Posts by Alexander Ebert

    Hello,


    Removing the @ is not an option, we're relying on the side effect of include*() that implicitly checks for the existence of the requested file. Running an explicit check via file_exists() or is_readable() is quite expensive at this point, because PHP tends to skip the statcache under certain circumstances. This has a significant performance penalty for sites running on cheaper webhosting offers that still make use of "spinning rust" (HDD).


    The original issue can be easily avoided by using a proper IDE with static code analysis (for example, Visual Studio Code would do) that will report these kinds of issues ahead of time.


    We're not going to make any changes at this time, because the drawbacks of such a change are too severe with little to no benefit on average. Furthermore, this is not a bug, because the code does exactly what it was purposely instructed to do.

    Hello,


    Actually, you can do both. This specific section of the forum is configured to allow replies only to threads that you have started, with the exception of staff members.


    There is also another feature called "Private Forum" that works similarly, but with the difference that threads are only visible to the starter and select user groups (such as staff members). You can try it out in this section which operates in this mode: Private Test Forum.

    We have just released an update for the package "WoltLab Suite Core: Conversations" that addresses one major and one minor issue.

    Abuse of Conversations for the Purpose of Sending Spam

    We have become aware of a sophisticated bot that specifically targets the conversation system of our software in an attempt to mass-send messages to registered users. The attack pattern consists of two phases. In the first phase the members list is scraped to collect the list of usernames. The second phase involves the start of a new conversation with each user previously found in the first phase, with the advertisement placed in the start message. The bot has also been programmed to immediately leave the conversations in an effort to circumvent the limit on the number of active conversations per user.


    Following these events, we have implemented a new restriction in order to mitigate this kind of attack and to prevent further abuses in that direction. WoltLab Suite 3.0, 3.1 and 5.2 just received an update to the conversation system that limits the number of started conversations within a rolling 24 hour period. The default value enforces a limit of 10 for regular users; administrators are not restricted by this new permission.


    Site owners can adjust the limits per user group, with the special value -1 used to remove the limit entirely for select user groups. The permission is named Maximum Number of Started Conversations per 24 Hours.

    Minor Issue: Potential Leak of Invisible Participants of Conversations

    This update also resolves an issue that made it possible to indirectly probe for hidden participants by abusing the participant filter in the conversation list and comparing the result to the actual participant list. We have resolved this issue and have also identified a potential performance bottleneck that has been fixed too.
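The rolling 24-hour limit on started conversations described above, as an added illustration that is not WoltLab's code: a small Python model of the permission (with -1 removing the limit) and a replay of the two-phase bot pattern, showing why counting start events rather than currently active conversations defeats the leave-immediately trick. The class and function names, the sample username list, and the rule for combining limits across several user groups are assumptions.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Hypothetical names; this is an added illustration, not WoltLab's implementation.
UNLIMITED = -1        # special group value that removes the limit entirely
DEFAULT_LIMIT = 10    # default for regular users, as announced
WINDOW = timedelta(hours=24)


class ConversationStartLimiter:
    """Counts conversations a user has *started* within a rolling window.

    Because start events are counted rather than conversations the user is
    still part of, leaving a conversation immediately does not free up quota,
    which is exactly the evasion the bot in the post relied on.
    """

    def __init__(self, window: timedelta = WINDOW) -> None:
        self.window = window
        self._starts = {}  # user_id -> list of start timestamps

    def started_in_window(self, user_id: int, now: datetime) -> int:
        cutoff = now - self.window
        kept = [t for t in self._starts.get(user_id, []) if t > cutoff]
        self._starts[user_id] = kept
        return len(kept)

    def try_start(self, user_id: int, limit: int, now: datetime) -> bool:
        """Record a start if the user's group limit allows it, else refuse."""
        if limit != UNLIMITED and self.started_in_window(user_id, now) >= limit:
            return False
        self._starts.setdefault(user_id, []).append(now)
        return True


def effective_limit(group_limits: list[int]) -> int:
    """Assumed rule for members of several groups: the most permissive
    value wins, and UNLIMITED beats any finite number."""
    return UNLIMITED if UNLIMITED in group_limits else max(group_limits)


# Constructed sample data: 50 usernames as a scraper would have collected.
T0 = datetime(2020, 3, 1, 12, 0, 0)
TARGETS = [f"member{n:02d}" for n in range(50)]


def simulate_spam_bot(limit: int, targets: list[str], start: datetime) -> int:
    """Replays the two-phase pattern from the post against the limiter:
    one new conversation per scraped name, leaving each one right away.
    Returns how many start messages would actually have gone out."""
    limiter = ConversationStartLimiter()
    delivered = 0
    for i, _name in enumerate(targets):
        if limiter.try_start(user_id=4242, limit=limit, now=start + timedelta(seconds=i)):
            delivered += 1
        # the bot "leaves" here; the limiter's count is unaffected
    return delivered


def quota_recovers_after_window(limit: int, start: datetime) -> bool:
    """Shows the rolling window: blocked at 23h, one slot free again after 24h."""
    limiter = ConversationStartLimiter()
    for i in range(limit):
        limiter.try_start(7, limit, start + timedelta(minutes=i))
    blocked = not limiter.try_start(7, limit, start + timedelta(hours=23))
    allowed = limiter.try_start(7, limit, start + timedelta(hours=24, seconds=1))
    return blocked and allowed


if __name__ == "__main__":
    print("regular user:", simulate_spam_bot(DEFAULT_LIMIT, TARGETS, T0))  # 10
    print("administrator:", simulate_spam_bot(UNLIMITED, TARGETS, T0))     # 50
```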

    Hello,


    CMS pages themselves only offer distinct URLs per language, because having the same page appearing in different languages does confuse search engines. It will cause them to index the page in one language on one day and in the other language on the other day, a true nightmare. We strongly recommend using CMS pages with different URLs per language.


    However, system type pages can make use of phrases and thus present different translations based on the interface language while still using the same URL. This is not possible through the UI itself, but must be hand crafted by writing a plugin.

    We have just released new versions of our products:

    • WoltLab Suite 5.2.5
    • WoltLab Suite 3.1.13
    • WoltLab Suite 3.0.24


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

    Users Sending Emails to Users

    The software contains a legacy feature that enables users (and if configured, also guests) to send emails to other users. This feature has little use today, but is more often than not overlooked by administrators, especially those migrating from previous versions. The form uses a dedicated group permission that was enabled by default in previous versions and was often left unchanged.


    It has come to our attention that attackers have taken advantage of this feature and actively abused it to send out spam emails to other users. We've taken two steps to mitigate this issue to some extent:

    1. Force revoked the group permission to use this form. Site owners can grant the permission again at their own discretion, although we strongly advise against this.
    2. The captcha protection of the mail form was previously enabled for guest access only and is now enforced for users alike. This is the first form to enforce the captcha for logged-in users too.

    This change has previously been applied to the 5.2 series and is now in full effect for the entire WoltLab Suite 3.x series.

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out.

    WoltLab Suite Blog

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1

    WoltLab Suite Calendar

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1

    WoltLab Suite Filebase

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1
    • File owners were unable to delete responses to reviews despite having the permissions. 5.2

    WoltLab Suite Gallery

    • The list of deleted images raised an exception when viewed by guests. 3.0 3.1
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 3.1

    WoltLab Suite Forum

    • Attempting to move a thread raised an exception in PHP 7.4. 5.0 5.1
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.1 5.2

    WoltLab Suite Core: Conversations

    • Resolved an issue when replying to conversations when one or more participants were deleted. 3.0 3.1
    • The import from vBulletin could fail due to an incorrect recognition of numeric values. 3.0 3.1 5.2

    WoltLab Suite Core

    • Resolved two compatibility issues with PHP 7.4. 3.0 3.1
    • Reading articles yielded an incorrect location in the users online list. 3.0 3.1 5.2
    • Requests dispatched through HTTPRequest would not apply the timeout value to the stream itself. 3.0 3.1 5.2
    • Improved the behavior of the mobile message UI. 3.1
    • Optimized the processing speed of messages with excessive amounts of HTML nodes. 3.1 5.2
    • An incorrect sort direction caused packages installed via the package server to sometimes favor older versions over newer ones. 3.1 5.2
    • Removed the compatibility check for the API versions. 3.1
    • Overly restrictive permission checks for non owner groups. 5.2

    Hello,


    Each concurrent request hitting your site consumes one connection to the database server. If you have a larger number of concurrent visitors or make use of plugins that dispatch a large number of requests, then it could happen that there are too many in-flight requests, consuming all connections granted by your webhost. This can be even worse on slower hosts, because the longer it takes to process a request, the longer this connection slot is taken up.

    We have just released new versions of our products:

    • WoltLab Suite 5.2.4


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

    Users Sending Emails to Users

    The software contains a legacy feature that enables users (and if configured, also guests) to send emails to other users. This feature has little use today, but is more often than not overlooked by administrators, especially those migrating from previous versions. The form uses a dedicated group permission that was enabled by default in previous versions and was often left unchanged.


    It has come to our attention that attackers have taken advantage of this feature and actively abused it to send out spam emails to other users. We've taken two steps to mitigate this issue to some extent:

    1. Force revoked the group permission to use this form. Site owners can grant the permission again at their own discretion, although we strongly advise against this.
    2. The captcha protection of the mail form was previously enabled for guest access only and is now enforced for users alike. This is the first form to enforce the captcha for logged-in users too.

    For Developers: Changes to the HTML Markup For .contentItemLink

    The new .contentItemList was introduced as a generic implementation for content pieces that rely on teaser images. However, the DOM is somewhat flawed by expecting a link to wrap around the whole content section, which easily collides with certain content elements.

    HTML
    <a href="…" class="contentItemLink">
    <!-- content -->
    </a>

    Should be changed into:

    HTML
    <div class="contentItemLink">
    <!-- content -->
    <a href="…" class="contentItemLinkShadow"></a>
    </div>

    The CSS remains unaffected, causing no visual change if the old DOM continues to be used, preserving compatibility with existing implementations. The changes to the CSS are fully backwards compatible; however, we strongly encourage developers to adopt these changes as soon as possible.


    https://github.com/WoltLab/WCF/issues/3189

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out.

    WoltLab Suite Blog

    • The generated HTML for the article preview was invalid, causing some parts of the preview to not respond to clicks. 5.2
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of articles by tag did not support multiple result pages. 5.2
    • New template event in the header section of articles. 5.2

    WoltLab Suite Calendar

    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of events by tag did not support multiple result pages. 5.2

    WoltLab Suite Filebase

    • Custom input fields of type boolean could not be enabled due to a collision of the HTML id. 5.2
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of files by tag did not support multiple result pages. 5.2

    WoltLab Suite Gallery

    • The list of deleted images raised an exception when viewed by guests. 5.2
    • Pages excluded from access by search engines were incorrectly listed in the sitemap. 5.2
    • The list of albums and images by tag did not support multiple result pages. 5.2

    WoltLab Suite Forum

    • Attempting to move a thread raised an exception in PHP 7.4. 5.2
    • Incorrect handling of empty threads in the AMP view. 5.2
    • The list of threads by tag did not support multiple result pages. 5.2

    WoltLab Suite Core: Conversations

    • Resolved an issue when replying to conversations when one or more participants were deleted. 5.2

    WoltLab Suite Core: Importers

    • XenForo 2.x
      • Support for pixel based font sizes and the support for the rgb() format for colors. 5.2
      • Support for additional meta data used with embedded attachments. 5.2
    • WoltLab Suite 3.x, 5.x
      • Incorrect recognition of categories for imported media. 5.2

    WoltLab Suite Core

    • Resolved two compatibility issues with PHP 7.4. 5.2
    • New template events in the message sidebar in the rank section. 5.2
    • The form to add new phrases sometimes failed the validation of the selected category. 5.2
    • Incorrect prompt for i18n articles when attempting to create an article on the category list. 5.2
    • Collision of the mobile UI for messages on screen widths between 768 and 1024 px. 5.2
    • Improved main menu on oversized tablets that exceed 1024 px screen width. 5.2
    • Improved the display of code boxes in the AMP view. 5.2
    • The generated HTML for the article preview was invalid, causing some parts of the preview to not respond to clicks. 5.2

    but I'm curious about the reason it stops with an error.

    The screenshot shows a big red cross, which indicates that an error occurred. It should have displayed a proper on-screen error message, but possibly this was network related and there was no actual error message.


    You could try opening the developer tools of your browser (Windows: F12) and open the "Network" tab. Then navigate to the sitemaps, start the rebuild process and wait for it to finish. If it fails again and there is no error message, look at the results in the "Network" tab, there should be a failed request marked in red. Clicking on it reveals some useful status information of what has happened in the background, possibly revealing the root cause.

    Hello,


    That's super easy with some basic CSS. Edit your box and enter something in the field CSS Class Name, for example, boxWithoutPadding. Now, head over to "Customization > Global CSS and SCSS" and append the following code at the end of the input area:

    CSS
    .boxesSidebarLeft .box:not(.boxBorderless).boxWithoutPadding, .boxesSidebarRight .box:not(.boxBorderless).boxWithoutPadding {
        padding: 0;
    }

    Third Party Package Servers Provided by (Optional) Packages

    In recent years, we have seen an increasing number of incidents involving third-party package servers, focusing on packages offered in the Plugin-Store.


    In the interest of our customers, we have decided not to approve any new packages or updates that directly or indirectly (e.g. via optional packages) install third-party package servers. This explicitly only affects packages in the plugin store; there is no technical change in the core, and it is still possible to create package servers via third-party packages or by manually adding them.


    In this context, and in the interests of transparency, we would like to explain the primary reasons for our decision in the following.

    Lack of Necessity for Products in the Plugin-Store

    For extensions and styles from the plugin store, there is absolutely no need to install third-party package servers, because all updates are delivered directly from the Plugin-Store as soon as they are reviewed.

    Distribution of Non-audited Updates

    Some third-party vendors release updates for packages directly as soon as they are available and do not wait for the review in the plugin store. This is problematic because the final review of each new package and each update is done manually by a WoltLab GmbH employee.


    On average, every third update is rejected at the first attempt due to substantial defects. Early delivery via third-party package servers undermines this review, which aims to reduce both security and stability issues.

    Collision with Commercially Offered Products

    A special case is the premature release of updates, where the product is offered both in the Plugin-Store and directly by the third-party vendor. This can lead to conflicts if no access data has been stored for the third-party vendor's package server and updates are therefore offered before they are published in the Plugin-Store.

    Security Concerns Regarding Unaudited Packages and Updates

    The strength of the package system is also one of the biggest weak spots, because extensions can make almost arbitrary changes, up to the execution of security-critical malicious code. This is made more difficult by the fact that package servers can offer updates for almost any package for download, the only exception being our products, which can only be delivered via the official package servers.


    Unfortunately, incidents have occurred in which websites of third-party vendors have become the target of attacks, with both takeovers at the DNS level, i.e. the domains pointing to a foreign server, and the direct compromise of the server systems. This also means that an attacker gains control over the package servers of these providers and can exploit them to deliver malicious code almost without being noticed. A look beyond the horizon reveals that this is by no means a fictitious scenario, but rather a recurring threat, for example with NPM or various Linux distributions, which could often only be prevented by a high level of protection.

    Compatibility with the WoltLab Cloud

    We will soon start to review extensions and styles in the Plugin-Store for compatibility with the WoltLab Cloud. Entries that pass this test will be marked by us; we do not plan to use some kind of "negative marking" at this time.


    The criteria for determining compatibility are as follows:

    1. Compatibility with WoltLab Suite 5.2.
    2. Outgoing HTTP(S) connections consistently rely on the HTTPRequest class or handle the proxy configuration correctly.
    3. No outgoing connections to other TCP or UDP ports.
    4. No mass sending of emails.
    5. No overlapping with privileges that are subject to restrictions in the context of a managed service, such as direct database administration.
    6. Packages that install third-party package servers are generally excluded.

    These criteria are already met by the vast majority of packages, so no significant restrictions are to be expected.

    We have just released new versions of our products:

    • WoltLab Suite 5.2.3
    • WoltLab Suite 3.1.12
    • WoltLab Suite 3.0.23


    Stability releases (also known as "minor releases") aim to solve existing problems in the current version. Like every stability release, they do not introduce new features. It is strongly recommended to apply these updates.

    Performing System Updates

    Open your Administration Control Panel and navigate to Configuration > Packages > List Packages. Please click on the button Search for Updates located in the right corner above the package list.

    Compatibility with PHP 7.4

    This update introduces compatibility with PHP 7.4 for the WoltLab Suite 3.0.x and 3.1.x series.

    Notable Changes

    The list below includes only significant changes; minor fixes or typos are generally left out. Some changes have been applied in 3.1 or 5.2 in earlier updates and are not listed separately.

    WoltLab Suite Blog

    • Compatibility with PHP 7.4. 3.1 3.0
    • Improper encoding of values yielded incorrect data for enriched search results. 3.1

    WoltLab Suite Calendar

    • Imported events use the custom location name if the imported event from iCal does not expose coordinates. 5.2
    • The end date was sometimes uneditable. 3.1 3.0
    • Greatly increased the range for the maximum number of repeated event dates. 3.0
    • Skip invalid dates in imported iCal exports. 3.0

    WoltLab Suite Filebase

    • Custom boolean options did not show their value if the user selected "no". 5.2

    WoltLab Suite Gallery

    • The generated HTML of the album and image bbcode was sometimes invalid. 5.2
    • Watermarks have been incorrectly applied to thumbnails of video links. 3.1
    • The page location was incorrect for nested categories. 3.1 3.0
    • An incorrect number of images were reported inside the album bbcode. 3.1 3.0

    WoltLab Suite Forum

    • Empty RSS feeds could raise an exception. 5.2
    • Moved the reaction button on mobile devices back into the message menu due to several incompatibilities. 5.2
    • Threads could be hidden from the thread list if the thread starter is a guest and the current user blocks other users. 5.2
    • Custom boolean options did not show their value if the user selected "no". 5.2
    • The list of unresolved threads yielded inaccurate results for guests. 3.1
    • Incorrect logging of threads that are moved to the trash bin. 3.0
    • External links could break the user group permission form. 3.0

    WoltLab Suite Core: Conversations

    • Incorrect update of usernames when merging a user with another. 3.0
    • Leaving a draft conversation yielded an error. 5.2 3.1 3.0

    WoltLab Suite Core: Importers

    • SMF 2.x
      • Added support for legacy attachment filenames. 3.0
    • MyBB 1.x
      • Incorrect recognition of quotation marks inside font bbcodes. 3.1 3.0
    • vBulletin 5.x
      • Broader support for different [attach] types. 3.1
      • BBCodes in signatures had not been converted. 3.1
      • Improved the support for pixel based font sizes. 3.1

    WoltLab Suite Core

    • Improved the compatibility with code that relies on legacy message handling. 5.2
    • The system check now validates the availability of graphics processing libraries. 5.2
    • Improved the styling of messages for Google AMP. 5.2
    • Backspacing the empty editor in iOS Safari yielded unexpected HTML. 5.2
    • The number of pending notifications and the favicon were sometimes not updated when the browser tab is running in the background. 5.2
    • Mentioning a user group would yield only a single notification. 5.2
    • Improved the reaction UI for large touch devices (iPad Pro 12.9"). 5.2
    • Chromium based browsers did not properly outdent nested lists in the editor. 5.2
    • The upgrade from 3.1 to 5.2 failed in MySQL >= 8.0.19. 5.2
    • Adding or editing users could silently fail due to validation errors in the signature text. 3.1
    • Converting text lines into code in the WYSIWYG editor using Firefox could cause extra blank lines. 3.1
    • User mentions had a trailing whitespace that caused a small gap between mentions and the adjacent text. 3.1
    • Compatibility with PHP 7.4. 3.1 3.0
    • The Facebook login no longer requests legacy scopes that could cause issues. 3.0
    • Upgraded the GitHub login due to changes to their API endpoints. 5.2 3.1 3.0
    • Resizing the browser window would not always rebuild the dimensions of a dialog. 3.0
    • Rebuilding users could cause issues with signatures from newly registered users. 3.0
    • Reject access tokens of banned users. 3.1 3.0
    • HTML entities were encoded twice in the anchor links of the user profile tabs. 3.1 3.0
    • Error logs would sometimes be removed after a delay due to an incorrect time comparison. 5.2 3.1 3.0