During internal testing, we discovered a security issue within XenForo. The issue is a server-side request forgery (SSRF) vulnerability. It could allow an attacker to have your server make requests on their behalf, reaching internal hosts that your firewall would otherwise block from the outside. Depending on the services found on those hosts, this could lead to privilege escalation or remote code execution.
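To make the defensive point concrete, the following is an added example (not XenForo code, and not the contents of the patch) of the kind of check a server-side fetcher such as an image proxy needs before it retrieves a user-supplied URL: restrict the scheme and port, refuse userinfo, resolve the host, reject any address that is loopback, private, link-local, multicast, reserved or unspecified (including IPv4-mapped IPv6 forms), and pin the resolved address so the fetch uses the IP that was checked rather than re-resolving the name. The hostnames and DNS answers in the example are constructed so it runs offline; the function and variable names are illustrative.

```python
"""SSRF guard for a server-side fetcher (illustrative example, not XenForo code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Only fetch over plain web schemes; file://, gopher://, ftp:// and the like are refused.
ALLOWED_SCHEMES = {"http", "https"}
# Restricting ports keeps the proxy from being used to probe arbitrary services.
ALLOWED_PORTS = {None, 80, 443}


def system_resolver(host):
    """Resolve a hostname to every address it returns, using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text):
    """True only for routable, public unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 range checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url, resolver=system_resolver):
    """Validate a user-supplied URL before the server fetches it.

    Returns (allowed, reason, pinned_ip). On success the caller should connect to
    pinned_ip (sending the original Host header) instead of re-resolving the name;
    otherwise a DNS answer that changes between check and fetch defeats the check.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return (False, "scheme not allowed", None)
    host = parts.hostname
    if not host:
        return (False, "missing host", None)
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo not allowed", None)
    try:
        port = parts.port
    except ValueError:
        return (False, "invalid port", None)
    if port not in ALLOWED_PORTS:
        return (False, "port not allowed", None)

    # A literal IP needs no lookup; anything else goes through the resolver.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return (False, "name resolution failed", None)
    if not addresses:
        return (False, "name resolution failed", None)

    # Every address the name resolves to must be public; one internal answer rejects the URL.
    for address in addresses:
        try:
            public = is_public_address(address)
        except ValueError:
            return (False, "unparseable address %s" % address, None)
        if not public:
            return (False, "resolves to non-public address %s" % address, None)
    return (True, "ok", addresses[0])


# Constructed DNS answers so the example runs offline (these are not real hosts).
FAKE_DNS = {
    "cdn.example.net": ["93.184.216.34"],
    "intranet.example.net": ["10.0.0.5"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host):
    """Stand-in for system_resolver that answers only from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN (constructed)")
    return FAKE_DNS[host]


def demo():
    """Run the guard over sample proxy requests; returns {url: (allowed, reason)}."""
    samples = [
        "http://cdn.example.net/avatar.png",
        "http://intranet.example.net/status",
        "http://rebind.example.net/img.png",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.10.10/",
        "file:///etc/hostname",
        "http://user:pw@cdn.example.net/a.png",
        "https://cdn.example.net:8443/a.png",
    ]
    return {u: check_fetch_target(u, fake_resolver)[:2] for u in samples}


if __name__ == "__main__":
    for url, (allowed, reason) in demo().items():
        print("ALLOW" if allowed else "DENY ", url, "-", reason)
```

The check treats a name that resolves to a mix of public and internal addresses as hostile, since a client cannot control which answer the HTTP library would use. Validating the URL string alone is not enough: a hostname that looks harmless can resolve to an internal address, which is why the decision is made on the resolved addresses and the fetch is then pinned to the address that passed.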
This is a potentially serious issue and we strongly recommend all customers running XenForo 1.4 or older follow one of the below methods to fix this security issue.
If you are running XenForo 1.3 or older, you must upgrade to the latest 1.4 or 1.5 release to fix this issue.
If you have any questions relating to installing this patch or upgrading to the new version, please post in the Upgrade Support forum.
Method 1: Upgrade to the New Version (Recommended)
You may upgrade to XenForo 1.4.13 (or the latest version of 1.5) to fix this issue. You should upgrade as you would to any other release. If you take this approach, you should not apply the patch below.
Customers with an active license may download this version from their customer area. Full details for how to install and upgrade XenForo can be found in the XenForo Manual.
Method 2: Install the Patch (for 1.4 Users)
Download the patch zip file attached to the end of this message. It contains 3 files:
- library/XenForo/Helper/Http.php
- library/XenForo/Helper/Url.php
- library/XenForo/Model/ImageProxy.php
Note that with this method there is little outward indication that the patch has been applied. The only indication is that the patched files will be reported as not having the expected contents in the file health check. We recommend upgrading if possible.