Dear users,
Simple Machines Forum has released security patches to both the 1.1.x and the 2.0.x release lines. This brings our released versions to SMF 1.1.19 and SMF 2.0.6.
Several security issues were identified in both release lines and have been addressed with this patch. It is, therefore, recommended that you update your forums immediately to ensure that your community is safe. In addition to the security patches, a few bug fixes for the SMF 2.0 line have also been included in the 2.0.6 patch.
If you are running version 2.0.5, you can update your forum to version 2.0.6 using the package manager. As usual, you should see the upgrade notification in the Admin panel and in the package manager, which will allow you to download and install the patch seamlessly. If you don't see the notification about the update, please run the scheduled task "Fetch Simple Machines files". You can also download the patch for 2.0.6 from the customize site (http://custom.simplemachines.org/upgrades/) by downloading the smf_patch_1.1.19_2.0.6.tar.gz patch file, and then installing it from the package manager, like any other mod package.
If you are running 1.1.18, you can update to 1.1.19 by using the smf_patch_1.1.19_2.0.6.tar.gz patch file and installing it via the package manager as well. If you are still using 1.1.x branch, please be aware this may be one of the last patches released for this version, so you are strongly urged to upgrade to 2.0.6, in order to be able to continue to receive security upgrades to your forum.
If you use older versions of SMF, you can upgrade by using the full upgrade archive for version 2.0.6 from the downloads page (http://download.simplemachines.org/). Be aware that using this upgrade method will require you to reinstall your mods with ones designed for the 2.0.x line.
You can also view the change log for the latest release, as usual, on the downloads page (http://download.simplemachines.org/).
If you are having problems downloading the patch from the admin panel, you can download the package from the upgrade patches page (http://custom.simplemachines.org/upgrades/) and install it like a mod, as instructed above.
Please refer to the Online Manual for more details about:
* upgrading (http://wiki.simplemachines.org/smf/Upgrading)
* patching (http://wiki.simplemachines.org/smf/Patching)
Please do not use this topic for support requests. You will receive a much quicker and better response by posting in the relevant support board!
Thank you for using SMF! :)
Regards,
Simple Machines Forum
Good work Team :)
Thanks!
Congrats on the release!
Bit premature on the announcement. The patches aren't actually on those pages yet. :)
Already being worked on.
I brought this up, and they are working on it, as we speak. :)
Direct link added to announcement.
Our apologies for the inconvenience!
http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.19_2.0.6.tar.gz
Quote from: Antechinus on October 22, 2013, 06:36:56 PM
Bit premature on the announcement. The patches aren't actually on those pages yet. :)
Yes, it seems so. 1.1.18 patched to 1.1.18 and 2.0.5 patched to 2.0.5; normally no matches, lol... versioning forgotten again?
Doing a release is quite a complex process given the mirrors and everything else in the site architecture that needs updating. We're working on it as I write this :)
Important thing is the patch and very well done to our developers... they did fantastic job yet again :)
Thanks!
Indeed!
Way to go dev team, and the others that helped out. :)
Quote from: Arantor on October 22, 2013, 07:15:38 PM
Doing a release is quite a complex process given the mirrors and everything else in the site architecture that needs updating. We're working on it as I write this :)
;)
Premature announcement only, so.
Thanks for all the great work guys. ;)
We thought it was best to get this topic out there - including where one can download the patch immediately - while we got everything else sorted out. Right now it should only be the upgrade site that's in need of work and we're on the case.
EDIT: And it appears to be sorted out now :)
Cool! Thanks guys! ;)
Thanks for the security updates. ;)
Quote
Several security issues were identified in both release lines and have been addressed with this patch. It is, therefore, recommended that you update your forums immediately to ensure that your community is safe. In addition to the security patches, a few bug fixes for the SMF 2.0 line have also been included in the 2.0.6 patch.
Is there a more detailed changelog? It might be worth adding that to the announcement :)
We haven't changed how we do anything; we never give the full changelog here - because most people don't care - but the full changelog is on the download page as ever, including the full list of what was changed.
You might need to fix the files SMF uses to detect the updated version. Even though it's properly indicating a need for update, it's pointing to the 2.0.5 patch, not 2.0.6. Might also want to double-check for 1.1 as well.
Working just fine for me, on two different 2.0.5 installs I haven't yet patched, it's pointing to http://localhost/smf205/index.php?action=admin;area=packages;pgdownload;auto;package=http://custom.simplemachines.org/mods/downloads/smf_patch_1.1.19_2.0.6.tar.gz;session=variables
Seems to me you might need to force it to refresh the SM files?
Yet, when I click to download, it does say 2.0.5...
This is via the link in package manager.
After the force refresh of files.
"This patch file will provide security and bug fixes to your SMF 2.0.5 forum."
Well, yeah...
Look at this screen shot.
2.0.5 after clicking the link for update, it downloads and says 2.0.5...
Ooh... I'm using a different link to you guys. I'm using the one from the front page of the admin panel, you're looking at the one from the package manager itself (which uses a different notification entirely)
We're getting it sorted.
EDIT: Sorted now, should work just fine :)
I knew my test was messed up, just also knew it was not that messed up... LOL
Good going, Number One... ;)
It's all good :) It was more of a communication issue - we were looking at different things, heh.
6 sites updated - only one required some manual application. Nice job!
Two 2.0 sites updated cleanly. One 1.1 site updated from 1.1.16 simply using the patch files individually, and it all went cleanly. The lack of drama disappoints me, so now I'm going to go watch Gattaca so I can get some drama.
Updated four forums quickly, painlessly and without any need for a manual install (not bad given that one forum has more than 100 mods - some official, some custom - installed).
Thanks!! :)
Very happy to see you working well and great good dynamic is back. Much mudita (sympathetic joy, co-joy) and congratulation to the whole team!
Thanks!
Congrats and thanks to the people who worked on it :)
I have tried to install it via the package manager and by clicking the update link in the admin panel... it's not functioning:
2.05 to 2.06
Install Mod
This package is already installed, and no upgrade was found!
You should uninstall the old version first to avoid problems, or ask the author to create an upgrade from your old version.
Please remember to always make regular backups of your sources and database before installing mods, especially beta versions.
Installations actions for "SMF 2.0.5 Update"
The package you are trying to download or install is either corrupt or not compatible with this version of SMF.
Please refer to this instruction:
If you don't see the notification about the update, please run the scheduled task "Fetch Simple Machines files".
Or:
You can also download the patch for 2.0.6 from the customize site (http://custom.simplemachines.org/upgrades/) by downloading the smf_patch_1.1.19_2.0.6.tar.gz patch file, and then installing it from the package manager, like any other mod package.
1- please do not use this topic for support.
2- re-run the scheduled task to get the most recent info from Simple Machines - or download the package from one of the links in the first message.
That was a problem that was fixed late last night. I copied the message for the update from 2.0.4 but forgot to update the URL to point to the 1.1.19/2.0.6 patch. If you rerun the "Fetch Simple Machines Files" task, the message will have the correct link. Alternately you can just download the patch and upload it through the package manager.
.18 to .19, whole process took 5 seconds (using admin center). Great, thanks.
Hi,
Update was successful (1.1.18->1.1.19 & 2.0.5->2.0.6). Thanks to the team for the good work! :)
Congratulations!
Thanks for the update.
Guys, we need help! I updated our forum from version 1.1.11 to 1.1.15 with no problem. But when I tried to go to 1.1.16 it said my file was corrupted. I was trying to get our forum to version 1.1.18.
Thanks! Ant Admin -snip-
Please ask for help in the 1.1.x Support Board, as your issue is not relevant to this particular security patch.
Thanks, all, for always improving the security of our forums..
Regards
thank you
done
Thanks :)
Thanks all for the upgrade to 2.0.6 :D
Greetings, Bruno :laugh:
Great
Nice, nice, thanks for all.
Nice work, SMF team :) my forum is updated :) ;D
Thanks for this update. Working nice.
Thanks for your work.
Updated without problems, as always.
Good job as usual. 8)
Fantastic!
Well I for one am sad to hear that 1.1.19 is just about the end of the line for 1.
I came in on 1.1.13 and now have one 2.05 installation and a few remaining 1s.
Great product team. Thank you for maintaining and growing it so well.
upgrade within seconds :)
Very good -- I upgraded 5 forums in under 5 minutes (1.1.18 to 19). Superb.
Meanwhile I have a vbully which I am so so scared to upgrade (it has no 1-click package within/testing) and gives me the eeebeegeebees every time and takes 5 hours to prepare -- reading responses first, serious b'ups, rewrites etc.)
Now I am a little worried about upgrading to 2.6 from 1.1.19 as we have so many mods, pretty URLs and TP -- but will get a test site running soon.
How is the import from vbully 4 to 2.6, btw?
Thanks again, great work.
1.1.19 is seven years old, and will break with PHP 5.5 in nasty ways that we can't fix without a substantial change, most of which already happened in 2.0.
That's why we're telling you now, while it is still supported, that it is time to plan for an upgrade, rather than in a few months time going "Oh and by the way, those of you on 1.1 are screwed"
Many 1.1 mods have 2.0 equivalents, or even 2.0 support, e.g. Pretty URLs does. If there is a mod that you cannot find a 2.0 replacement for, let me know and I'll see what I can do to help.
I haven't touched the converters, no idea what state the vB4 converter is in, sorry.
That was so cool. Upgraded from 2.0.5 to 2.0.6 in just few seconds.
Thanks to everyone who had worked hard on this patch.
What version is subs-members.php in this version? After upgrade the file detailed version check shows subs-members.php being version 2.0.6, but the package manager version and the full tgz download both show it as version 2.0.1. Diffing my running version and the version from the tgz show identical files also.
It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php
update
1.1.18 ---> 1.1.19
$sourcedir/Profile.php
update: replace this

    // Now try to find an infection.
    while (!feof($fp))
    {
        if (preg_match('~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~', fgets($fp, 4096)) === 1)
        {
            if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
                @unlink($uploadDir . '/avatar_tmp_' . $memID);
            fatal_lang_error('smf124');
        }
    }
    fclose($fp);

to this

    // Now try to find an infection.
    $prev_chunk = '';
    while (!feof($fp))
    {
        $cur_chunk = fread($fp, 8192);
        // Paranoid check. Some like it that way.
        // The previous chunk is prepended so a token split across an fread() boundary is still matched.
        if (preg_match('~(iframe|\\<\\?|\\<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)
        {
            fclose($fp);
            if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
                @unlink($uploadDir . '/avatar_tmp_' . $memID);
            fatal_lang_error('smf124');
        }
        $prev_chunk = $cur_chunk;
    }
    fclose($fp);
After this replacement users can't upload their avatars to the server (trying to upload an animated GIF); they get this message:
Quote
Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.
Please consult your server administrator for more information.
Do not ask me about the settings please! ALL ATTACHMENTS/AVATARS SETTINGS ARE CORRECT!... as are the uploaded file requirements...
In my case avatars are uploaded to the attachments folder.
If I revert the update changes in
$sourcedir/Profile.php, all works fine.
I spent a lot of time trying to understand the problem, but could not solve it... is it just me?
Maybe PHP? I'm using PHP 5.2.10 on my server...
Added:
Inside the test GIF there are these lines:
<?xpacket begin="п»ї" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7" xmpMM:DocumentID="xmp.did:9E22335E300211E2A019AE32BE61A756" xmpMM:InstanceID="xmp.iid:9E22335D300211E2A019AE32BE61A756" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7305EF2E0130E2118032A8A02874D8C7" stRef:documentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Can this be a problem?
P.S. Sorry for my language :-[
Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.
Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.
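As an added illustration for this thread (written in Python rather than PHP, and not SMF's own code): the two avatar "infection" patterns from the patch above, run over constructed sample files, showing why a GIF carrying an Adobe XMP packet passes the 1.1.18 pattern but trips the 1.1.19 one, and why the patched loop prepends the previous chunk. Both patterns are run through the same chunked reader, so the old code's line-by-line fgets() reading is not reproduced; the sample GIF bytes and chunk sizes are made up for the demonstration.

```python
import re

# Pattern from the 1.1.18 Profile.php check (case-sensitive; only "<?php", or
# "<?" / "<%" followed by whitespace or "=", count as script tags).
OLD_RE = re.compile(rb'(iframe|<\?php|<\?[\s=]|<%[\s=]|html|eval|body|script\W)')

# Pattern from the 1.1.19 / 2.0.x check: any "<?" or "<%" (so an XML processing
# instruction such as "<?xpacket" matches too), case-insensitive, plus the
# "FWS"/"CWS" Flash (SWF) file signature followed by a version byte.
NEW_RE = re.compile(rb'(iframe|<\?|<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])',
                    re.IGNORECASE)


def scan(data, pattern=NEW_RE, chunk_size=8192, overlap=True):
    """Return the first suspicious token found in data, or None if it looks clean.

    Reads chunk_size bytes at a time. With overlap=True the previous chunk is
    prepended to the current one, as the patched SMF loop does, so a token that
    straddles a read boundary is still matched.
    """
    prev = b''
    for off in range(0, len(data), chunk_size):
        cur = data[off:off + chunk_size]
        match = pattern.search(prev + cur if overlap else cur)
        if match:
            return match.group(1)
        prev = cur
    return None


# Constructed samples, not real avatar files: a GIF header plus filler bytes,
# and the same with an Adobe XMP packet (like the one quoted above) embedded.
GIF_HEADER = b'GIF89a\x10\x00\x10\x00\x80\x00\x00'
FILLER = bytes(range(256))  # sequential bytes; contains none of the keywords
CLEAN_GIF = GIF_HEADER + FILLER * 4
XMP_PACKET = (b'<?xpacket begin="\xef\xbb\xbf" id="W5M0MpCehiHzreSzNTczkc9d"?>'
              b'<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3">'
              b'</x:xmpmeta><?xpacket end="r"?>')
XMP_GIF = GIF_HEADER + FILLER + XMP_PACKET + FILLER


def boundary_demo(chunk_size=11):
    """A "<?php" tag split across two reads: (result without overlap, with overlap)."""
    data = b'A' * 10 + b'<?php echo 1; ?>'
    return (scan(data, chunk_size=chunk_size, overlap=False),
            scan(data, chunk_size=chunk_size, overlap=True))


if __name__ == '__main__':
    print('clean GIF, new pattern    :', scan(CLEAN_GIF))        # None
    print('XMP GIF, 1.1.18 pattern   :', scan(XMP_GIF, OLD_RE))  # None
    print('XMP GIF, 1.1.19 pattern   :', scan(XMP_GIF))          # b'<?'
    print('split tag, no/with overlap:', boundary_demo())        # (None, b'<?')
```

The rejected token for the XMP GIF is the bare "<?" of the xpacket header, which the 1.1.18 pattern only matched when followed by "php", whitespace or "=".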
Quote from: Arantor on October 27, 2013, 10:18:49 AM
It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php
So the main install and the upgrade packages should have 2.0.1? I did look and it seems that the full install package does have the changes in place, just the file version is 2.0.1. Going by that it looks as though I should be ok to just replace the top version tag with the correct version (2.0.6) to get rid of the version mismatch in the DB.
-Chris
No, the main install and upgrade packages should have 2.0.6 because the file changed in 2.0.6. We did modify the master packages but the mirrors will need resyncing to include that one too.
The version list pushed by this site may actually be wrong because I think it pulls from the list of files in the internal repo, need to check on that.
Quote from: Arantor on October 27, 2013, 01:57:43 PM
No, the main install and upgrade packages should have 2.0.6 because the file changed in 2.0.6. We did modify the master packages but the mirrors will need resyncing to include that one too.
The version list pushed by this site may actually be wrong because I think it pulls from the list of files in the internal repo, need to check on that.
It looks like all the changes in the change log were applied aside from the @version 2.0.6 one. I'll just apply that by hand. Thanks for your help!
-Chris
Yeah, that's the only one that was missed, and we have been dealing with it. ;)
Quote from: Arantor on October 27, 2013, 12:52:31 PM
Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.
Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.
Thanks for the answer! all cleared up now =)
Check http://www.simplemachines.org/community/index.php?topic=513247.0
and please note that this thread is NOT for support...
Woot Woot!!
Congratz!! :)
Congratz
Thank you for SMF teams.
Nice, but it's still vulnerable :*
(Read the mail from a few minutes ago to
[email protected]; there are more details.)
Cheers
o/
I saw your email.
I'm actually a bit annoyed because saying "hey I found a vulnerability" doesn't help anyone actually fix it. Please provide full details (either to
[email protected] or to the security report page) rather than saying you found a vulnerability and waiting for an email to see if we're interested or not - because we're *always* interested to hear about issues so we can patch them!
Cool ;)
Give me a few minutes and I will send you a raw copy/paste of the traffic from Burp.
All done 10 minutes ago, so if you want some help/information about the patch, I must see the code.
Cheers
o/
Email received and investigating, thank you :)
Re being annoyed... we take security very seriously and someone emailing saying 'hey, I've got a vuln, are you interested' just provokes more emails and more discussion than necessary ;)
One thing I will add up front: board names/descriptions and censored words accepting unsanitised raw HTML is not going to be patched in 2.0 because some admins are relying on this bad behaviour for formatting. It gets reported pretty much every time and pretty much every time we declare we can't fix it in 2.0 for the same reason.
Ok... so 'for admin' we have 'only 5 new' ;)
Ok Arantor. Like I said, if I find anything new, I will send you a more detailed email asap.
Have a nice day!
o/
First up, thanks :) Any report is better than no report, even if it turns out to be a damp squib.
Secondly, yup, these all require admin permissions to exploit, which automatically makes them slightly less of an issue - but no less necessary to fix. It just means we don't need to rush it out 'right now' in a practical sense (if not an idealistic one)
Admin and XSS is an interesting problem to solve, because all of the exploits are, yes, problems. But in comparison to other things you can do as an admin, it's almost a non-issue. Admins can edit the raw PHP templates themselves, directly from the admin panel - which is a far greater security issue in practice. But no-one seems to actually consider the intentional editing of raw PHP - and thus *total XSS vector* - of such. We have, as far as I know, never received a report that this could be exploited... but of course it can, with no more difficulty than almost every normal XSS vector.
The real concerns are the ones in the database, of course, because they don't have to run the gamut of file permissions.
There are plenty of other practical issues that can't be solved any time soon like the vulnerability of uploading a new theme (which is raw PHP)... and new modifications (which are raw PHP) but curiously no-one ever seems to consider these *vulnerabilities*.
Congrats and thanks on the update :)
Hi guys,
Is there any problem with Subs-Members.php in the 2.06 patch? It still says 2.0.1 as the version, but an update looks like it is required in the version control panel. I'll be glad to get a comment about this issue; am I wrong?
Thanks,
kerso.
There's nothing wrong with the 2.0.6 patch, the patch does it just fine.
The problem is with the main install file/large upgrade package where they didn't get the updated version number.
You have done great again - thank you very, very much :D
Thank you!
Thank you!
Congratulations! :)
Thanks, you guys are the best!
Thank you...
Makes it so much better when it's click, update... everything is upgraded easily.
I just got around to the 2.0.5 to 2.0.6 update, and it fails on Subs-Members.php. So I downloaded the 2.0.6 zip file, unpacked it and installed the Subs-Member.php file into my live Sources directory.
Next I ran the forum maintenance function "Check all files against current versions" and it tells me that my Subs-Members.php file is still incorrect.
Where is the correct version of Subs-Members.php?
The correct version of Subs-Members.php is 2.0.6, but the version from the 2.0.6 packages for some reason still says 2.0.1 even though the file is otherwise correct.
The problem is now you have damaged mods; any mod that modified Subs-Members.php (which is what caused the update to fail) has now had its code removed and will now fail to uninstall and likely fail to work properly anyway.
Also please note the line from the initial post (which is the same for EVERY announcement of an update release)
Quote from: Illori on October 21, 2013, 10:18:01 AM
Please do not use this topic for support requests.
How did SMF 2.0.6 come out so soon after version 2.0.5?
You mean *two months after*?
It came out because we were advised of issues that needed fixing, simple as that. We get told of issues, we fix them.
Great work guys....You rock. Sorry for posting this late :)
Sorry if this is the wrong place to post, I did try to search as well.
Recently the Administrators upgraded our Forum from SMF 1.1.18 to SMF 2.0.6 and since then we have two pairs of identical members apart from their ID number.
Is this an SMF 2 problem or is it due to our database? As a Moderator I do not have access to certain areas, so I did not feel I could post in the Support boards.
Thank you
Dennis
Well, it will be unrelated to this update (this is about 1.1.18 -> 1.1.19, and 2.0.5 -> 2.0.6), you should ask your site's administrator to sign up and post in either the 2.0 support area or the Installing and Upgrading area...
This topic is not really for support, though...