Security Fix
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16. If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.
If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
XenForo extends thanks to independent security researcher Egidio Romano (EgiX), working with SSD Secure Disclosure.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.
Applying a patch manually
To patch this issue manually you will need to edit one file and upload some changed files.
Step 1: Edit
Find the following line in this file:
PHP:
    $parts = explode(':', $string, 3);
Replace that line with the following:
PHP:
    if (!$string) return '';

    if (strpos($string, ':') === false)
    {
        $pattern = '#^\\\?'
            . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
            . '$#';
        if (!preg_match($pattern, $string, $matches))
        {
            throw new \InvalidArgumentException(sprintf(
                'Class %s does not match formatter pattern %s',
                $string,
                $formatter
            ));
        }

        // already a class
        return $string;
    }

    $parts = explode(':', $string, 3);
Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.
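To make the effect of the patch concrete, the following is an added example and not XenForo's own code: a minimal stand-alone model of resolving a "Prefix:Name" string to a fully-qualified class name through a sprintf-style formatter, with the same whitelist check as the patch for strings that contain no colon. The function name, the formatter string and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not XenForo's code: a minimal model of turning a
// "Prefix:Name" string into a fully-qualified class name through a
// sprintf-style formatter, with the check from the advisory's patch for
// strings that contain no colon. The function name, formatter and inputs
// below are constructed for this example.

declare(strict_types=1);

function resolveClass(string $string, string $formatter): string
{
    if ($string === '') {
        return '';
    }

    if (strpos($string, ':') === false) {
        // No "Prefix:Name" form, so the caller claims this is already a
        // class name. Before the patch such a string was passed through
        // unchanged; now it must have the shape the formatter itself would
        // produce (letters, digits, underscore and backslash in the %s slots).
        $pattern = '#^\\\?'
            . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
            . '$#';

        if (!preg_match($pattern, $string)) {
            throw new \InvalidArgumentException(sprintf(
                'Class %s does not match formatter pattern %s',
                $string,
                $formatter
            ));
        }

        return $string; // already a class
    }

    // "Prefix:Name" form: fill the formatter's two %s slots. Each part is
    // restricted to identifier characters so it cannot alter the pattern.
    [$prefix, $name] = explode(':', $string, 2);
    foreach ([$prefix, $name] as $part) {
        if (!preg_match('#^[A-Za-z0-9_]+$#', $part)) {
            throw new \InvalidArgumentException("Invalid class part: $part");
        }
    }

    return sprintf($formatter, $prefix, $name);
}

// Constructed inputs run against a constructed formatter.
$formatter = '%s\Entity\%s';

foreach (['Demo:User', 'Demo\Entity\User', 'Other\Thing', 'Demo\Entity\User extra'] as $input) {
    try {
        printf("%-25s -> %s\n", $input, resolveClass($input, $formatter));
    } catch (\InvalidArgumentException $e) {
        printf("%-25s -> rejected (%s)\n", $input, $e->getMessage());
    }
}
```

Run with `php resolve_class.php` (any file name). `Demo:User` resolves to `Demo\Entity\User`, and the already-qualified `Demo\Entity\User` is accepted because it matches the formatter's shape; `Other\Thing` and `Demo\Entity\User extra` are rejected, which is the point of the patch: a colon-free string is no longer trusted as a class name unless it could have been produced by the formatter.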
Step 2: Upload XF files
- Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
Step 3: Upload XFMG files (for XenForo Media Gallery customers only)
- Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation