
News XenForo 1.4.13 Released (Security Fix)

Discussion in 'Announcements' started by XFILES, Aug 30, 2016.

Thread Status:
Not open for further replies.
  1. XFILES

    During internal testing, we discovered a security issue within XenForo. The issue is known as a server-side request forgery (SSRF). This could allow an attacker to use your server to bypass your server's firewall and make internal requests. Depending on the services found, this could lead to privilege escalation or remote code execution.

    This is a potentially serious issue and we strongly recommend all customers running XenForo 1.4 or older follow one of the below methods to fix this security issue.


    If you are running XenForo 1.3 or older, you must upgrade to the latest 1.4 or 1.5 release to fix this issue.

    If you have any questions relating to installing this patch or upgrading to the new version, please post in the Upgrade Support forum.

    Method 1: Upgrade to the New Version (Recommended)

    You may upgrade to XenForo 1.4.13 (or the latest version of 1.5) to fix this issue. You should upgrade as you would to any other release. If you take this approach, you should not apply the patch below.

    Customers with an active license may download this version from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.

    Method 2: Install the Patch (for 1.4 Users)

    Download the patch zip file attached to the end of this message. It contains 3 files:
    • library/XenForo/Helper/Http.php
    • library/XenForo/Helper/Url.php
    • library/XenForo/Model/ImageProxy.php
    These 3 files should be uploaded to your server, overwriting the existing files of the same names.

    Note that with this method there is little outward indication that the patch has been applied. The only indication is that any patched file will appear to not have the correct contents in the file health check. We recommend upgrading if possible.
     
    Attached file: xf_patch_1413.zip (7.7 KB)
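Method 2 leaves little outward indication that the patch was applied, so the following added example (not part of the original announcement and not XenForo code) compares the three listed files on disk with the copies inside the patch zip. It assumes the zip's member names match the paths listed in the post; `verify_patch` and `constructed_demo` are hypothetical names, and the demo zip and forum tree are constructed sample data.

```python
import os
import tempfile
import zipfile

# The three files the announcement lists as the patch contents.
PATCHED_FILES = (
    "library/XenForo/Helper/Http.php",
    "library/XenForo/Helper/Url.php",
    "library/XenForo/Model/ImageProxy.php",
)

def verify_patch(zip_path, forum_root):
    """Return {path: status}: 'patched', 'differs', 'missing' or 'not-in-zip'."""
    results = {}
    with zipfile.ZipFile(zip_path) as zf:
        members = set(zf.namelist())
        for rel in PATCHED_FILES:
            # Assumption: zip member names equal the paths listed in the post.
            if rel not in members:
                results[rel] = "not-in-zip"
                continue
            installed = os.path.join(forum_root, *rel.split("/"))
            if not os.path.isfile(installed):
                results[rel] = "missing"
                continue
            with open(installed, "rb") as fh:
                same = fh.read() == zf.read(rel)  # byte-for-byte comparison
            results[rel] = "patched" if same else "differs"
    return results

def constructed_demo():
    """Constructed zip and forum tree: one file patched, one stale, one absent."""
    tmp = tempfile.mkdtemp()
    zip_path = os.path.join(tmp, "patch.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        for rel in PATCHED_FILES:
            zf.writestr(rel, "<?php // patched " + rel)
    root = os.path.join(tmp, "forum")
    # Http.php matches the zip, Url.php is an old copy, ImageProxy.php is absent.
    for rel, body in ((PATCHED_FILES[0], "<?php // patched " + PATCHED_FILES[0]),
                      (PATCHED_FILES[1], "<?php // old copy")):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return verify_patch(zip_path, root)

if __name__ == "__main__":
    for rel, status in constructed_demo().items():
        print(status, rel)
```

Against a real install, call `verify_patch` with the downloaded zip and the forum's root directory; any status other than `patched` means that file still needs to be overwritten.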