- Compatible XF Versions
 - 2.3
 
- Visible Branding
 - No
 
Security Fix
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16. If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.
If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
XenForo extends its thanks to independent security researcher Egidio Romano (EgiX), working with SSD Secure Disclosure.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.
Applying a patch manually
To patch this issue manually, you will need to edit one file and upload some changed files.
Step 1: Edit src/XF.php
Find the following line in this file:
PHP:
    $parts = explode(':', $string, 3);
Replace it with the following:
PHP:
    if (!$string) return '';
    if (strpos($string, ':') === false)
    {
        $pattern = '#^\\\?'
            . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
            . '$#';
        if (!preg_match($pattern, $string, $matches))
        {
            throw new \InvalidArgumentException(sprintf(
                'Class %s does not match formatter pattern %s',
                $string,
                $formatter
            ));
        }
        // already a class
        return $string;
    }
    $parts = explode(':', $string, 3);
Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.
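To see what the new check accepts and rejects, here is the colon-free branch lifted into a stand-alone function with a few sample inputs. This is an added illustration, not XenForo's own code; the formatter shape '%s\Entity\%s' and the function name resolveClass are this example's assumptions.

```php
<?php
// Added example (not XenForo's code): the patched colon-free branch in isolation,
// so accepted and rejected class strings can be compared side by side.
// The formatter shape '%s\Entity\%s' is assumed for illustration.

function resolveClass(string $string, string $formatter): string
{
    if ($string === '') {
        return '';
    }
    if (strpos($string, ':') === false) {
        // Before the patch this branch returned $string untouched, so any class
        // name reaching it was accepted. The patch requires it to fit the
        // formatter: each %s may only be [A-Za-z0-9_\] characters.
        $pattern = '#^\\\?'
            . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
            . '$#';
        if (!preg_match($pattern, $string)) {
            throw new \InvalidArgumentException(sprintf(
                'Class %s does not match formatter pattern %s', $string, $formatter
            ));
        }
        return $string; // already a class, and it fits the expected shape
    }
    // "Vendor:Name" short form, expanded through the formatter as before.
    [$vendor, $name] = explode(':', $string, 2);
    return sprintf($formatter, str_replace('/', '\\', $vendor), str_replace('/', '\\', $name));
}

$formatter = '%s\Entity\%s';
$inputs = [
    'XF:User',                // short form, expanded via the formatter
    'XF\Entity\User',         // already a class and fits the formatter: accepted
    '\XF\Entity\User',        // leading backslash is tolerated by the pattern
    'Some\Unrelated\Service', // already a class but does not fit: rejected
];
foreach ($inputs as $input) {
    try {
        printf("%-26s -> %s\n", $input, resolveClass($input, $formatter));
    } catch (\InvalidArgumentException $e) {
        printf("%-26s -> rejected: %s\n", $input, $e->getMessage());
    }
}
```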
Step 2: Upload XF files
- Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
- Extract the .zip file.
- Upload the contents of the upload directory to the root of your XenForo installation.

Step 3: Upload XFMG files (for XenForo Media Gallery customers only)
- Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
- Extract the .zip file.
- Upload the contents of the upload directory to the root of your XenForo installation.