Simple Machines Community Forum

Simple Machines => News and Updates => Topic started by: Illori on October 21, 2013, 10:18:01 AM

Title: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Illori on October 21, 2013, 10:18:01 AM
Dear users,

Simple Machines Forum has released security patches to both the 1.1.x and the 2.0.x release lines. This brings our released versions to SMF 1.1.19 and SMF 2.0.6.

Several security issues were identified in both release lines and have been addressed with this patch.  It is, therefore, recommended that you update your forums immediately to ensure that your community is safe.  In addition to the security patches, a few bug fixes for the SMF 2.0 line have also been included in the 2.0.6 patch.

If you are running version 2.0.5, you can update your forum to version 2.0.6 using the package manager. As usual, you should see the upgrade notification in the Admin panel and in the package manager, which will allow you to download and install the patch seamlessly. If you don't see the notification about the update, please run the scheduled task "Fetch Simple Machines files". You can also download the patch for 2.0.6 from the customize site (http://custom.simplemachines.org/upgrades/) by downloading the smf_patch_1.1.19_2.0.6.tar.gz patch file, and then installing it from the package manager, like any other mod package.

If you are running 1.1.18, you can update to 1.1.19 by using the smf_patch_1.1.19_2.0.6.tar.gz patch file and installing it via the package manager as well.  If you are still using 1.1.x branch, please be aware this may be one of the last patches released for this version, so you are strongly urged to upgrade to 2.0.6, in order to be able to continue to receive security upgrades to your forum.

If you use older versions of SMF, you can upgrade by using the full upgrade archive for version 2.0.6 from the downloads page (http://download.simplemachines.org/). Be aware that using this upgrade method will require you to reinstall your mods with ones designed for the 2.0.x line.

You can also view the change log for the latest release, as usual, on the downloads page (http://download.simplemachines.org/).

If you are having problems downloading the patch from the admin panel, you can download the package from the upgrade patches page (http://custom.simplemachines.org/upgrades/) and install it like a mod, as instructed above.

Please refer to the Online Manual for more details about:
* upgrading  (http://wiki.simplemachines.org/smf/Upgrading)
* patching (http://wiki.simplemachines.org/smf/Patching)

Please do not use this topic for support requests.  You will receive a much quicker and better response by posting in the relevant support board!

Thank you for using SMF! :)


Regards,
Simple Machines Forum
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: LiroyvH on October 22, 2013, 06:15:41 PM
Good work Team :)
Thanks!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: vbgamer45 on October 22, 2013, 06:28:21 PM
Congrats on the release!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Antechinus on October 22, 2013, 06:36:56 PM
Bit premature on the announcement. The patches aren't actually on those pages yet. :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Burke ♞ Knight on October 22, 2013, 06:39:17 PM
Already being worked on.
I brought this up, and they are working on it, as we speak. :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: LiroyvH on October 22, 2013, 06:44:10 PM
Direct link added to announcement.
Our apologies for the inconvenience!
http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.19_2.0.6.tar.gz
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: GravuTrad on October 22, 2013, 06:44:41 PM
Quote from: Antechinus on October 22, 2013, 06:36:56 PM
Bit premature on the announcement. The patches aren't actually on those pages yet. :)

Yes, it seems so. 1.1.18 patched to 1.1.18 and 2.0.5 patched to 2.0.5; normally that doesn't match, lol... versioning forgotten again?
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 22, 2013, 07:15:38 PM
Doing a release is quite a complex process given the mirrors and everything else in the site architecture that needs updating. We're working on it as I write this :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Antes on October 22, 2013, 07:20:21 PM
Important thing is the patch and very well done to our developers... they did fantastic job yet again :)

Thanks!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Burke ♞ Knight on October 22, 2013, 07:22:27 PM
Indeed!
Way to go dev team, and the others that helped out. :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: GravuTrad on October 22, 2013, 07:32:28 PM
Quote from: Arantor on October 22, 2013, 07:15:38 PM
Doing a release is quite a complex process given the mirrors and everything else in the site architecture that needs updating. We're working on it as I write this :)

;)

Only a premature announcement, then.

Thanks for all the great work guys. ;)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 22, 2013, 07:34:24 PM
We thought it was best to get this topic out there - including where one can download the patch immediately - while we got everything else sorted out. Right now it should only be the upgrade site that's in need of work and we're on the case.


EDIT: And it appears to be sorted out now :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: GravuTrad on October 22, 2013, 08:10:19 PM
Cool! Thanks guys! ;)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: iMiKK on October 22, 2013, 09:23:41 PM
Thanks for the security updates. ;)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Daniel15 on October 22, 2013, 11:24:05 PM
Quote
Several security issues were identified in both release lines and have been addressed with this patch. It is, therefore, recommended that you update your forums immediately to ensure that your community is safe. In addition to the security patches, a few bug fixes for the SMF 2.0 line have also been included in the 2.0.6 patch.
Is there a more detailed changelog? It might be worth adding that to the announcement :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 22, 2013, 11:25:04 PM
We haven't changed how we do anything; we never give the full changelog here - because most people don't care - but the full changelog is on the download page as ever, including the full list of what was changed.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: 青山 素子 on October 22, 2013, 11:35:02 PM
You might need to fix the files SMF uses to detect the updated version. Even though it's properly indicating a need for update, it's pointing to the 2.0.5 patch, not 2.0.6. Might also want to double-check for 1.1 as well.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 22, 2013, 11:44:17 PM
Working just fine for me, on two different 2.0.5 installs I haven't yet patched, it's pointing to http://localhost/smf205/index.php?action=admin;area=packages;pgdownload;auto;package=http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.19_2.0.6.tar.gz;session=variables

Seems to me you might need to force it to refresh the SM files?
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Burke ♞ Knight on October 22, 2013, 11:49:03 PM
Yet, when I click to download, it does say 2.0.5...

This is via the link in package manager.

After the force refresh of files.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 22, 2013, 11:51:21 PM
"This patch file will provide security and bug fixes to your SMF 2.0.5 forum."

Well, yeah...
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Burke ♞ Knight on October 22, 2013, 11:57:53 PM
Look at this screen shot.
2.0.5 after clicking the link for update, it downloads and says 2.0.5...
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 23, 2013, 12:01:09 AM
Ooh... I'm using a different link to you guys. I'm using the one from the front page of the admin panel, you're looking at the one from the package manager itself (which uses a different notification entirely)

We're getting it sorted.

EDIT: Sorted now, should work just fine :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Burke ♞ Knight on October 23, 2013, 12:12:10 AM
I knew my test was messed up, just also knew it was not that messed up... LOL

Good going, Number One... ;)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 23, 2013, 12:24:47 AM
It's all good :) It was more of a communication issue - we were looking at different things, heh.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Kindred on October 23, 2013, 01:01:21 AM
6 sites updated - only one required some manual application.  Nice job!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: 青山 素子 on October 23, 2013, 02:23:07 AM
Two 2.0 sites updated cleanly. One 1.1 site updated from 1.1.16 simply using the patch files individually, and it all went cleanly. The lack of drama disappoints me, so now I'm going to go watch Gattaca so I can get some drama.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: GL700Wing on October 23, 2013, 02:39:19 AM
Updated four forums quickly, painlessly and without any need for a manual install (not bad given that one forum has more than 100 mods - some official, some custom - installed).

Thanks!!  :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: sangham.net on October 23, 2013, 02:57:00 AM
Very happy to see you working well and that the great, good dynamic is back. Much mudita (sympathetic joy, co-joy) and congratulations to the whole team!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: gevv on October 23, 2013, 04:25:49 AM
Thanks!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: NanoSector on October 23, 2013, 07:12:32 AM
Congrats and thanks to the people who worked on it :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: bud01100 on October 23, 2013, 11:43:14 AM
I have tried to install it via the package manager and by clicking the update link in the admin panel... it's not functioning:

2.05 to 2.06

Install Mod
This package is already installed, and no upgrade was found!

You should uninstall the old version first to avoid problems, or ask the author to create an upgrade from your old version.

Please remember to always make regular backups of your sources and database before installing mods, especially beta versions.
Installations actions for "SMF 2.0.5 Update"
The package you are trying to download or install is either corrupt or not compatible with this version of SMF.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Burke ♞ Knight on October 23, 2013, 11:47:34 AM
Please refer to this instruction:

If you don't see the notification about the update, please run the scheduled task "Fetch Simple Machines files".

Or:

You can also download the patch for 2.0.6 from the customize site (http://custom.simplemachines.org/upgrades/) by downloading the smf_patch_1.1.19_2.0.6.tar.gz patch file, and then installing it from the package manager, like any other mod package.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Kindred on October 23, 2013, 11:47:49 AM
1- please do not use this topic for support.
2- re-run the scheduled task to get the most recent info from Simple Machines - or download the package from one of the links in the first message.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Oldiesmann on October 23, 2013, 01:32:55 PM
That was a problem that was fixed late last night. I copied the message for the update from 2.0.4 but forgot to update the URL to point to the 1.1.19/2.0.6 patch. If you rerun the "Fetch Simple Machines Files" task, the message will have the correct link. Alternatively, you can just download the patch and upload it through the package manager.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: a10 on October 23, 2013, 02:58:33 PM
.18 to .19, whole process took 5 seconds (using admin center). Great, thanks.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: KVL on October 23, 2013, 06:35:32 PM
Hi,

Update was successful (1.1.18->1.1.19 & 2.0.5->2.0.6). Thanks to the team for the good work! :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: gisfreak on October 23, 2013, 10:31:52 PM
Congratulations
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Eclipse16V on October 24, 2013, 06:39:47 AM
Thanks for the update.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: TigerAnt on October 24, 2013, 07:37:12 AM
Guys, we need help! I updated our forum from version 1.1.11 to 1.1.15 with no problem. But when I tried to go to 1.1.16 it said my file was corrupted. I was trying to get our forum to version 1.1.18.

Thanks!    Ant Admin  -snip-
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Irisado on October 24, 2013, 07:49:32 AM
Please ask for help in the 1.1.x Support Board, as your issue is not relevant to this particular security patch.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Portugal on October 24, 2013, 10:15:43 AM
Thanks all for always improving the security of our forums.

Regards
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Apllicmz on October 24, 2013, 10:48:11 AM
thank you
done
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: ali[n] on October 24, 2013, 01:00:21 PM
Thanks :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: brunob on October 24, 2013, 04:03:09 PM
Thanks all for the upgrade to 2.0.6  :D

Greetings, Bruno :laugh:
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Kenny01 on October 25, 2013, 04:09:13 AM
Great
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: impreza on October 25, 2013, 10:02:13 AM
Nice, nice, thanks for all.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Antros22 on October 25, 2013, 10:33:12 AM
Nice work SMF team :) my forum is updated :) ;D
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Mr. Jinx on October 25, 2013, 12:24:22 PM
Thanks for this update. Working nice.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: rentner on October 25, 2013, 05:24:15 PM
Thanks for your work.

Update without problems as always.
Good job as usual. 8)

Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Colin on October 25, 2013, 05:38:45 PM
Fantastic!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: iaccountant on October 26, 2013, 01:23:12 AM
Well I for one am sad to hear that 1.1.19 is just about the end of the line for 1.

I came in on 1.1.13 and now have one 2.05 installation and a few remaining 1s

Great product team. Thank you for maintaining and growing it so well.

Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: johnpaul2k2 on October 26, 2013, 01:34:26 AM
upgrade within seconds  :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: stog on October 26, 2013, 07:53:24 AM
Very good -- I upgraded 5 forums in under 5 minutes (1.1.18 to 19), superb.

Meanwhile I have a vbully which I am so, so scared to upgrade (it has no 1-click package within/testing), and it gives me the heebie-jeebies every time and takes 5 hours to prepare -- reading responses first, serious b'ups, rewrites etc.

Now I am a little worried about upgrading to 2.6 from 1.1.19 as we have so many mods, pretty URLs and TP -- but will get a test site running soon.

How is import from vbully 4 to 2.6, btw?

Thanks again, great work.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 26, 2013, 10:52:20 AM
1.1.19 is seven years old, and will break with PHP 5.5 in nasty ways that we can't fix without a substantial change, most of which already happened in 2.0.

That's why we're telling you now, while it is still supported, that it is time to plan for an upgrade, rather than in a few months time going "Oh and by the way, those of you on 1.1 are screwed"

Many 1.1 mods have 2.0 equivalents, or even 2.0 support, e.g. Pretty URLs does. If there is a mod that you cannot find a 2.0 replacement for, let me know and I'll see what I can do to help.

I haven't touched the converters, no idea what state the vB4 converter is in, sorry.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Srinib on October 26, 2013, 03:22:20 PM
That was so cool. Upgraded from 2.0.5 to 2.0.6 in just few seconds.
Thanks to everyone who had worked hard on this patch.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: fear_the_squirrels on October 27, 2013, 08:53:24 AM
What version is subs-members.php in this version?  After upgrade the file detailed version check shows subs-members.php being version 2.0.6, but the package manager version and the full tgz download both show it as version 2.0.1.  Diffing my running version and the version from the tgz show identical files also.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 27, 2013, 10:18:49 AM
It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: wwwserfer on October 27, 2013, 12:46:26 PM
update 1.1.18 ---> 1.1.19

$sourcedir/Profile.php
The update replaces this:

    // Now try to find an infection.
    while (!feof($fp))
    {
        // 1.1.18: each fgets() piece (at most 4095 bytes, or up to a newline) is tested on its
        // own, case-sensitively, and only PHP-style "<?php", "<? ", "<?=", "<% ", "<%=" tags count.
        if (preg_match('~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~', fgets($fp, 4096)) === 1)
        {
            if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
                @unlink($uploadDir . '/avatar_tmp_' . $memID);

            fatal_lang_error('smf124');
        }
    }
    fclose($fp);


with this:

    // Now try to find an infection.
    $prev_chunk = '';
    while (!feof($fp))
    {
        $cur_chunk = fread($fp, 8192);

        // Paranoid check. Some like it that way.
        // 1.1.19: the previous chunk is joined to the current one so a pattern that straddles an
        // 8192-byte boundary is still seen; the match is case-insensitive, any "<?" or "<%" tag
        // counts, and "FWS"/"CWS" plus a version byte (the Flash SWF signature) is rejected too.
        if (preg_match('~(iframe|\\<\\?|\\<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)
        {
            fclose($fp);
            if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
                @unlink($uploadDir . '/avatar_tmp_' . $memID);

            fatal_lang_error('smf124');
        }

        $prev_chunk = $cur_chunk;
    }
    fclose($fp);


After this replacement users can't upload their avatars to the server (trying to upload an animated GIF); they get this message:

Quote
Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.

Please consult your server administrator for more information.

Do not ask me about the settings please! ALL ATTACHMENTS/AVATARS SETTINGS ARE CORRECT!... as are the uploaded file requirements...

In my case avatars are uploaded to the attachments folder.
If I revert the update changes in $sourcedir/Profile.php, everything works fine.
I spent a lot of time trying to understand the problem, but could not solve it... is it just me?
Maybe PHP? I'm using PHP 5.2.10 on my server...

Added:

Inside the test GIF there are these lines:
<?xpacket begin="п»ї" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7" xmpMM:DocumentID="xmp.did:9E22335E300211E2A019AE32BE61A756" xmpMM:InstanceID="xmp.iid:9E22335D300211E2A019AE32BE61A756" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7305EF2E0130E2118032A8A02874D8C7" stRef:documentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

Can this be a problem?

P.S. Sorry for my language. :-[
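To see why the 1.1.19 loop rejects a Photoshop-exported GIF that the 1.1.18 loop accepted, here is an added Python re-implementation of the two avatar-scan loops quoted above (it is not SMF's code, which is PHP), run over constructed GIF-like byte strings: one carrying an XMP packet modelled on the one in the post, and one with a marker that straddles the 8192-byte chunk boundary.

```python
import re

# Both patterns are transcribed from the Profile.php excerpts quoted in the post
# (PHP '\\<\\?' is the regex '\<\?', i.e. a literal "<?").
# SMF 1.1.18: case-sensitive; only PHP-style tags ("<?php", "<? ", "<?=", "<% ", "<%=").
OLD_PATTERN = re.compile(rb'(iframe|<\?php|<\?[\s=]|<%[\s=]|html|eval|body|script\W)')
# SMF 1.1.19: case-insensitive; any "<?" or "<%" tag, plus "FWS"/"CWS" + a version byte,
# which is the file signature of a Flash (SWF) movie.
NEW_PATTERN = re.compile(
    rb'(iframe|<\?|<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])', re.IGNORECASE)


def iter_fgets(data: bytes, length: int = 4096):
    """Yield pieces the way PHP's fgets($fp, length) returns them: at most
    length-1 bytes, stopping early after a newline."""
    pos = 0
    while pos < len(data):
        nl = data.find(b'\n', pos, pos + length - 1)
        end = pos + length - 1 if nl == -1 else nl + 1
        yield data[pos:end]
        pos = end


def scan_lines(data: bytes, pattern: re.Pattern = OLD_PATTERN) -> bool:
    """The 1.1.18 loop: every fgets() piece is tested on its own."""
    return any(pattern.search(piece) for piece in iter_fgets(data))


def scan_chunked(data: bytes, pattern: re.Pattern = NEW_PATTERN,
                 chunk_size: int = 8192, keep_previous: bool = True) -> bool:
    """The 1.1.19 loop: fread() chunks, tested as previous + current chunk so a
    pattern straddling a chunk boundary is still seen. keep_previous=False shows
    what a naive per-chunk scan would miss."""
    prev = b''
    for pos in range(0, len(data), chunk_size):
        cur = data[pos:pos + chunk_size]
        if pattern.search(prev + cur):
            return True
        prev = cur if keep_previous else b''
    return False


# Constructed sample data (not real files from the post). The XMP packet is
# modelled on the Photoshop metadata quoted above; "<?xpacket" is what the
# 1.1.19 pattern's bare "<?" alternative matches and the 1.1.18 pattern did not.
XMP_PACKET = (
    b'<?xpacket begin="\xef\xbb\xbf" id="W5M0MpCehiHzreSzNTczkc9d"?>'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3"></x:xmpmeta>'
    b'<?xpacket end="r"?>')

GIF_HEADER = b'GIF89a' + b'\x10\x00\x10\x00\x00\x00\x00'  # 16x16, no global colour table
GIF_IMAGE = b'\x2c' + b'\x00' * 64                       # image descriptor + dummy data
GIF_TRAILER = b'\x3b'

# GIFs exported from Photoshop carry XMP in an application extension block whose
# identifier is "XMP DataXMP"; the packet itself is embedded as plain text.
GIF_WITH_XMP = GIF_HEADER + b'\x21\xff\x0bXMP DataXMP' + XMP_PACKET + GIF_IMAGE + GIF_TRAILER
CLEAN_GIF = GIF_HEADER + GIF_IMAGE + GIF_TRAILER

# A marker split across the 8192-byte boundary: chunk 1 ends with "<if", chunk 2
# starts with "rame ...". Only the overlapping scan sees "iframe".
STRADDLING = b'\x00' * 8189 + b'<iframe src=x>'


def classify(data: bytes) -> dict:
    """Summarise what each version of the check would do with the given bytes."""
    return {
        'rejected_by_1_1_18': scan_lines(data),
        'rejected_by_1_1_19': scan_chunked(data),
    }


if __name__ == '__main__':
    for name, sample in (('clean gif', CLEAN_GIF), ('gif with XMP', GIF_WITH_XMP),
                         ('straddling marker', STRADDLING)):
        print(name, classify(sample))
    print('straddling marker without overlap:',
          scan_chunked(STRADDLING, keep_previous=False))
```

The practical consequence for a forum admin is the one Arantor gives below: stripping the XMP metadata from the GIF before upload is what makes the file pass the stricter check.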
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 27, 2013, 12:52:31 PM
Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.

Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: fear_the_squirrels on October 27, 2013, 01:54:50 PM
Quote from: Arantor on October 27, 2013, 10:18:49 AM
It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php

So the main install and the upgrade packages should have 2.0.1?  I did look and it seems that the full install package does have the changes in place, just the file version is 2.0.1.  Going by that it looks as though I should be ok to just replace the top version tag with the correct version (2.0.6) to get rid of the version mismatch in the DB.

-Chris
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 27, 2013, 01:57:43 PM
No, the main install and upgrade packages should have 2.0.6 because the file changed in 2.0.6. We did modify the master packages but the mirrors will need resyncing to include that one too.

The version list pushed by this site may actually be wrong because I think it pulls from the list of files in the internal repo, need to check on that.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: fear_the_squirrels on October 27, 2013, 01:59:54 PM
Quote from: Arantor on October 27, 2013, 01:57:43 PM
No, the main install and upgrade packages should have 2.0.6 because the file changed in 2.0.6. We did modify the master packages but the mirrors will need resyncing to include that one too.

The version list pushed by this site may actually be wrong because I think it pulls from the list of files in the internal repo, need to check on that.

It looks like all the changes in the change log were applied aside from the @version 2.0.6 one. I'll just apply that by hand. Thanks for your help!

-Chris
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 27, 2013, 02:01:32 PM
Yeah, that's the only one that was missed, and we have been dealing with it. ;)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: wwwserfer on October 27, 2013, 02:03:45 PM
Quote from: Arantor on October 27, 2013, 12:52:31 PM
Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.

Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.

Thanks for the answer! all cleared up now =)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: margarett on October 27, 2013, 02:30:55 PM
Check http://www.simplemachines.org/community/index.php?topic=513247.0
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Kindred on October 27, 2013, 07:28:53 PM
and please note that this thread is NOT for support...
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Mstcool on October 27, 2013, 08:55:28 PM
Woot Woot!!

Congratz!! :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: 108dog.com on October 28, 2013, 04:32:46 AM
Congratz

Thank you for SMF teams.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: HauntIT on October 28, 2013, 09:00:51 AM
Nice, but it's still vulnerable :*

(Read the mail sent a few minutes ago to security@simplemachines.org; there are more details there).

Cheers
o/
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 28, 2013, 09:08:21 AM
I saw your email.

I'm actually a bit annoyed because saying "hey I found a vulnerability" doesn't help anyone actually fix it. Please provide full details (either to security@simplemachines.org or to the security report page) rather than saying you found a vulnerability and waiting for an email to see if we're interested or not - because we're *always* interested to hear about issues so we can patch them!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: HauntIT on October 28, 2013, 09:13:31 AM
Cool ;)

Give me a few minutes and I will send you a raw copy/paste of the traffic from Burp.
All done 10 minutes ago, so if you want some help/information about patch, I must see the code.

Cheers
o/
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 28, 2013, 09:23:36 AM
Email received and investigating, thank you :)

Re being annoyed... we take security very seriously and someone emailing saying 'hey, I've got a vuln, are you interested' just provokes more emails and more discussion than necessary ;)


One thing I will add up front: board names/descriptions and censored words accepting unsanitised raw HTML is not going to be patched in 2.0 because some admins are relying on this bad behaviour for formatting. It gets reported pretty much every time and pretty much every time we declare we can't fix it in 2.0 for the same reason.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: HauntIT on October 28, 2013, 09:31:06 AM
Ok... so 'for admin' we have 'only 5 new' ;)

Ok Arantor. Like I said, if I will find anything new, I will send you more detailed email asap.

Have a nice day!

o/
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 28, 2013, 09:39:36 AM
First up, thanks :) Any report is better than no report, even if it turns out to be a damp squib.

Secondly, yup, these all require admin permissions to exploit, which automatically makes them slightly less of an issue - but no less necessary to fix. It just means we don't need to rush it out 'right now' in a practical sense (if not an idealistic one)

Admin and XSS is an interesting problem to solve, because all of the exploits are, yes, problems. But in comparison to other things you can do as an admin, it's almost a non-issue. Admins can edit the raw PHP templates themselves, directly from the admin panel - which is a far greater security issue in practice. But no-one seems to actually consider the intentional editing of raw PHP - and thus *total XSS vector* - of such. We have, as far as I know, never received a report that this could be exploited... but of course it can, with no more difficulty than almost every normal XSS vector.

The real concerns are the ones in the database, of course, because they don't have to run the gamut of file permissions.

There are plenty of other practical issues that can't be solved any time soon like the vulnerability of uploading a new theme (which is raw PHP)... and new modifications (which are raw PHP) but curiously no-one ever seems to consider these *vulnerabilities*.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Dijboy on October 28, 2013, 09:43:06 AM
Congrats and thanks on the update :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: kerso on October 28, 2013, 11:54:14 PM
Hi guys,

Is there any problem with Subs-Members.php in the 2.06 patch? It still says 2.0.1 as the version, but an update looks like it's required on the version control panel. I'll be glad to get a comment about this issue; am I wrong?

Thanks,
kerso.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on October 29, 2013, 12:09:47 AM
There's nothing wrong with the 2.0.6 patch, the patch does it just fine.

The problem is with the main install file/large upgrade package where they didn't get the updated version number.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Campanule on October 29, 2013, 04:05:52 AM
You have done great again - thank you very, very much  :D
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Master Mjd on October 29, 2013, 08:22:00 PM
Thank you!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Kolya on November 01, 2013, 05:54:32 PM
Thank you!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Robert. on November 03, 2013, 02:35:24 PM
Congratulations! :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: ApplianceJunk on November 03, 2013, 02:38:14 PM
Thanks, you guys are the best!
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Fat_Man on November 04, 2013, 04:28:54 AM
Thank you...
It makes it so much better when it's click, update... everything is upgraded easily.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Alchemist on November 11, 2013, 03:06:47 PM
I just got around to the  2.0.5 to 2.0.6 update, and it fails on Subs-Members.php.  So I downloaded the 2.0.6 zip file, unpacked it and installed the Subs-Member.php file into my live Sources directory.
Next I ran the forum maintenance function "Check all files against current versions" and it tells me that my Subs-Members.php file is still incorrect.

Where is the correct version of Subs-Members.php?

Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on November 11, 2013, 03:08:57 PM
The correct version of Subs-Members.php is 2.0.6, but the version from the 2.0.6 packages for some reason still says 2.0.1 even though the file is otherwise correct.

The problem is now you have damaged mods; any mod that modified Subs-Members.php (which is what caused the update to fail) has now had its code removed and will now fail to uninstall and likely fail to work properly anyway.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Kindred on November 11, 2013, 03:10:18 PM
Also please note the line from the initial post (which is the same for EVERY announcement of an update release)

Quote from: Illori on October 21, 2013, 10:18:01 AM
Please do not use this topic for support requests.

Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: SwedishMarch1964 on November 12, 2013, 10:27:00 AM
How did SMF 2.0.6 come out so soon after version 2.0.5?
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on November 12, 2013, 10:55:56 AM
You mean *two months after*?

It came out because we were advised of issues that needed fixing, simple as that. We get told of issues, we fix them.
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: NoobDeveloper on November 16, 2013, 10:27:39 AM
Great work guys....You rock. Sorry for posting this late :)
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Dennis2 on December 07, 2013, 03:40:14 PM
Sorry if this is the wrong place to post, I did try to search as well.

Recently the Administrators upgraded our Forum from SMF 1.1.18 to SMF 2.0.6 and since then we have two pairs of identical members apart from their ID number.

Is this a SMF 2 problem or is it due to our Database, as a Moderator I do not have access to certain areas so did not feel I could post in the Support boards.

Thank you

Dennis
Title: Re: SMF 1.1.19 and 2.0.6 critical security patches released
Post by: Arantor on December 07, 2013, 03:45:29 PM
Well, it will be unrelated to this update (this is about 1.1.18 -> 1.1.19, and 2.0.5 -> 2.0.6), you should ask your site's administrator to sign up and post in either the 2.0 support area or the Installing and Upgrading area...

This topic is not really for support, though...