Some shoutbox actions do not use CSRF tokens and can be triggered by linking to them via img tags or similar. One of my users informed me of this problem. Temporary fix: remove ban/delete permissions from all users/groups, or 403 the actions via the webserver.
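Added example (not the shoutbox addon's or XenForo's own code, which is PHP; this is a language-independent illustration in Python) of why a state-changing action that fires on any request carrying the session cookie is exploitable through an img tag, and what the fix looks like: accept only POST, and require a per-session token that a cross-site page cannot read. The session store, the `ban` handler, the URL and the `csrf_token` field name are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the forum's session store and user table
# (example state only, not the real data model).
SESSIONS = {"victim-cookie": {"user_id": 7, "csrf_token": secrets.token_hex(16)}}
BANNED = set()


def handle_ban(method, cookie, params, require_token):
    """Dispatch a (hypothetical) shoutbox 'ban' action.

    require_token=False reproduces the reported bug: the action fires on any
    request that carries the moderator's session cookie, including the GET a
    browser makes for an <img src="..."> on a third-party page.
    require_token=True is the fix: POST only, and the request must carry the
    per-session token, which the same-origin policy hides from other sites.
    Returns an HTTP-style status code.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return 401
    if require_token:
        if method != "POST":
            return 405
        sent = params.get("csrf_token", [""])[0]
        # Constant-time comparison of the submitted token with the session's.
        if not hmac.compare_digest(sent, session["csrf_token"]):
            return 403
    BANNED.add(int(params["user_id"][0]))
    return 200


def cross_site_img(url, victim_cookie, require_token):
    """What <img src=url> on an attacker's page produces: a GET with the victim's
    cookie attached automatically and no way to include the token."""
    qs = parse_qs(urlsplit(url).query)
    return handle_ban("GET", victim_cookie, qs, require_token)


def cross_site_form_post(victim_cookie, require_token, guessed_token=""):
    """An auto-submitted cross-site form: POST with the cookie, but the attacker
    can only guess the token."""
    params = {"user_id": ["99"], "csrf_token": [guessed_token]}
    return handle_ban("POST", victim_cookie, params, require_token)


def legitimate_post(victim_cookie, require_token):
    """The forum's own form embeds the session token, so it passes the check."""
    token = SESSIONS[victim_cookie]["csrf_token"]
    params = {"user_id": ["99"], "csrf_token": [token]}
    return handle_ban("POST", victim_cookie, params, require_token)
```

Rejecting GET alone is not enough (a cross-site form can POST), and the token alone is not enough if it is ever placed in a URL, so the hardened path demands both. The webserver-level 403 mentioned above is the stopgap until the addon does this check itself.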
If the viewing user has permission...
For example, email@example.com will get flagged as spam and the email verification for the account will be skipped, since it will be set for administrator approval. I noticed this because of a typo a user made when registering.
It would be best to query the whois databases directly, rather than rely on an external service for whois information.
I use host and whois for my needs.
But, RIPE does have a pretty good API which searches the other databases as well...
Someone had the bright idea to make their "about" field a giant blob of stacking diacritics, which went over the hard-coded limit of 65535 characters.
Stacking diacritics look like this, and can be posted fine when under the character limit...
Users that are marked as promoted in the log won't get doubly promoted, so if your cron was run before the promotion was properly configured, this could be the cause.
You can check the promotion log (/admin.php?user-group-promotions/manage) to see if the selected users are considered as having...
Most users who register multiple accounts do so because they have forgotten about their old account or don't know how to operate the site.
If you're worried about users registering new accounts for malicious purposes you should consider enabling admin approval of accounts. You can then check...
It's reasonable that someone may end up liking many posts quickly.
It's not reasonable that someone may like 100 posts within a minute.
Tested on XenForo 1.1.5 without any addons enabled.
A reasonable throttle should be added to prevent something like...
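Added example (not XenForo's code, which is PHP; a language-independent Python illustration) of the kind of throttle the post above asks for: a per-user sliding window that admits a burst of likes but refuses the 100-in-a-minute case. The limit of 30 per minute, the `LikeThrottle` class and the timestamps fed to it are assumptions constructed for the example.

```python
from collections import defaultdict, deque


class LikeThrottle:
    """Sliding-window limiter: at most `limit` likes per `window` seconds per user.

    Timestamps are passed in explicitly so the behaviour is deterministic and
    testable; in a real handler `now` would be time.time().
    """

    def __init__(self, limit=30, window=60.0):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # user_id -> timestamps of accepted likes

    def allow(self, user_id, now):
        """Return True and record the like if the user is under the limit."""
        q = self._events[user_id]
        cutoff = now - self.window
        # Drop likes that have slid out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(throttle, user_id, timestamps):
    """Feed a burst of like attempts through the throttle; return (accepted, rejected)."""
    accepted = rejected = 0
    for t in timestamps:
        if throttle.allow(user_id, t):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected
```

A sliding window is preferable to a fixed per-minute counter here because a counter that resets on the minute boundary still lets 2x the limit through in a two-second span straddling the boundary. The same structure works for any other cheap, repeatable action (reports, follows, conversation invites).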
Edit: On a side note, the autolinker doesn't like underscores.
Similar errors occur in many places where an array isn't expected and wouldn't happen under normal use...
The links to edit, export, and create addons are only visible on the addon list when debug mode is enabled, but they can be accessed directly and still function without debug mode.
The uninstall addon page links to the edit addon page, regardless of debug mode.
It'll do you no good if a targeted user requests a single page over HTTP, as it could be modified to send the username/password entered on the login form, or the cookie, to an external site. The user wouldn't even be aware it happened.
Using the method described in my original post is not good because it can lead to a hash extension attack, so disregard it completely.
I still believe, though, that a better method could be used to verify customers which does not put customers at risk of impersonation.
Anyone you send it to for validation, and anyone who has access to the medium in which it is sent, not limited to the intended recipient. The token can be misused during this time until it is re-generated.
Uh, that is an unexpected development. Wonder what is being used to...
Multiple tokens can be generated for different purposes at the same time without invalidating previous tokens. None of the information needs to be stored as the server can re-generate it on its own later.
When sending your token/domain to anyone, you're fully trusting them not to misuse that...
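Added example (not the vendor's verification scheme, which is not shown on this page) of the construction the posts above point at: a customer verification token that the server can re-generate from a secret and the token's own fields, so nothing is stored per token, several tokens for different purposes can be outstanding at once, and a token for one purpose cannot be replayed for another. It uses HMAC rather than a hash of secret||message, which is the shape a hash extension attack needs. The key, purposes, customer id and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed server-side secret for the example. A real deployment keeps this
# out of the code base; rotating it is how every outstanding token is
# re-generated (invalidated) at once.
SERVER_KEY = b"example-key-rotate-me"


def _mac(key, payload):
    # HMAC, not hashlib.sha256(key + payload): a bare keyed hash of
    # key||message is exactly what length extension exploits.
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_token(key, purpose, customer_id, valid_for=3600, now=None):
    """Issue 'purpose|customer|expiry|mac', base64url-encoded.

    Different purposes yield independent tokens; issuing one does not
    invalidate another, and the server stores none of them.
    """
    if "|" in purpose or "|" in str(customer_id):
        raise ValueError("field separator not allowed in token fields")
    now = int(time.time()) if now is None else int(now)
    payload = f"{purpose}|{customer_id}|{now + valid_for}".encode()
    raw = payload + b"|" + _mac(key, payload).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def verify_token(key, token, purpose, now=None):
    """Return the customer id if the token is authentic, unexpired and issued
    for `purpose`; otherwise None. Malformed input is treated as invalid."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
        got_purpose, customer_id, expiry_s, mac_hex = raw.split("|")
        expiry = int(expiry_s)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    payload = f"{got_purpose}|{customer_id}|{expiry_s}".encode()
    # Authenticate before interpreting any field.
    if not hmac.compare_digest(mac_hex, _mac(key, payload)):
        return None
    if got_purpose != purpose or expiry < now:
        return None
    return customer_id
```

Binding the purpose into the MAC is what lets one customer hold several tokens at once without one being usable as another. The expiry is the other half of the "until it is re-generated" risk above: anyone who sees the token can use it only for that purpose and only until the expiry passes or the key is rotated.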