This specially crafted URL, when clicked on or embedded in a page, can include another URL which returns a 401 response and causes the browser to display an authentication prompt. This authentication prompt may trick less experienced users into thinking that it is your site which is asking for authentication, when in fact the authentication details entered may be submitted to the attacker instead.
This issue only potentially affects XenForo 2.0 users if you previously upgraded from XenForo 1.5.
The reason for this is that the affected file will be left on your file system after upgrading unless you have taken steps to manually or automatically clean up the old files. To solve this problem in both XF 1.5 and XF 2.0 we are including a zero-byte file which will overwrite the problematic file.
We recommend that all customers upgrade to the latest version of XF 1.5 or XF 2.0, but if you are unable to do this then you can simply delete the file which resides in the following location: js/videojs/video-js.swf.
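The following is an added example, not XenForo's own code or part of the 2.0.3 patch: a small POSIX shell check that an administrator can run against a XenForo web root to confirm whether the leftover `js/videojs/video-js.swf` is still present with content, and to neutralise it in the same way the vendor's fix does, by replacing it with a zero-byte file. The function names and the `XF_ROOT` argument are this example's own; the relative path is the one given in the announcement.

```shell
# Added example (not XenForo's code): audit and remediate the leftover
# js/videojs/video-js.swf described in the 2.0.3 announcement.
# Assumption: the argument is the XenForo web root, i.e. the directory that
# contains js/ (for example /var/www/forum). Function names are ours.

XF_SWF_RELPATH="js/videojs/video-js.swf"

# check_videojs_swf <xf_root>
# Prints one status line and returns:
#   0 = file absent, or present but already zero bytes (nothing to do)
#   1 = file present with content (still exploitable, needs attention)
check_videojs_swf() {
    root="$1"
    f="$root/$XF_SWF_RELPATH"
    if [ ! -e "$f" ]; then
        echo "ok: $f not present"
        return 0
    fi
    if [ ! -s "$f" ]; then
        echo "ok: $f present but zero bytes"
        return 0
    fi
    echo "WARNING: $f present with $(wc -c < "$f") bytes"
    return 1
}

# fix_videojs_swf <xf_root>
# Truncates the file to zero bytes, mirroring the zero-byte overwrite the
# vendor ships. Deleting the file outright (rm -f) is equally valid per the
# announcement; truncating keeps the path in place so a later upgrade that
# overwrites it does not fail on a missing directory entry.
# Returns 0 once the file is absent or empty.
fix_videojs_swf() {
    root="$1"
    f="$root/$XF_SWF_RELPATH"
    [ -e "$f" ] || return 0
    : > "$f"
    check_videojs_swf "$root"
}

# Typical use on a server (root path is an assumed example):
#   check_videojs_swf /var/www/forum || fix_videojs_swf /var/www/forum
```

Run the check before and after applying the 2.0.3 (or 1.5.x) upgrade: a clean result after the upgrade confirms the bundled zero-byte file actually overwrote the old one on your filesystem.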
As a side note, there is potentially another exploit in some current browser versions which is similar. This involves a URL which points to a resource, such as an image, which returns a 401 response. This is an exploit which is being patched by most browser vendors. It is currently fixed in the latest stable Chrome release, and upcoming versions of Safari and Firefox. If you are concerned by such an exploit, please ensure you inform your users that a) they should be using the latest available version of their preferred browser and b) that login details should only be provided via your site's default login form.
We are making good progress toward XenForo 2.1 and although we don't have anything to show you just yet, we do have plans to increase the minimum requirements in XenForo 2.1 so we can bring you some pretty cool changes. You may remember that in XenForo 2.0.2 we started collecting some server stats, and this has actually been immensely useful, so thank you to everyone who agreed to submit that information. We wanted to share some statistics based on PHP version usage:
- PHP 5.4: 6%
- PHP 5.5: 4%
- PHP 5.6: 34%
- PHP 7.0: 23%
- PHP 7.1: 23%
- PHP 7.2: 10%
If you are running a version below PHP 5.6, you will receive a warning when installing or upgrading XenForo.
We have some pretty big plans for XenForo 2.1 and we are working hard towards it so expect some exciting updates on that in the coming months.
Some of the other changes in 2.0.3 include:
- Ensure that development output is always removed as appropriate when an entity is deleted.
- In the vBulletin importer, handle blog tables not existing.
- Do not attempt to notify users of conversation messages if they do not have an email address.
- Add missing phrase when a log entry cannot be found.
- When reverting a phrase in the translation system, and it has no parent, hide it to avoid template errors.
- Improve error output for development JS.
- Ensure a user "location" link always opens in a new window.
- Catch a "duplicate key" race condition when watching a thread.
- Display question in poll widget by default if no other title is entered.
- Re-count number of unread conversations when opening the conversations pop up.
- Deprecate the use of jQuery.proxy in favour of XF.proxy.
- Update LightGallery to latest version.
- Ensure the add-on cache is updated on XF upgrade to ensure it reflects the correct XF version.
- Ensure a consistent position for the "Edit avatar" link overlay.
- When filtering the user list, pass the specified order and direction in.
- Adjust sub node list to inline-block to resolve some spacing issues on some browsers.
- Improve validation of incoming PayPal IPN calls.
- Adjust moderator logging when copying/moving posts.
- Process additional attributes on xf:datarow tags.
- Ensure permissions and privacy are respected on the server side when posting profile posts.
- Only attempt to render alerts if the alert handler is available.
- Re-implement the ability to "Show older items" when viewing a date limited thread list.
- Update the styles last modified date on language changes to ensure certain values which affect CSS take effect.
- In some cases, a Solve Media CAPTCHA challenge would erroneously pass if the HTML was tampered with (such as via a spam bot).
- Re-implement quick "Ban / Discourage IP" links on the list of a user's IP addresses in the Admin CP.
- Add a message to the notice list in the Admin CP if we detect some notices may contain invalid criteria, such as templates which do not exist, or PHP classes/methods that cannot be found.
- Ensure advanced colour functions in property values are supported when styling Stripe's secure forms and a site's "theme color".
- Add new bb_code_processor_action_map and bb_code_renderer_map code events.
- Ensure conversation message links redirect to the correct page in a conversation.
- Ensure a user is redirected to the forum list properly if they click login/register and they are already logged in.
- Re-implement escapeClose option on overlay handlers.
- When CodeMirror is initialised, ensure it is loaded with any specified mode automatically.
- If a payment profile does not have a display title, display the payment profile title instead of the payment provider title.
- In the vBulletin importer, convert [THREAD] and [POST] BB codes to BB codes.
- In the vBulletin impo...
...install and upgrade XenForo can be found in the XenForo 2 Manual.
Note that when upgrading from XenForo 1.x, all add-ons will be disabled and style customizations will not be maintained. New versions of add-ons will need to be installed and customizations will need to be redone. We strongly recommend that you make a backup before attempting an upgrade. Once upgraded, you will not be able to downgrade without restoring from a backup.