
XenForo Security Releases: 1.2.7, 1.3.6 and 1.4.1 (Includes Patch)

Discussion in 'Announcements' started by XenForo, Sep 16, 2014.

  1. XenForo

    XenForo Company Info Staff Member

    A cross-site request forgery (CSRF) issue has been identified in the SWFUpload library that XenForo uses. This issue may allow an attacker to make requests and carry out actions as you or one of your members.

    This issue affects all versions of XenForo available prior to this announcement. We recommend all customers take steps to apply a fix as soon as possible. If you have any questions about applying a fix, please post in the appropriate forum or submit a ticket.

    Applying a Fix: Upgrading
    XenForo versions 1.2.7, 1.3.6 and 1.4.1 include a fix for this issue. To apply the fix, you may upgrade in the standard way to the appropriate version:
    • Customers running 1.2 or earlier should upgrade to 1.2.7, 1.3.6 or 1.4.1.
    • Customers running 1.3 should upgrade to 1.3.6 or 1.4.1.
    • Customers running 1.4 should upgrade to 1.4.1.
    Customers with an active license may download these versions from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.

    Applying a Fix: Patching
    Alternatively, this issue can be fixed by applying the patch in the attached file. You should simply overwrite the existing js/swfupload/Flash/swfupload.swf file with the version attached to this message. The file can be found at the same path within the attachment.
     

