We have just released new versions of our products:
- WoltLab Suite 5.2.6
- WoltLab Suite 3.1.14
Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features; It is strongly recommended to apply these updates.
Recent Investigations on Compromised Communities
We have become aware that a few customer sites have been compromised in an attempt to steal user credentials. The attacker did modify a few files to capture plaintext passwords and installed a backdoor in order to regain access at a later point. This update will overwrite the files containing the malicious changes with the original versions.
Furthermore, any intercepted plaintext password was stored in the database column logToken in the table wcf1_user that was added by the attacker. This update will nullify those values by replacing them with the string compromised, account that did not have the password stolen will have an empty value.
If you have any questions or to seek advice if your site had been compromised, please get in touch with us, we'll help you.
How Did the Attacker Gain Access?
Investigations strongly indicate that the attacker gained access to the systems by logging in with an administrator's account using credentials that have been stolen previously. We cannot stress this enough: DO NOT REUSE PASSWORDS ON OTHER SITES. YOU PUT YOURSELF AND YOUR COMMUNITY AT RISK!
Performing System Updates
Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.
Notable Changes
The list below includes only significant changes, minor fixes or typos are generally left out.
WoltLab Suite Blog
- The detection for mentions was using an inefficient API call and now works much faster. 3.1 5.2
- Incorrect detection of numeric values in some importers. 3.1 5.2
- The react button was displayed even when the user lacked the permissions to use it. 5.2
WoltLab Suite Calendar
- Incorrect detection of numeric values in some importers. 3.1 5.2
- Some foreign keys were missing from the SQL log after an upgrade from version 3.1. 5.2
- The AMP version of the event page has been removed. 5.2
WoltLab Suite Filebase
- Editing reviews accidentally created modification log entries to be created for the file. 5.2
- The AMP version of the file page has been removed. 5.2
- Incorrect detection of numeric values in some importers. 5.2
WoltLab Suite Gallery
- Searching for images with no results yielded an incorrect error message. 3.1 5.2
- The detection for mentions was using an inefficient API call and now works much faster. 3.1 5.2
- Incorrect detection of numeric values in some importers. 3.1 5.2
WoltLab Suite Forum
- Copying forums did not preserve the flag for private threads. 3.1 5.2
- The detection for mentions was using an inefficient API call and now works much faster. 3.1 5.2
- Moderators were unable to move or copy posts into forums that are hidden from the forum list. 3.1 5.2
- Incorrect detection of numeric values in some importers. 3.1 5.2
- Copying forums did not preserve the flag for best answers. 5.2
- The AMP version of the thread page has been removed. 5.2
- Any error that occurs when creating a thread could cause the thread forms to reset on page load. 5.2
WoltLab Suite Core: Conversations
- Checking the location of a user who's an invisible participant in one's conversations would indirectly expose this participant. 3.1 5.2
- Revoking the permissions to use the conversation system did not exclude messages from search results. 3.1 5.2
WoltLab Suite Core
- Incorrect detection of numeric values in some importers. 3.1 5.2
- Editing a user with a cover photo, without having the permissions to view it, caused the cover photo to be discarded. 3.1 5.2
- Trophies could sometimes be awarded more than once. 3.1 5.2
- ImageMagick support for image processing
- Some thumbnails were created with larger than requested dimensions. 3.1 5.2
- Normalizing images based on their EXIF rotation previously did not update the orientation information. 3.1 5.2
- Writing text on it caused it to be positioned incorrectly. 3.1 5.2
- The font size of text was treated as pt, but actually expects px values (the doc at php.net is misleading). 3.1 5.2
- Scrolling a tab menu on iOS caused the items to be unresponsive for a few moments. 3.1 5.2
- Older moderation queue entries have sometimes not been removed. 3.1 5.2
- Adding keywords to the search list could fail due to a race condition. 5.2
- Descriptions of categories with HTML were improperly displayed. 5.2
- The dynamic image resizing in the browser produced damaged images due to a bug in Chrome 81. 5.2
- Prevent the quote tooltip from being selected on mobile devices. 5.2
- Replace legacy <font> elements injected by some browser. 5.2
- Improved the main menu navigation on large Android tablets. 5.2
- Sorting of trophies did not work properly when split across multiple pages. 5.2