We've had a few recent problems with old accounts being hacked for the purpose of "selling" goods (i.e., scamming) in our member-to-member marketplace using these stolen identities. (The amounts are in the low thousands of dollars each, so it's serious.) Our forum has been around for 17 years...
XF 1.5.21 (and some older versions) use jQuery 1.11.0 which has a known XSS security vulnerability of medium severity. https://snyk.io/vuln/npm:jquery:20150627
I don't think conversations need to be sniffed by Google Analytics, so is there a way to exclude Google Analytics from conversation pages?
Maybe wrapping <xen:if is="{$isConversation}"> around the analytics template works, but what would the isConversation variable be?
When posting error reports in public forums like xenforo.com or a developer's forum, it's unwise to post raw error reports, as that will expose server details, user details and XenForo details of the website, which can be abused by hackers.
The report itself could still show the full details, but...
Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months...
I've found a minor-to-medium security issue on XenForo's default install, I've been searching for resources for responsible disclosure of this, but I haven't been able to find any. Please let me know.
It recently came to our attention that there is a potential vulnerability in FFmpeg which has the potential to be exploited via XenForo Media Gallery if you have FFmpeg features enabled (or are using any other code that uses FFmpeg).
The issue is exploitable by using a specially constructed...
Browsers like Firefox are blocking Adobe Flash and showing a security warning:
Firefox has prevented the unsafe plugin "Adobe Flash" from loading on xenforo.com
Meanwhile, Facebook is calling on Adobe to kill Flash and states that it's no longer a risk worth taking.
I suggest removing Flash...
If you're running 18.0.0.203, you're fine. Anything below and you should update as soon as possible.
You can check your version here: Adobe - Flash Player
Credit to a friend of mine from another forum: Adobe Flash possibly compromised | KH-Vids | Your ultimate source for Kingdom Hearts media...
Info: http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
This issue affects anyone doing DNS lookups, including reverse DNS lookups.
XenForo explicitly does DNS lookups of IPs at registration time, and as such...