Thread

While working on our own forums in preparation for the coming release of ExpressionEngine 2.1, we discovered a security issue in the Discussion Forum module.  The set of circumstances that would expose the issue is extremely rare and cannot even occur in those cases if you are running unmodified stock themes.  However, if all of the puzzle pieces are in place, it could allow users to execute certain types of code.

The good news is that we found this ourselves and it probably doesn’t affect you, but the seriousness of the issue if the perfect storm of circumstances does happen to apply to you requires that this update not be understated.  We are therefore flagging it as a required update for all users of the Discussion Forum module, both for ExpressionEngine 1.x (Forum version 2.2.0) and 2.x Public Beta (Forum version 3.1.0).

The timing is also fortuitous, as I had just recently made an optimization to the forum search queries.  A few months back a misbehaving bot was slamming our forum with searches, and the frequency combined with the complexity of the search ended up crashing MySQL.  So instead of waiting for the next feature update to benefit from this optimization, it is available as part of the current update, and should lighten some resource usage for busy forums.

You can download the latest files and documentation in your download section.

Thanks. Updated my mainsite project instantly.

http://expressionengine.com/public_beta/docs/modules/forum/forum_update_notes_3.1.0.html

you will need to edit three fields, all found in /themes/forum_themes/theme_name/theme_submission.php

Hm…. I have:

/themes/forum_themes/theme_name/forum_submission/.... and 9 files under that.

So I believe what you want in the docs is really:

/themes/forum_themes/theme_name/forum_submission/template_name.html

Or, its it nearly a full-moon on a Friday night an my brain is so far gone that I’m in the wrong section of EE?

Your brain is good, even on a Friday night, Kurt.  Looks like it was copied over from the 1.x docs and then not tweaked in that spot.  Should read:

To add this change manually, you will need to edit two files, both found in /themes/forum_themes/theme_name/forum_submission/:

Submission Form Template (submission_form.html)
and
Poll Answer Field Template (poll_answer_field.html)

Sorry for the confusion!  And it’ll be tweaked in the docs per the above.

Hi - I just saw this blog post today (I’m now subscribed) but I don’t see a security update in our download area.

Our site runs version 2.1.2 of the Discussion Forum module but the post only mentions v2.2 - does that mean this update doesn’t apply to us? Or is running 2.2 the fix?

Updating to 2.2 is the fix, Muiris.  And though it’s not related to the security issue, you’ll want to make sure you’re also running the latest version of ExpressionEngine, so that your code has parity.  Make sense?

As in 1.6.9, the latest 1.x version?

Is there much involved in upgrading from 1.6.8 to 1.6.9?

Correct, you will need to be on 1.6.9, and upgrading from 1.6.8 is very straight forward.  If you have any questions or run into problems, don’t hesitate to post to the support forums and our paid support staff would be glad to assist you.

Ah, that’s what I was looking for - couldn’t see a how-to guide anywhere.

Thanks Derek…

Derek—

Was just searching around to make sure that I have the latest version of Discussion Forum for EE 1.x installed.

Your and downloads pages still references DF v2.1 as the latest:

http://expressionengine.com/downloads/details/discussion_forum_module/

Ha, that will never do.  Thanks Peter!

I don’t know if this has anything to do with your updates to the search queries for THIS website, but I’ve noticed lately that using search through this EE forum has been quite difficult as of late.  I normally can type in just about anything and get a lot of entries to read through, but in the last few weeks I keep getting “Your Search has returned no results”.  And for simple 3-word searches too.  For example, I typed “comments new entries” without the quotes in the regular search box, and got nothing.  Really?

And sometimes if I type something in the search box and hit enter, I am just taken to the Advanced Search page, where I have to type it in again.  Sometimes entering a search in Advanced Search just blanks out what I typed in and brings up the same Advanced Search page again.

Just wanted to make you aware.

I’ve had the same bad search experience. Perhaps someone on the support team can move your post to a new thread where it might get spotted and acted on.

I’ve had the same problem for almost a year now….posted about it in various threads.
http://ellislab.com/forums/viewthread/177778/

Hopefully, a mod can split this thread and move the last couple of posts to a support of community help area.

There is no doubt that the forum search works very strangely after my upgrade(s) and move. I can’t pin it on one particular version since I upgraded and then soon after moved to a new server. Still, it basically has become useless as it often doesn’t find stuff….and sometimes only in the last “x” amount of time, even if that is not specified.

Hi all, thanks for the confirmation that I’m not crazy.  I reposted in a new thread (http://ellislab.com/forums/viewthread/201715/) and we’ll see if anyone has any ideas or fixes.  thank you!