XenForo 1.3.5 Released (Security Fix)

Today, we are pleased to release XenForo 1.3.5. This release addresses a security vulnerability that was identified. As such, we recommend that all customers running 1.3 upgrade to 1.3.5 as soon as possible.

Please note that in order to resolve this security issue, XenForo's PHP requirements needed to increase slightly. This release now requires PHP 5.2.11 or higher.

The security issue relates to XML processing. A specially crafted XML file can be used to enact a denial of service attack or potentially read files from the the file system. This type of vulnerability has been identified in many other applications. In XenForo, the risk is mitigated as only authenticated administrators may trigger the XML processing routines; website visitors cannot directly exploit this issue. However, if you import RSS feeds from elsewhere, these could potentially be modified to trigger the issue. As such, we strongly recommend that you upgrade to a patched version as soon as possible.

This release also fixes a number of bugs and issues that were found since the release of 1.3.4. Some of these include:
  • Only enqueue the mail queue trigger once in a request to reduce possibility of deadlocks
  • Fix forum watch alerts not being sent when a thread needs to be manually approved
  • Fix thread prefix selector via Ajax in the admin control panel
  • If a media embed key contains censored text, do not embed the media
  • Fix autolinking in basic text sources where HTML is accidentally used
  • Prevent an error in the phpBB importer when the attachment physical filename is empty/invalid
  • Fix potential error with invalid characters from an imported feed
  • When importing a feed, do not display duplicate author names
  • Remove unnecessary dependency on the discussion preview length option in the multi-quote overlay
  • Missed "not" from the facebook_did_not_provide_email phrase, changing the meaning of the text
  • Hid the "Identities" section of the contact details page if there were no custom fields that went there
  • Added bottom padding to quote text elements to prevent clipping in certain browsers/OSes
  • Fixed full screening videos where the iframe had a max-width/height specified
  • Fixed tabindex on the login form when registration was disabled
  • Hid the message about dragging multi-quote elements around when not supported
See the Resolved Bug Reports forum for further information.

The following templates have had changes:
  • account_contact_details
  • bb_code.css
  • helper_login_form
  • thread_multi_quote_overlay.css
Where necessary, the merge system within the "Outdated Templates" page should be used to integrate these changes.

All customers with active licenses may now download the new version from the customer area.

For advanced users, there is a unified diff that applies the security patch.

More Stable

This release follows our principle that third-point (x.x.X) releases should always be more stable than the preceding version, so for the most part you will not find new features in this release. Major new features will be reserved for second point versions (x.X.x).

Installation and Upgrade Instructions

Full details for how to install and upgrade XenForo can be found in the XenForo Manual.