XenForo 2.1.15 Patch 1, 2.2.16 Patch 2 and XenForo Media Gallery 2.1.9, 2.2.6 Released (Includes Security Fixes)

Security Fix​

Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16.

If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.

If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.

The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.

XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.

Applying a patch manually​

To patch this issue manually you will need to edit one file manually and upload some changed files.

Step 1: Edit src/XF.php​

Find the following line in this file:

        $parts = explode(':', $string, 3);

Replace that line with the following:

        if (!$string) return '';

        if (strpos($string, ':') === false)
        {
            $pattern = '#^\\\?'
                . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
                . '$#';
            if (!preg_match($pattern, $string, $matches))
            {
                throw new \InvalidArgumentException(sprintf(
                    'Class %s does not match formatter pattern %s',
                    $string,
                    $formatter
                ));
            }

            // already a class
            return $string;
        }

        $parts = explode(':', $string, 3);

Note: This file is not included in the patch download attached to this post as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue. This only applies if you are unable to do a normal upgrade.

Step 2: Upload XF files​

• Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
• Extract the .zip file
• Upload the contents of the upload directory to the root of your XenForo installation

Step 3: Upload XFMG files (for XenForo Media Gallery customers only)​

• Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
• Extract the .zip file
• Upload the contents of the upload directory to the root of your XenForo installation

Note: If you decide to patch the files instead of doing full upgrades, your "File health check" will report these files as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.

As always, new releases of XenForo are free to download for all customers with active licenses, who may now grab the new version from the customer area or upgrade from your Admin control panel (Tools > Check for upgrades...).

XenForo 2.2.16 Released​

XenForo 2.2.16 is now available for all licensed customers to download. We strongly recommend that all customers running previous versions of XenForo 2.2 upgrade to this release to benefit from increased stability.

One-click upgrade to XenForo 2.2.16​

Directly from your admin control panel

If you are a XenForo Cloud customer, your upgrade will be scheduled automatically.

Some of the changes in XF 2.2.16 include:

• Fix some issues with xf-dev:class-use-function to better support classes with class attributes and comments, or existing use function declarations.
• Fix persistent action indicator when using back/forward navigation
• Add _deleteFromSource method to support performing tasks right before entity deletion
• Skip logging IPs when updating avatars during registration
• Fix docblock return hint for \XF\Util\Ip::checkIpsAgainstBinaryRangeList
• Add missing security locked phrase
• Expose additional parameters to the reported_thread_title phrase
• Ensure sticky threads are passed to the fetchExtraContentForThreadsFullView method
• Adjust the phrasing of mail encryption options
• Update purchase requests on user merge
• Set aria-label for tooltips with no children
• Skip processing email bounces and unsubscribes when email has been disabled in config.php
• Gracefully handle errors when editing bookmarks
• Clean up temp files after job completion
• Add proper ordering to the shared IPs tab
• Add an index hint to the newest members widget
• Avoid generating invalid SQL with XF\Db\Schema\Column::values()
• Prevent disabled accounts from using the admin control panel
• Include a plain confirmation URL in the email sent to users awaiting email confirmation

As always, new releases of XenForo are free to download for all customers with active licenses. You may now upgrade from your admin control panel or grab the new version from the customer area.

Current requirements​

Please note that XenForo 2.2 has higher system requirements than earlier versions.

The following are minimum requirements:

• PHP 7.2 or newer (PHP 8.2 recommended)
• MySQL 5.5 and newer (Also compatible with MariaDB/Percona etc.)
• All of the official add-ons require XenForo 2.2.
• Enhanced Search requires at least Elasticsearch 2.0.

Installation and upgrade instructions​

Full details of how to install and upgrade XenForo can be found in the XenForo 2 Manual. We strongly recommend upgrading directly from within your control panel.

 

[Chris D]

XenForo 2.1.15 Patch 1 & 2.2.16 Patch 1 Released​

About 30 seconds after we released 2.1.15 and 2.2.16 we were notified of a very old bug that was surfaced by the new changes.

The issue relates to editing node-like permissions.

As such, we have released Patch 1 for both versions to address this.

The patches above have been modified and include two additional files:

• src/XF/Admin/Controller/Node.php
• src/XF/Admin/Controller/Permission.php

You should re-apply the patch if you are unable to upgrade.

 

[Chris D]

XenForo 2.2.16 Patch 2 Released​

Firstly, to clarify some concerns that have arisen:

1. If you did a normal upgrade (either uploading files or via your admin control panel) you do not need to manually edit any files to receive the security fixes.
2. If you upgraded to the initial 2.2.16 release, you are fully protected against the security issues that were being addressed.

Secondly, a second patch is being released to address some minor bug fixes that may not have been correctly applied when upgrading to XenForo 2.2.16. This is only applicable if you performed a normal upgrade to 2.2.16, and this patch is not security related or affected by the security fixes.

You can download that now from your customer area or perform a one-click upgrade through your admin control panel. You can go to Tools > Check for upgrades in order to see the second patch release.

If you are running XenForo Cloud, the fixes have been applied automatically.