For example, anything@gmial.com will get flagged as spam and the email verification for the account will be skipped, since it will be set for administrator approval. I noticed this because of a typo a user made when registering.
Someone had the bright idea to make their "about" field a giant blob of stacking diacritics, which went over the hard-coded limit of 65535 characters.
Stacking diacritics look like this, and can be posted fine when under the character limit...
It's reasonable that someone may end up liking many posts quickly.
It's not reasonable that someone may like 100 posts within a minute.
Tested on XenForo 1.1.5 without any addons enabled.
A reasonable throttle should be added to prevent something like...
use warnings;
use strict;
use...
Example:
http://xenforo.com/community/index.php?_[]=anything
http://xenforo.com/community/admin.php?_[]=anything
Edit: On a side note, the autolinker doesn't like underscores.
Similar errors occur in many places where an array isn't expected and wouldn't happen under normal use...
The links to edit, export, and create addons are only visible on the addon list when debug mode is enabled, but they can be accessed directly and still function without debug mode.
The uninstall addon page links to the edit addon page, regardless of debug mode.
The customer verification requires only a token and optionally a domain.
It's up to whoever is asking for the token to keep it safe and check the domain by having a unique file uploaded. This may not always happen.
If tokens are instead generated using a secret salt and a message they could...
To change the keys, you must edit library/XenForo/Captcha/ReCaptcha.php directly. It'd be nice if this could be changed in the admin settings instead, so it won't get overwritten with updates or marked as an invalid file.
Doing so prevents a known attack with reCaptcha caused by using global...
Deleting my own post directly gives the error "You do not have permission to view this page or perform this action."
But the delete does work: http://xenforo.com/community/threads/delete-test.48747/
Using the inline delete works without an error.
Deleting a post directly doesn't indicate the post was successfully deleted; it just reloads the delete post page, which also doesn't indicate the post is already deleted.
Example:
http://xenforo.com/community/posts/522662/delete
Perhaps this could be considered a bug, since the inline delete...
Reproduce: attempt to set multiple nodes to "Private" at the same time. This takes longer on servers with more content, so I wasn't able to reproduce it in a test environment without addons.
The result was nodes that displayed as set to private in the admincp while actually being accessible by...
The uploader detects PHP's upload limit, but not the web server's limit.
If the web server's file upload size limit is lower than XenForo's, it causes the uploader to just return an error "undefined."
JS console produces this after a few upload progress updates:
Uploaded 8060928/11290580...
XenForo currently uses sha256, or sha1 if that isn't available. Basically this:
hash('sha256', hash('sha256', $password) . $salt);
sha1(sha1($password) . $salt);
These hashes aren't ideal for password storage because they are fast and can be cracked fast. I think XenForo should add support for...
An unused password reset code can be used at any time so long as another password reset isn't requested. Sorry if a time limit is already implemented and I missed it.
Reproduce:
insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`)...
Remembering passwords in the admin control panel causes them to be stored in plaintext on the computer.
HTML5 has a new attribute for the input element called autocomplete, which tells the browser not to remember the entered value, and not to bring up previously remembered values, though it...
If a user is registering or logging in and a server error occurs during the request, the full state of the request gets sent to the error log, including the user's password. I believe this information should be censored in the log to protect user privacy and confidence in security.
Censoring the...
Currently I use the "banned emails" list to disallow all Microsoft emails, because they completely block our emails (they don't even go to the spam inbox), so users will never get their confirmation email. This also means that many of our users who previously used Microsoft emails can no longer get...
Viewing an error log via AJAX causes a JSON error if the log contains certain unicode. Viewing the error directly by browsing works without error.
This error occurred from someone scanning my websites for vulnerabilities, not from normal usage.
\xC0\xAE and \xC0\xAF were used, which is a unicode...
css.php doesn't check user variables' data types, so passing an array for example will cause a (harmless) error. This shouldn't happen under normal usage, and doesn't appear to have any potential security concern so long as the error is caught, however, some functions may return unexpected...
Using the template search returns a list with a red X on the right. The hover text on this X is "Delete..." which is a bit confusing, since viewing modified templates from /admin.php?styles/default-style.1/templates has "Revert the customizations to this template" as the hover text, and...