- XF Compatibility: 2.1.x, 2.2.x
- Headline: a potential security vulnerability has been identified.
Security Fix
Today we are advising all customers running XenForo that a potential security vulnerability has been identified. All affected customers should either upgrade to XenForo 2.1.15 or XenForo 2.2.16. If you are a XenForo Cloud customer, a fix has been rolled out automatically, and no further action is required to address this issue.
If you are running a pre-release version of XenForo 2.3, you should follow the instructions in the announcement thread for the XenForo 2.3.0 Release Candidate 1 release.
The issue relates to a potential cross-site request forgery and code injection vulnerability which could lead to a remote code execution (RCE) or cross-site scripting (XSS) exploit.
XenForo extends thanks to independent security researcher, Egidio Romano (EgiX), working with SSD Secure Disclosure.
We recommend doing a full upgrade to resolve the issue, but a patch can be applied manually to any version. See below for further details.
Applying a patch manually
To patch this issue manually you will need to edit one file manually and upload some changed files.
Step 1: Edit
Find the following line in this file:
PHP:
$parts = explode(':', $string, 3);
Replace that line with the following:
PHP:
if (!$string) return '';
if (strpos($string, ':') === false)
{
    $pattern = '#^\\\?'
        . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
        . '$#';
    if (!preg_match($pattern, $string, $matches))
    {
        throw new \InvalidArgumentException(sprintf(
            'Class %s does not match formatter pattern %s',
            $string,
            $formatter
        ));
    }
    // already a class
    return $string;
}
$parts = explode(':', $string, 3);
Note: This file cannot be patched automatically as it contains install-specific data. You must apply this change manually to any XenForo installation running XenForo 2.1 or 2.2 to effectively fix the issue.
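To see what the new guard accepts and rejects, here is the patched check wrapped in a standalone function and run against a few inputs. This is an added illustration, not XenForo's own code; the formatter shape `%s\Entity\%s` and the class names are assumed for the example only.

```php
<?php
// Added example (not XenForo's code): the guard from the patch above as a
// standalone function. The formatter '%s\Entity\%s' is an assumed shape.

function guardClassString(string $string, string $formatter): string
{
    if (!$string) {
        return '';
    }
    if (strpos($string, ':') === false) {
        // No "Prefix:Name" short form, so the caller passed something that is
        // already a class name. It is only accepted when it matches the formatter,
        // with every %s replaced by an identifier/namespace character class.
        $pattern = '#^\\\?'
            . str_replace('%s', '([A-Za-z0-9_\\\]+)', preg_quote(ltrim($formatter, '\\')))
            . '$#';
        if (!preg_match($pattern, $string, $matches)) {
            throw new \InvalidArgumentException(sprintf(
                'Class %s does not match formatter pattern %s',
                $string,
                $formatter
            ));
        }
        return $string;
    }
    // Short form: the original code continues with explode(':', $string, 3) here.
    return $string;
}

$formatter = '%s\Entity\%s';
// Constructed sample inputs: two that fit the formatter, one that does not, and empty.
foreach (['Demo\Entity\User', '\Demo\Entity\User', 'Demo\Other\User', ''] as $input) {
    try {
        $out = guardClassString($input, $formatter);
        printf("%-20s -> accepted (%s)\n", var_export($input, true), var_export($out, true));
    } catch (\InvalidArgumentException $e) {
        printf("%-20s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}
```

Running it shows that only strings matching the formatter layout pass the guard; `Demo\Other\User` is rejected because the literal `\Entity\` segment of the formatter is missing.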
Step 2: Upload XF files
- Download either 2115-patch.zip (for XenForo 2.1) or 2216-patch.zip (for XenForo 2.2).
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation
Step 3: Upload XFMG files (for XenForo Media Gallery customers only)
- Download either xfmg219-patch.zip (for XenForo Media Gallery 2.1) or xfmg226-patch.zip (for XenForo Media Gallery 2.2).
- Extract the .zip file
- Upload the contents of the upload directory to the root of your XenForo installation