week. Something as simple as checking the headers would make it clear that they're wasting their time, but it's just a dumb script running against links in a search results page.
    • CommentAuthorpbear
    • CommentTimeOct 24th 2007
     # 34
    Not a deal-breaker by any means, but in people.css, lines 19-26:

    body, div, input, textarea, select {
    font-family: Trebuchet MS, Verdana, Tahoma, Arial;
    font-size: 12px;
    color: #062971;
    }
    input {
    font-family: arial;
    }

    Trebuchet MS needs quotes; the way vanilla.css does it is below. Capital "Arial" is just a nitpick. :) ...

    body, div, input, textarea, select {
    font-family:'Trebuchet MS', 'Verdana', 'Tahoma', 'Arial', sans-serif;
    font-size: 12px;
    color: #062971;
    }
    input {
    font-family: Arial;
    }
    • CommentAuthorDavidK
    • CommentTimeOct 26th 2007
     # 35
    Are the older versions of Vanilla still available?

    I have modified some of the files and want to diff against the older version so that I know how to move my changes into 1.1.4 and safely upgrade.

    I'm looking for 1.1.2 but a link to all older versions would be great.
    • CommentAuthorWallPhone
    • CommentTimeOct 26th 2007
     # 36
    • CommentAuthorDavidK
    • CommentTimeOct 26th 2007
     # 37
    Thanks muchly.
    • CommentAuthorThaRiddla
    • CommentTimeOct 26th 2007
     # 38
    Is it necessary to go from 1.1.2 --> 1.1.3 --> 1.1.4?
    Are there any database or otherwise necessary changes in that process?

    If possible, I'd like to go straight to 1.1.4.
    • CommentAuthorDinoboff
    • CommentTimeOct 26th 2007 edited
     # 39
    No database changes; you can update directly to 1.1.4.
    • CommentAuthorThaRiddla
    • CommentTimeOct 26th 2007
     # 40
    Thank you.
    • CommentAuthorSimba Cub
    • CommentTimeOct 26th 2007
     # 41
    Works great, thank you!
    • CommentAuthorRatpachy
    • CommentTimeNov 5th 2007
     # 42
    I didn't know where to post this, but I am going to do it here for help.
    We downloaded 1.1.4 yesterday. We went live with just the basics and no extensions.
    I was adding extensions last night. Simple things like stats and such. I added quite a few other things, but unchecked them when I started getting errors.
    The major problem right now is Vanilla defaulting to HTML and I can't get it to default to BBCode.
    Can anyone help me?
    • CommentAuthorDinoboff
    • CommentTimeNov 5th 2007
     # 43
    You should open a new thread or ask for help in the BBCode or HTML formatter discussions:
    http://lussumo.com/addons/index.php?PostBackAction=AddOn&AddOnID=33
    http://lussumo.com/addons/index.php?PostBackAction=AddOn&AddOnID=237

    or the DefaultFormatter discussion if you are using this extension
    http://lussumo.com/addons/index.php?PostBackAction=AddOn&AddOnID=332
    • CommentAuthorserafino
    • CommentTimeNov 8th 2007 edited
     # 44
    Hi Guys,

    How do I update from 1.1.2 to 1.1.4? What files do I have to change or replace? I'm a little confused :-(

    thanks!
    • CommentAuthorDinoboff
    • CommentTimeNov 8th 2007
     # 45
    • CommentAuthorserafino
    • CommentTimeNov 8th 2007
     # 46
    Thanks Dinoboff,

    But I'm confused by the two steps. 1.1.2 to 1.1.3 + 1.1.3 to 1.1.4.

    Do I need to download 1.1.3 as well?
    • CommentAuthorDinoboff
    • CommentTimeNov 8th 2007
     # 47
    Just download 1.1.4 and upload all the files or just the listed ones. There are no settings or DB changes. You just need to update the listed files.
    • CommentAuthorserafino
    • CommentTimeNov 8th 2007
     # 48
    Thanks. So I can overwrite all of the existing 1.1.2 files? Or is it safe to upload all of the listed ones (by which I assume you mean those listed in the 1.1.2 to 1.1.3 upgrade + the 1.1.3 to 1.1.4 upgrade)?
    • CommentAuthorWanderer
    • CommentTimeNov 8th 2007
     # 49
    Serafino, I have the same confusion as you which is what's holding me back from upgrading.
    I have a lot of modifications made to existing files and I don't have a day and a half to spare if something goes wrong.

    Just thought I'd mention that in case you were feeling that your questions are stupid!
    • CommentAuthorDinoboff
    • CommentTimeNov 8th 2007 edited
     # 50
    Make a copy of your installation first.

    After that it depends on what you are using. If you are using FTP, it is safer to only upload the listed ones.