Released XenForo 1.5.18 Released

Discussion in 'XenForo Released' started by THB, Mar 16, 2018.

  1. THB

    THB Admin - Founder Staff Member

    Joined:
    Feb 25, 2015
    Messages:
    6,336
    Likes Received:
    3,550
    Trophy Points:
    113
    Gender:
    Male
    Occupation:
    CEO
    Location:
    Bình Dương
    Home Page:
    XenForo 1.5.18 Released - Includes Security Fix
    XenForo 1.5.18 is now available for all licensed customers to download. This release fixes a number of bugs and issues that were found since the previous release. As this is a maintenance release, the vast majority of the focus was an increase in stability.

    Most importantly, this release includes a fix for a security issue that was reported to us by Julien from RCE Security. The issue was not found within XF code itself, but instead a file which we previously included with XF 1.5.x within the Video JS library. The issue is known as an "authentication phishing" exploit which involves posting a specially crafted URL pointed at the Video JS SWF file. This specially crafted URL, when clicked on or embedded in a page, can include another URL which returns a 401 response and display an authentication prompt. This authentication prompt may trick less experienced users into thinking that it is your site which is asking for authentication when in fact the authentication details entered may be submitted to the attacker instead.

    xenforo 00.jpg

    To solve this problem we are including a zero-byte file which will overwrite the problematic file.
    We recommend that all customers upgrade to the latest version of XF 1.5 or XF 2.0, but if you are unable to do this then you can simply delete the file which resides in the following location: js/videojs/video-js.swf.

    As a side note, there is potentially another exploit in some current browser versions which is similar. This involves a URL which points to a resource, such as an image, which returns a 401 response. This is an exploit which is being patched by most browser vendors. It is currently fixed in the latest stable Chrome release, and upcoming versions of Safari and Firefox. If you are concerned by such an exploit, please ensure you inform your users that a) they should be using the latest available version of their preferred browser and b) that login details should only be provided via your site's default login form.



    Some of the other changes in this release include:

    • In some cases, a Solve Media CAPTCHA challenge would erroneously pass if the HTML was tampered with (such as via a spam bot).
    • Better support for media embeds and user mentions in the IPS Forums 4.x importer.
    • Fix for missing likes on import from XF to XF.
    • Improve PHP 7.x compatibility in the SMF importer.
    • Add rel="canonical" to the quick navigation template to avoid indexing duplicate content.
    • Security: Disable use of js/videojs/video-js.swf and remove calling it from the template.
    • Recommend users upgrade to PHP 5.6 or above when installing or upgrading.
    See the Resolved Bug Reports forum for further information.

    The following templates have had changes:

    • quick_navigation_menu
    • video_js_setup
    Where necessary, the merge system within the "Outdated Templates" page should be used to integrate these changes.

    Please note that we are now formally recommending that you upgrade to PHP 7.2 or newer. XenForo 2.0 requires PHP 5.4 or newer. XenForo 2.1 will require PHP 5.6 or newer. If you are running a version below PHP 5.6, you will receive a warning when installing or upgrading XenForo.

    All customers with active licenses may now download the new version from the customer area.

    Download XenForo 1.5.18
    From the Licensed Customer Area

    More Stable

    This release follows our principle that third-point (x.x.X) releases should always be more stable than the preceding version, so for the most part you will not find new features in this release. Major new features will be reserved for second point versions (x.X.x).

    Installation and Upgrade Instructions

    Full details for how to install and upgrade XenForo can be found in the XenForo Manual.


    4share.vn
    1. XenForo 1.5.18 Released
    2. XenForo 1.5.18 upgrade
    pass: vnxf.vn

    Fshare.vn
    1. XenForo 1.5.18 Released
    2. XenForo 1.5.18 Upgrade
    pass: vnxf.vn
     
    Quan tâm nhiều
    GIúp em với ạ
    GIúp em với ạ bởi ontyty, Apr 19, 2020 at 2:19 PM
    Bài viết mới
    f0rest, tpoclub and quick87 like this.
  2. xuantruong1519

    xuantruong1519 Thượng Đế

    Joined:
    Mar 14, 2018
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Gender:
    Male
    Location:
    thai binh
    thanks
     
    THB likes this.
  3. PhuongBinzz

    PhuongBinzz Thượng Đế

    Joined:
    Jul 21, 2016
    Messages:
    844
    Likes Received:
    246
    Trophy Points:
    43
    Gender:
    Male
    Occupation:
    ở đợ
    Location:
    308 Canal St New York
    Home Page:
    tưởng ra mắt xf2 bõ mặt 1 chứ :D
     
    THB likes this.
  4. cuongcongnghe

    cuongcongnghe Thượng Đế

    Joined:
    Mar 21, 2018
    Messages:
    27
    Likes Received:
    7
    Trophy Points:
    3
    Location:
    USA
    Bản chuẩn cuối của Xenforo 1 à Admin @THB để em quay về bản 1 chứ bản 2 không cài được Addons :d
     
  5. PhuongBinzz

    PhuongBinzz Thượng Đế

    Joined:
    Jul 21, 2016
    Messages:
    844
    Likes Received:
    246
    Trophy Points:
    43
    Gender:
    Male
    Occupation:
    ở đợ
    Location:
    308 Canal St New York
    Home Page:
    Haha. Xen2 khoảng 2 năm sau hã xài
     
  6. SangNTP

    SangNTP Thượng Đế

    Joined:
    Nov 4, 2015
    Messages:
    129
    Likes Received:
    57
    Trophy Points:
    28
    Gender:
    Male
    Nhờ THB update lại link được không? Mình cần bản upgrade mà link die
     
  7. boygacf

    boygacf Thượng Đế

    Joined:
    Mar 16, 2018
    Messages:
    69
    Likes Received:
    6
    Trophy Points:
    8
    Location:
    hn
    Bản này quan trọng nhất là fix cái lỗi video-js, đơn giản chỉ cần xóa file video js đi là đc
     

Share This Page