XenForo 2.0.3 Released - Includes Security Fix

XenForo 2.0.3 is now available for all licensed customers to download. We recommend that all customers running previous versions of XenForo 2.0 upgrade to this release to benefit from increased stability.

Download XenForo 2.0.3

Most importantly, this release includes a fix for a security issue that was reported to us by Julien from RCE Security. The issue was not found within XF code itself, but instead in a file which we previously included with XF 1.5.x as part of the Video JS library. The issue is known as an "authentication phishing" exploit which involves posting a specially crafted URL pointed at the Video JS SWF file. This specially crafted URL, when clicked on or embedded in a page, can include another URL which returns a 401 response and displays an authentication prompt. This authentication prompt may trick less experienced users into thinking that it is your site which is asking for authentication, when in fact the authentication details entered may be submitted to the attacker instead.

This issue potentially affects XenForo 2.0 users only if you previously upgraded from XenForo 1.5. The reason for this is that the affected file will be left on your file system after upgrading unless you have taken steps to manually or automatically clean up the old files. To solve this problem in both XF 1.5 and XF 2.0, we are including a zero-byte file which will overwrite the problematic file.

We recommend that all customers upgrade to the latest version of XF 1.5 or XF 2.0, but if you are unable to do this then you can simply delete the file which resides in the following location: js/videojs/video-js.swf.
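The following is an added example, not code from XenForo or from this announcement, showing how an administrator could verify that the leftover file described above is either absent or has been neutralised by the zero-byte overwrite, and remove it if it is still present with content. The path js/videojs/video-js.swf is the one given in the announcement; the install root passed as an argument and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not XenForo's own code): audit an XF install root for the
# leftover Video JS SWF that can be abused for authentication phishing.
# The relative path comes from the release announcement.
LEFTOVER_SWF="js/videojs/video-js.swf"

# check_leftover_swf <xf_root>
# Returns 0 when the file is absent or zero bytes (already neutralised by
# the upgrade's zero-byte overwrite), 1 when it is still present with content.
check_leftover_swf() {
    root=$1
    f="$root/$LEFTOVER_SWF"
    if [ ! -e "$f" ]; then
        echo "ok: $f not present"
        return 0
    fi
    if [ ! -s "$f" ]; then
        echo "ok: $f present but zero bytes"
        return 0
    fi
    echo "WARNING: $f present with content; delete it or upgrade"
    return 1
}

# remove_leftover_swf <xf_root>
# Deletes the file when present; returns 0 when it is gone afterwards.
remove_leftover_swf() {
    root=$1
    f="$root/$LEFTOVER_SWF"
    if [ -e "$f" ]; then
        rm -f "$f"
    fi
    [ ! -e "$f" ]
}

# Usage (assumed install root, not a real path):
#   check_leftover_swf /var/www/xenforo || remove_leftover_swf /var/www/xenforo
```

Run the check after every upgrade from 1.5, since the file is not part of the 2.0 package and only survives as a leftover; a zero-byte file is reported as safe because that is exactly what the fix in this release leaves behind.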

As a side note, there is potentially another exploit in some current browser versions which is similar. This involves a URL which points to a resource, such as an image, which returns a 401 response. This is an exploit which is being patched by most browser vendors. It is currently fixed in the latest stable Chrome release, and upcoming versions of Safari and Firefox. If you are concerned by such an exploit, please ensure you inform your users that a) they should be using the latest available version of their preferred browser and b) that login details should only be provided via your site's default login form.

XenForo Importers add-on

In this release we have made an important change to how XenForo importers will be released going forward. Rather than shipping the files with XenForo itself, the importers will be installed as a separate add-on which is downloadable from your Customer area. One reason for this change is so that we can provide more frequent updates to importer code as necessary, without having to wait for the usual XF release cycle.

At present, available importers are limited to vBulletin (versions 3.x, 4.x, 5.x and Blog add-ons) but we are actively working towards the release of more importers in the near future.

XenForo 2.1

We are making good progress toward XenForo 2.1 and, although we don't have anything to show you just yet, we do have plans to increase the minimum requirements in XenForo 2.1 so we can bring you some pretty cool changes ;) You may remember that in XenForo 2.0.2 we started collecting some server stats, and this has actually been immensely useful, so thank you to everyone who agreed to submit that information. We wanted to share some statistics based on PHP version usage:
  • PHP 5.4: 6%
  • PHP 5.5: 4%
  • PHP 5.6: 34%
  • PHP 7.0: 23%
  • PHP 7.1: 23%
  • PHP 7.2: 10%
Possibly not much of a surprise here, but this tells us that 90% of our customers currently running XF 2.0.2 are using PHP 5.6 or above. XenForo 2.1 will therefore require a minimum of PHP 5.6. If you're in the 10% who are currently using PHP 5.4 or PHP 5.5, then we strongly recommend that you upgrade as soon as possible. We do, of course, recommend that you use PHP 7.2+ where practicable. If you are planning to move to XenForo 2.1 from XenForo 1.5 eventually, then please include the PHP version requirement in your upgrade plans.

If you are running a version below PHP 5.6, you will receive a warning when installing or upgrading XenForo.

We have some pretty big plans for XenForo 2.1 and we are working hard towards it so expect some exciting updates on that in the coming months.

Some of the other changes in 2.0.3 include:
  • Ensure that development output is always removed as appropriate when an entity is deleted.
  • In the vBulletin importer, handle blog tables not existing.
  • Do not attempt to notify users of conversation messages if they do not have an email address.
  • Add missing phrase when a log entry cannot be found.
  • When reverting a phrase in the translation system, and it has no parent, hide it to avoid template errors.
  • Improve error output for development JS.
  • Ensure a user "location" link always opens in a new window.
  • Catch a "duplicate key" race condition when watching a thread.
  • Display question in poll widget by default if no other title is entered.
  • Re-count number of unread conversations when opening the conversations pop up.
  • Deprecate the use of jQuery.proxy in favour of XF.proxy.
  • Update LightGallery to latest version.
  • Ensure the add-on cache is updated on XF upgrade to ensure it reflects the correct XF version.
  • Ensure a consistent position for the "Edit avatar" link overlay.
  • When filtering the user list, pass the specified order and direction in.
  • Adjust sub node list to inline-block to resolve some spacing issues on some browsers.
  • Improve validation of incoming PayPal IPN calls.
  • Adjust moderator logging when copying/moving posts.
  • Process additional attributes on xf:datarow tags.
  • Ensure permissions and privacy are respected on the server side when posting profile posts.
  • Only attempt to render alerts if the alert handler is available.
  • Re-implement the ability to "Show older items" when viewing a date limited thread list.
  • Update the styles last modified date on language changes to ensure certain values which affect CSS take effect.
  • In some cases, a Solve Media CAPTCHA challenge would erroneously pass if the HTML was tampered with (such as via a spam bot).
  • Re-implement quick "Ban / Discourage IP" links on the list of a user's IP addresses in the Admin CP.
  • Add a message to the notice list in the Admin CP if we detect some notices may contain invalid criteria, such as templates which do not exist, or PHP classes/methods that cannot be found.
  • Ensure advanced colour functions in property values are supported when styling Stripe's secure forms and a site's "theme color".
  • Add new bb_code_processor_action_map and bb_code_renderer_map code events.
  • Ensure conversation message links redirect to the correct page in a conversation.
  • Ensure a user is redirected to the forum list properly if they click login/register and they are already logged in.
  • Improve compatibility with other JavaScript libraries in the two_step_totp template.
  • Re-implement escapeClose option on overlay handlers.
  • When CodeMirror is initialised, ensure it is loaded with any specified mode automatically.
  • If a payment profile does not have a display title, display the payment profile title instead of the payment provider title.
  • In the vBulletin importer, convert [THREAD] and [POST] BB codes to [URL] BB codes.
  • In the vBulletin importer, convert [NOPARSE] BB codes to [PLAIN] BB codes.
  • Abort a click handler if the click was issued with a modifier key (Ctrl/Cmd etc.) or anything but a left click. You can opt in to allowing modifier keys/clicks by adding the data-click-allow-modifier="true" attribute.
  • Display the connected account providers on the login/login page.
  • Avoid a regex error when processing some email bounces.
  • Suppress user change logging for user bans when importing.
  • Prevent code editor scrollbars from overlapping the code editor contents.
  • When detecting whether we can retain IDs for a forum import, ensure the correct max thread ID value is checked.
  • Ensure that the user title ladder cache is updated when entries are deleted.
  • Update to CodeMirror 5.35.0.
  • If an empty max height value is in Attachment options, do not attempt to resize the image to 0 height.
  • Ensure the "From name" is displayed correctly in all cases when a user sends an email via the contact form.
  • Import attachments from vBulletin with the correct upload_date.
  • When viewing a user's activity on the member tooltip or their profile, indicate if they are viewing an error page.
  • Properly cache the noticeLastReset value in the registry to avoid unnecessary re-querying.
  • Note that the {email} placeholder is supported in the new user welcome email.
  • Prevent an error when using the silent flag when inserting master phrases.
  • Prevent an error when attempting to delete a payment profile that has no purchasable items assigned yet.
  • Do not show the News feed link in the visitor menu when the news feed is disabled.
  • New getPaymentParams() method in the XF\Payment\AbstractProvider class so the default view/link params can be more easily extended.
  • Fix an issue which prevented the "Warnings" tab from activating on the member profile when the warnings count was clicked.
  • Fix a missing word in the mail_has_been_disabled_warning phrase.
  • Better support for empty string values in the <xf:numberbox> tag.
  • Prevent unselectable styles from being selected in some cases.
  • Add rel="nofollow" to prefix links.
  • Ensure Apple Pay buttons have the correct height.
  • Workaround a flex bug in messages in Internet Explorer 11 that caused unnecessary whitespace below an embedded image.
  • Prevent the Contact service validations from running more than once.
  • Update to Froala 2.7.6.
  • Prevent the rich text editor from loading on Android 4 and below unless a modern browser such as Chrome or Firefox is being used.
  • Fix an error if an entity structure primary key is defined as an array with a single element, and a simple un-keyed array is passed in to Finder's whereId and whereIds methods.
  • Security: Disable use of js/videojs/video-js.swf.
  • Skip and log certain Stripe events coming in from Stripe web hooks.
  • Prevent an error when parsing URLs in the smilie import data helper.
  • Prevent prefixes from being lost when moving or copying posts into an existing thread.
  • Try to generically prevent invalid UTF-8 errors during import.
  • When enabling an add-on, check that it still meets requirements.
  • When displaying birthday users in the "Today's birthdays" member stat, increase the "recently active" constraint to 365 days.
  • Fix issue which meant that the style page criteria was incorrectly saved as user criteria. Note: You will need to edit any affected notices to re-apply this criteria.
  • Changes to ensure post titles are imported correctly.
  • Display an appropriate error if you try to start a conversation with yourself.
  • Only attempt to navigate to the hash portion of a URL if it represents a valid selector.
  • When importing banned email addresses, ensure the duplicate detection is case insensitive to avoid interrupting the import process.
  • Always allow any user to view a member tooltip, whether the member is a valid user or not.
  • Maximum "Find new" results is now tied to the maximumSearchResults option, rather than being hard coded to 200.
  • Allow connected account logins when the "boardActive" option is disabled.

The following public templates have had changes:
  • account_alerts
  • account_alerts_popup
  • account_visitor_menu
  • app_body.less
  • app_nav.less
  • bb_code_preview
  • code_editor.less
  • conversation_message_macros
  • core.less
  • core_avatar.less
  • core_bbcode.less
  • core_blockmessage.less
  • core_hscroller.less
  • core_labels.less
  • core_tooltip.less
  • editor_base.less
  • forum_filters
  • forum_post_quick_thread
  • forum_view
  • google_analytics
  • helper_action
  • member_macros
  • message.less
  • node_list.less
  • payment_initiate_braintree
  • payment_initiate_stripe
  • post_macros
  • thread_list_macros
  • thread_view
  • two_step_totp
  • widget_members_online
Where necessary, the merge system within the "outdated templates" page should be used to integrate these changes.

As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area.

Note: add-ons, customizations and styles made for XenForo 1.x are not compatible with XenForo 2. If your site relies upon these for essential functionality, ensure that a XenForo 2 version exists before you start to upgrade. We strongly recommend you make a backup before attempting an upgrade.

Current Requirements

Please note that XenForo 2.0 has higher system requirements than XenForo 1.x. We will be updating the requirements test script in the near future to reflect this. The following are minimum requirements:
  • PHP 5.4 or newer (PHP 7.2 recommended)
  • MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
  • All of the official add-ons require XenForo 2.0.
  • Enhanced Search requires at least Elasticsearch 2.0.

Installation and Upgrade Instructions for XenForo 2.0

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual.

Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.

Installation, Upgrading and Configuration of Add-ons

XenForo 2 add-ons have a standard structure so installation and upgrade processes will generally be the same for all add-ons. General add-on installation and upgrade instructions can be found in the XenForo 2 Manual.

Within the manual, there are specific pages discussing how each add-on can be used and configured.