DGT Girl

[XF Release] XenForo 2.2.17 Full NULL 2.2.17

Today, we are releasing XenForo 2.2.17 to address a potential security vulnerability. We recommend that all customers running XenForo 2.2 upgrade to 2.2.17 or use the patch instructions below as soon as possible.

Notes:

a. XenForo 2.3.1 and above are not affected by this issue. If you are still running XenForo 2.3.0, you should upgrade to the latest release or apply the patch below.
b. The few XenForo Cloud customers still running XenForo 2.2 have been patched automatically.


The issue relates to a potential redirection exploit using a specially crafted URL.

XenForo extends thanks to @mattrogowski, @Jake B. and the team at @ThemeHouse for making us aware of this issue.

We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually. See below for further details.

Applying the fix in this case requires modifying a single function within a specific file. To do so, find the file src/XF/App.php and locate the start of this specific function:

PHP:
You must log in to view
(1 lines)

Locate the end of the function which currently looks like this:

PHP:
You must log in to view
(2 lines)

Delete that entire block of code and replace with the following:

PHP:
You must log in to view
(52 lines)

Method 2: applying a patch/diff

You can apply the following patch to patch the file automatically:

DIFF:
You must log in to view
(141 lines)

Note: If you decide to patch the files instead of doing a full upgrade, your "File health check" will report this file as having "Unexpected contents". Because these files no longer contain the same contents your version of XF was shipped with, this is expected and can be safely ignored.
Author: DGT Girl (Verified member)