Some shoutbox actions do not use CSRF tokens and can be triggered by linking to them via img tags or similar. One of my users informed me of this problem. Temporary fix, remove ban/delete permissions from all users/groups or 403 the actions via the webserver.
If the viewing user has permission...
For example, anything@gmial.com will get flagged as spam and the email verification for the account will be skipped, since it will be set for administrator approval. I noticed this because of a typo a user made when registering.
It would be best to query the whois databases directly, rather than rely on an external service for whois information.
I use host and whois for my needs.
But, RIPE does have a pretty good API which searches the other databases as well...
Someone had the bright idea to make their "about" field a giant blob of stacking diacritics, which went over the hard-coded limit of 65535 characters.
Stacking diacritics look like this, and can be posted fine when under the character limit...
Users that are marked as promoted in the log won't get doubly promoted, so if your cron was run before the promotion was properly configured this could be the cause.
You can check the promotion log ( /admin.php?user-group-promotions/manage ) to see if the selected users are considered as having...
Most users who register multiple accounts do so because they have forgotten about their old account or don't know how to operate the site.
If you're worried about users registering new accounts for malicious purposes you should consider enabling admin approval of accounts. You can then check...
You could do something like this: http://xenforo.com/community/threads/taigachat-pro-realtime-chat-shoutbox-paid.40821/page-25#post-478492
Or customise it to be a blacklist for user ids.
It's reasonable that someone may end up liking many posts quickly.
It's not reasonable that someone may like 100 posts within a minute.
Tested on XenForo 1.1.5 without any addons enabled.
A reasonable throttle should be added to prevent something like...
use warnings;
use strict;
use...
irc.xfchat.com has address 199.48.161.184
Seems to be owned by nodesdirect.com/servercomplete.com
It's quite annoying that many hosts disallow IRC simply because it's associated with piracy.
Seems the fix you applied also fixed the input filter itself, as strval would previously error when passing things like _xfResponseType, or xf_session in cookies, as an array.
Example:
http://xenforo.com/community/index.php?_[]=anything
http://xenforo.com/community/admin.php?_[]=anything
Edit: On a side note, the autolinker doesn't like underscores.
Similar errors occur in many places where an array isn't expected and wouldn't happen under normal use...
The links to edit, export, and create addons are only visible on the addon list when debug mode is enabled, but they can be accessed directly and still function without debug mode.
The uninstall addon page links to the edit addon page, regardless of debug mode.
It'll do you no good if a targeted user requests a single page over HTTP, as it could be modified to send the entered username/password on the login form or cookie to an external site. The user wouldn't even be aware it happened.
Doing the method described in my original post is not good because it can lead to a hash extension attack, so disregard it completely.
Though I still believe a better method could be used to verify customers which does not put customers at the risk of impersonation.
Anyone you send it to for validation, and anyone who has access to the medium in which it is sent, not limited to the intended recipient. The token can be misused during this time until it is re-generated.
@Adam Howard
Uh, that is an unexpected development. Wonder what is being used to...
Multiple tokens can be generated for different purposes at the same time without invalidating previous tokens. None of the information needs to be stored as the server can re-generate it on its own later.
When sending your token/domain to anyone, you're fully trusting them not to misuse that...