XenForo 2.0.3 Released - Includes Security Fix



XenForo 2.0.3 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.0 upgrade to this release to benefit from increased stability.

Download XenForo 2.0.3

Most importantly, this release includes a fix for a security issue that was reported to us by Julien from RCE Security. The issue was not found within XF code itself, but in a file from the Video JS library which we previously shipped with XF 1.5.x. The issue is known as an "authentication phishing" exploit: it involves posting a specially crafted URL pointed at the Video JS SWF file. When clicked on or embedded in a page, that URL can reference another URL which returns a 401 response and therefore displays an authentication prompt. This prompt may trick less experienced users into thinking that it is your site which is asking for authentication, when in fact the details they enter may be submitted to the attacker instead.

This issue can only affect XenForo 2.0 installations that were previously upgraded from XenForo 1.5. The reason is that the affected file is left on your file system after upgrading unless you have taken steps to manually or automatically clean up the old files. To solve this problem in both XF 1.5 and XF 2.0, we are including a zero-byte file which will overwrite the problematic file.

We recommend that all customers upgrade to the latest version of XF 1.5 or XF 2.0, but if you are unable to do this then you can simply delete the file which resides in the following location: js/videojs/video-js.swf.
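The two remediations described above, deleting the leftover SWF or overwriting it with a zero-byte file, as an added example script that is not part of XenForo or the release package. It assumes the forum root is passed as the first argument and uses the path js/videojs/video-js.swf named in the release notes; the fixture at the bottom is a constructed fake, not a real SWF.

```shell
#!/bin/sh
# Added example (not XenForo's own tooling): find the legacy Video JS SWF left
# behind by a 1.5.x install and neutralise it, as described in the 2.0.3 notes.

# Report the state of the legacy SWF under a forum root.
# Prints one of: missing | neutralised (zero-byte) | present
videojs_swf_state() {
    root="$1"
    swf="$root/js/videojs/video-js.swf"   # path stated in the release notes
    if [ ! -e "$swf" ]; then
        echo missing
    elif [ ! -s "$swf" ]; then
        echo neutralised
    else
        echo present
    fi
}

# Remediate: remove the file outright (the manual fix from the release notes),
# or truncate it to zero bytes (what the shipped zero-byte file achieves).
# mode: delete (default) | truncate
videojs_swf_fix() {
    root="$1"; mode="${2:-delete}"
    swf="$root/js/videojs/video-js.swf"
    case "$(videojs_swf_state "$root")" in
        present)
            if [ "$mode" = truncate ]; then
                : > "$swf"            # zero-byte overwrite, matching the shipped fix
            else
                rm -f "$swf"
            fi
            echo "fixed ($mode): $swf" ;;
        neutralised) echo "already zero-byte: $swf" ;;
        missing)     echo "not present: $swf" ;;
    esac
}

# Constructed fixture for a stand-alone run: a fake XF root carrying the leftover file.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/js/videojs"
printf 'CWS fake flash header' > "$demo_root/js/videojs/video-js.swf"   # constructed, not a real SWF
videojs_swf_state "$demo_root"          # present
videojs_swf_fix "$demo_root" truncate
videojs_swf_state "$demo_root"          # neutralised
rm -rf "$demo_root"
```

Run it against a live forum root as `videojs_swf_fix /path/to/forum` (or with `truncate` as the second argument) and re-run `videojs_swf_state` to confirm.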

As a side note, there is potentially another, similar exploit in some current browser versions. This involves a URL which points to a resource, such as an image, which returns a 401 response. This exploit is being patched by most browser vendors: it is already fixed in the latest stable Chrome release and will be fixed in upcoming versions of Safari and Firefox. If you are concerned by such an exploit, please ensure you inform your users that a) they should be using the latest available version of their preferred browser and b) login details should only be provided via your site's default login form.

XenForo Importers add-on

We have made an important change to how we will release XenForo importers going forward in this release. Rather than shipping the files with XenForo itself, the importers will be installed as a separate add-on which is downloadable from your Customer area. One reason for this change is so that we can provide more frequent updates to importer code as necessary, without having to wait for the usual XF release cycle.

At present, available importers are limited to vBulletin (versions 3.x, 4.x, 5.x and Blog add-ons) but we are actively working towards the release of more importers in the near future.

XenForo 2.1

We are making good progress toward XenForo 2.1 and, although we don't have anything to show you just yet, we do have plans to increase the minimum requirements in XenForo 2.1 so we can bring you some pretty cool changes ;) You may remember that in XenForo 2.0.2 we started collecting some server stats. This has actually been immensely useful, so thank you to everyone who agreed to submit that information. We wanted to share some statistics based on PHP version usage:
  • PHP 5.4: 6%
  • PHP 5.5: 4%
  • PHP 5.6: 34%
  • PHP 7.0: 23%
  • PHP 7.1: 23%
  • PHP 7.2: 10%
Possibly not much of a surprise here, but this tells us that 90% of our customers currently running XF 2.0.2 are using PHP 5.6 or above. XenForo 2.1 will therefore require a minimum of PHP 5.6. If you're in the 10% who are currently using PHP 5.4 or PHP 5.5, then we strongly recommend that you upgrade as soon as possible. We do, of course, recommend that you use PHP 7.2+ where practicable. If you are planning to move to XenForo 2.1 from XenForo 1.5 eventually, then please include the PHP version requirement in your upgrade plans.

If you are running a version below PHP 5.6, you will receive a warning when installing or upgrading XenForo.

We have some pretty big plans for XenForo 2.1 and we are working hard towards it so expect some exciting updates on that in the coming months.

Some of the other changes in 2.0.3 include: