Patch files for 1.2 and 1.3 versions

[SneakyDave]

I have 3 expired XenForo licenses, which obviously means that I can't download new version of XenForo, and can't submit support tickets for the licenses I have.

With the recent security update, are there patch files available for my installations, or do I need to renew my licenses for those sites in order to get the latest patched versions?

Also, is this security vulnerability related to the recent Wordpress vulnerability found on PHP's XML processing?

Please move to Questions and Support if this isn't the correct forum.

 

[Mike]

Strictly speaking, you would need an active license to download the fixed version. It's sort of the other edge of the sword with getting feature updates without an additional payment.

That said, it's not really our intention to leave people out and we have done what we can. (Hence, anyone with access to 1.2.5--released in February--can download the the patch for 1.2. Similarly, if you can download 1.3.4, you can download 1.3.5. This is an unusually large patch and it does affect a large number of files (including several new files) so it's not really feasible to release a basic patch as a zip. I will look at generating a usable unified diff if you're comfortable applying that.

It's not "related" to the recent Wordpress issue, but it is similar in concept. (I suspect you'll find a lot of PHP apps are vulnerable as PHP's setup makes this a major pain to workaround.)

 

[SneakyDave]

Thanks, the only versions I can download are 1.3.1 for 2 licenses, and 1.2.4 for another one, so I'm just unlucky in when my licenses expired?

I was going to wait for 1.4 to be released to renew them, but I suppose there's no time like the present.

 

[Daniel Hood]

@Mike, I don't mean to hijack this thread but could you elaborate on what is 'insecure' with php/xml? Was it the rendering or the importing (feed reader) or is it the entire php xml parser?

 

[Liam W]

I was wondering this myself...

One of my licences expired between the release of 1.3.2 and 1.3.3...

I'll just leave it until I feel like renewing.

 

[tyteen4a03]

@Mike, I don't mean to hijack this thread but could you elaborate on what is 'insecure' with php/xml? Was it the rendering or the importing (feed reader) or is it the entire php xml parser?

The idea is similar to the Billion Laughs (or ZIP bomb, what have you) attack, except instead of defining nested elements you define one really big element then repeat that really big element by a really big amount.

In SGML (this includes HTML and XML), you can define your own tags to be parsed by the SGML parser (this is why you see <!DOCTYPE w3.org/something.dtd> at the start of the HTML document); this is the backbone of HTML and is a very useful feature in XML.

To define one, you use:

<?xml version="1.0" standalone="yes" ?>
<!DOCTYPE author [
<!ELEMENT author (#PCDATA)>
<!ENTITY js "Jo Smith">
]>
<author>&js;</author>

As you can probably already guess, this defines an <author> tag and &js; will be replaced by "Jo Smith", producing the final output of <author>Jo Smith</author>. Now if we do this:

<?xml version="1.0"?>
<!DOCTYPE malicious [
<!ELEMENT malicious (#PCDATA)>
<!ENTITY x "InsertAFewHundredBytesToAFewKilobyteOfDataHere">
]>
<malicious>&x;&x;&x;&x;&x;&x;&x;&x;&x;...</malicious>

The XML parser will spend all its memory trying to get the final tag, which will exhaust the 128MB of memory XenForo allocates by default very quickly and use up a lot of CPU cycles - this is how a machine is brought down.
To fix this, there are a few approaches:
1. Validate the XML by schema using schemaValidate: Requires definition of all XML documents. Both Atom and RSS have one; XF may need some additional code to make this happen without breaking addons.
2. Stop execution if entity definitions are detected
3. Ignore entities definition when parsing: Will mean that support for PHP 5.2.4 - 5.2.11 will need to be dropped since the relevant function is only introduced in 5.2.11

XenForo chose to employ ZF1's (undocumented) Zend_XML_Security class, which does item 2 and 3.

Additionally, there is also a related exploit that can power XSS attacks, meaning an attacker can display arbitary JS or even PHP code. This is not directly related to this attack and I'm not sure how much XenForo (or ZF, since the Reader code is largely ZF's code) does to prevent rogue XML data.

 

[Mike]

I have attached a unified diff patch to this post. It is based on the 1.2 fix and applies cleaning to 1.2.5. I have applied it against 1.2.0 and 1.3.0 and it works without issue (just some line offsets).

It generally works against 1.1.5 as well, except there are some files changed that don't exist in 1.1.5. These files read from trusted XML files that are part of the XenForo download, so the patch should still be secure. Regardless, I would recommend upgrading if possible.

For reference, the patch can be test applied via the command line like:

patch -p1 --dry-run -d forum < xf-xml-patch.diff

Assuming that you are 1 directory above your "forum" directory and the patch file has been uploaded there. If running this does not indicate any failures, you can remove the "--dry-run" option to actually apply the patch.

(This patch does also include a PHP 5.6 compatibility fix that was included as part of the 1.2.6 release.)

 

[tyteen4a03]

@Mike , because of reasons listed in #6 you also need to raise the minimum PHP version to 5.2.11.

(This vulnerability dates back to 2004 and even Zend got hit in 2012 which caused them to raise the requirements in ZF1.12.5; I am really surprised that XenFor never checked for it. Sorry guys, the Golden Record has been broken.)

@Daniel Hood , I have written a more through explanation (mind you, it may not be 100% correct but it should be enough for now)

 

[Liam W]

I have attached a unified diff patch to this post. It is based on the 1.2 fix and applies cleaning to 1.2.5. I have applied it against 1.2.0 and 1.3.0 and it works without issue (just some line offsets).

It generally works against 1.1.5 as well, except there are some files changed that don't exist in 1.1.5. These files read from trusted XML files that are part of the XenForo download, so the patch should still be secure. Regardless, I would recommend upgrading if possible.

For reference, the patch can be test applied via the command line like:

patch -p1 --dry-run -d forum < xf-xml-patch.diff

Assuming that you are 1 directory above your "forum" directory and the patch file has been uploaded there. If running this does not indicate any failures, you can remove the "--dry-run" option to actually apply the patch.

(This patch does also include a PHP 5.6 compatibility fix that was included as part of the 1.2.6 release.)

Thanks, that appears to have worked without error. So far...

 

[Mike]

@Mike , because of reasons listed in #6 you also need to raise the minimum PHP version to 5.2.11.

Good point. I think it's the only way to truly prevent the issue as otherwise the entities are expanded at parse time. I will make a note in the announcements. (Annoying how a function like this only appears in a release like that.)

 

[tyteen4a03]

Good point. I think it's the only way to truly prevent the issue as otherwise the entities are expanded at parse time. I will make a note in the announcements. (Annoying how a function like this only appears in a release like that.)

Welcome to PHP

 

[xml]

I have attached a unified diff patch to this post. It is based on the 1.2 fix and applies cleaning to 1.2.5. I have applied it against 1.2.0 and 1.3.0 and it works without issue (just some line offsets).

It generally works against 1.1.5 as well, except there are some files changed that don't exist in 1.1.5. These files read from trusted XML files that are part of the XenForo download, so the patch should still be secure. Regardless, I would recommend upgrading if possible.

For reference, the patch can be test applied via the command line like:

patch -p1 --dry-run -d forum < xf-xml-patch.diff

Assuming that you are 1 directory above your "forum" directory and the patch file has been uploaded there. If running this does not indicate any failures, you can remove the "--dry-run" option to actually apply the patch.

(This patch does also include a PHP 5.6 compatibility fix that was included as part of the 1.2.6 release.)

Hello Mike

applying the patch xf-xml-patch.diff via the command line is very easy, took 1 second and there was no error messages for my test forum 1.2.5, But you still prefere and recommend upgrading. Why? what are you worried about applying the patch via the command line?

 

[Paul B]

Not everyone has the ability or access to do that.

 

[Mike]

Or to guarantee that the patch applies cleanly. Applying a patch will also show that files contain unexpected contents.

 

[xml]

Or to guarantee that the patch applies cleanly. Applying a patch will also show that files contain unexpected contents.

for my situation I can not upgrade any time soon (long story) But I am the only administrator and I dont import RSS feeds from anywhere, is my forum still at risk? can you do more tests on the batch untill you are sure it is 100% efficient?

 

[pegasus]

I think that if you don't import RSS feeds, then this vulnerability can only be exploited if a malicious "coder" tricks you into installing an add-on that exploits it.

It is also possible if you have any public-facing "post-back" scripts, like a PayPal IPN parser that expects XML input (but PayPal's postback message is plain-text so likely any PayPal-only script is not vulnerable). Any kinds of scripts like these would be third-party/add-ons.

 

[xml]

Hello pegasus

I have no third-party scripts. I have just 4 add-ons installed long time ago from well-known coders here in xenforo and I have NO intention to install any additional add0-ons.

 

[iTuN3r]

So if you don't use much add-on's or import rss feeds etc you should be fine ?

 

[Mike]

for my situation I can not upgrade any time soon (long story) But I am the only administrator and I dont import RSS feeds from anywhere, is my forum still at risk? can you do more tests on the batch untill you are sure it is 100% efficient?

The official method is always going to be to upgrade. The patch file is generated from a diff between 1.2.5 and 1.2.6 so it's not like the code is different -- it's just important that you ensure that the patch has fully applied and that's not something that we can verify for you. A full upgrade would allow that verification.

The issue resolves around anywhere that processes XML that a potentially untrusted user can control. By default, XenForo only exposes this through the admin control panel (add-ons, languages, styles, smilies, etc) or through RSS feed importing. Add-ons may expose this in other ways; if they do, it's likely they're vulnerable. If that's a sufficient mitigation for you, obviously it's your choice whether you want to upgrade (certainly, if someone got access to the control panel, they could do plenty of damage without a vulnerability). We would still recommend you upgrade to be sure.

 

[Liam W]

Question, Mike, what should add-on authors do to ensure addons aren't vulnerable, if they use XML files?

Liam