XenForo 1.2.6 Released (Security Fix)

Today, we are releasing XenForo 1.2.6 to address a potential security vulnerability that has been identified. We recommend that all customers running XenForo 1.2 or earlier upgrade to 1.2.6 as soon as possible. This fix changes a large number of files so a full upgrade is required.

Please note that in order to resolve this security issue, XenForo's PHP requirements needed to increase slightly. This release now requires PHP 5.2.11 or higher.

The security issue relates to XML processing. A specially crafted XML file can be used to enact a denial of service attack or potentially read files from the the file system. This type of vulnerability has been identified in many other applications. In XenForo, the risk is mitigated as only authenticated administrators may trigger the XML processing routines; website visitors cannot directly exploit this issue. However, if you import RSS feeds from elsewhere, these could potentially be modified to trigger the issue. As such, we strongly recommend that you upgrade to a patched version as soon as possible.

All customers with access to download 1.2.5 will have access to download 1.2.6. Customers running 1.3 or 1.4 should upgrade to 1.3.5 or 1.4.0 Beta 2 respectively. (For advanced users, there is a unified diff that applies the security patch.)

Installation and Upgrade Instructions

Full details for how to install and upgrade XenForo can be found in the XenForo Manual.