Most importantly, this release includes a fix for a security issue that was reported to us by Julien from RCE Security. The issue was not found within XF code itself, but instead a file which we previously included with XF 1.5.x within the Video JS library. The issue is known as an "authentication phishing" exploit which involves posting a specially crafted URL pointed at the Video JS SWF file. This specially crafted URL, when clicked on or embedded in a page, can include another URL which returns a 401 response and display an authentication prompt. This authentication prompt may trick less experienced users into thinking that it is your site which is asking for authentication when in fact the authentication details entered may be submitted to the attacker instead.
To solve this problem we are including a zero-byte file which will overwrite the problematic file.
We recommend that all customers upgrade to the latest version of XF 1.5 or XF 2.0, but if you are unable to do this then you can simply delete the file which resides in the following location:
As a side note, there is potentially another exploit in some current browser versions which is similar. This involves a URL which points to a resource, such as an image, which returns a 401 response. This is an exploit which is being patched by most browser vendors. It is currently fixed in the latest stable Chrome release, and upcoming versions of Safari and Firefox. If you are concerned by such an exploit, please ensure you inform your users that a) they should be using the latest available version of their preferred browser and b) that login details should only be provided via your site's default login form.
Some of the other changes in this release include:
- In some cases, a Solve Media CAPTCHA challenge would erroneously pass if the HTML was tampered with (such as via a spam bot).
- Better support for media embeds and user mentions in the IPS Forums 4.x importer.
- Fix for missing likes on import from XF to XF.
- Improve PHP 7.x compatibility in the SMF importer.
- Add rel="canonical" to the quick navigation template to avoid indexing duplicate content.
- Security: Disable use of js/videojs/video-js.swf and remove calling it from the template.
- Recommend users upgrade to PHP 5.6 or above when installing or upgrading.
The following templates have had changes:
Please note that we are now formally recommending that you upgrade to PHP 7.2 or newer. XenForo 2.0 requires PHP 5.4 or newer. XenForo 2.1 will require PHP 5.6 or newer. If you are running a version below PHP 5.6, you will receive a warning when installing or upgrading XenForo.
This release follows our principle that third-point (x.x.X) releases should always be more stable than the preceding version, so for the most part you will not find new features in this release. Major new features will be reserved for second point versions (x.X.x).
Installation and Upgrade Instructions
Full details for how to install and upgrade XenForo can be found in the XenForo Manual.