security

  1. jazz_aaf

    [Jazzaaf] xenAntiVirus 1.0.0

    Description: This add-on will check new attachments for viruses and malware code using Virustotal.com's api. Features: Disable new attachments until marked clean. (on/off) Exclude File Types. Exclude User Groups. Use in Private Conversations. (on/off) Permission-based access to the report...
  2. Complete

    XF 2.0 2FA Does Not Send Email Code

    It does not send the code, the authentication app works but not the the e-mail.
  3. Alfa1

    'Copy' function to remove sensitive data(Security) and personal information (GDPR) from Server Error Report

    When you report a bug to xenforo or to a developers site, then you will often need to copy the server error report from the xenforo admin panel to the forum of the developer/xenforo. This report often contains personal information like IP address, email, username. It also contains sensitive...
  4. N

    XF 2.1 Is unmodified XenForo 2.1 safe for TLSv1.3 0-RTT?

    In particular, can we enable 0-RTT for all GET requests in core XenForo, even those with parameters? In other words, do you guarantee that all GET requests in XenForo are idempotent? (I understand that we must ourselves check all our add-ons are secure against replay attacks.) Thank you.
  5. nrep

    Add random hash to exported addon zips

    If you export an addon, it generates a zip file with a directory and filename that could easily be guessed (or known). This means that if an addon was exported on a live site, it would be possible for someone else to download without permission. Perhaps a random hash could be appended to the...
  6. C

    XF 2.0 File Health Check /install/index.php

    Hello there, So, this is the first time I have ever run into this issue. Typically I delete any install or upgrade folders from my server for security purposes. Out of the blue I get an email saying that some files were problematic. Those files are as follows: /install/index.php...
  7. WoodiE

    Password check via haveibeenpwned

    It would be great if there was an add-on for our forums that checked the users password during account creation and password change, against known breached passwords (checked against haveibeenpwned.com) and then suggests using something stronger. A website https://toepoke.co.uk/user.aspx/create...
  8. DragonByte Tech

    [DBTech] DragonByte Security 4.3.0

    DragonByte keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity. Uses DragonByte is the ideal product for forums that are concerned about security, or wish to be alerted when something suspicious happens. Featuring...
  9. Freelancer

    Won't fix Security Error through editor while switching Rich Text to BBCode

    Some add-ons utilize the Redactor Editor in the ACP. The following setting produces the infamous security error ("Security Error – hit back, refresh page" etc) Login to the front end as some test user* New browser tab, login to the ACP as admin* Visit add-on page with redactor text editor Click...
  10. Alfa1

    Lack of interest Error Reports without security sensitive details

    When posting Error Reports in public forums like xenforo.com or a developers forum its unwise to post raw error reports as that will expose server details, user details and xenforo details of the website, which can be abused by hackers. The report itself could still show the full details. but...
  11. Mouth

    Lack of interest Add support for Duo to two-step verification

    Duo is a well respected two-factor authentication provider. Please add support for Due to Xenforo. https://duo.com/docs/duoweb contains documentation, including GitHub php library for easy integration.
  12. Welder

    Website Security Experts Needed

    Hello, I am looking for a companies and/or individuals who are considered website security experts.... if that's what their called... I don't know, but I'm looking for some. :ROFLMAO: Okay, no seriously. I would like to hire someone who knows the in's and out's of securing a website from all...
  13. Foxtrek_64

    Add-on XenForo LDAP Authentication

    Details for this enhancement request.... Feature list (This will be updated with suggestions as people add them): Multiple Authentication Methods... Support authentication using LDAP/LDAPS, Kerberos, or local DB (LDAP/LDAPS is highly desired for compatibility with multiple platforms.)...
  14. DragonByte Tech

    [DBTech] DragonByte Security 4.0.1

    DragonByte keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity. Uses DragonByte is the ideal product for forums that are concerned about security, or wish to be alerted when something suspicious happens. Featuring...
  15. Foxtrek_64

    XF 1.5 xenForo Active Directory/LDAP

    Hello all, After looking around on the forums, I found this thread discussing LDAP and Active Directory. However, seeing as the thread was from 2011, I thought it better to make my own thread instead of necro-ing the other one. That being said, I am trying to use LDAP to enable Single Sign-On...
  16. nanocode

    Unmaintained [n] Template Security 1.1.0

    Enhance the security on your site using this very basic add-on. There has been a surprising increase in malicious attacks to XenForo sites through injection of malicious code into your templates. Limiting the access of all templates to yourself and a small handful may not always be a...
  17. Chris D

    Potential FFmpeg security vulnerability

    It recently came to our attention that there is a potential vulnerability in FFmpeg which has the potential to be exploited via XenForo Media Gallery if you have FFmpeg features enabled (or are using any other code that uses FFmpeg). The issue is exploitable by using a specially constructed...
  18. PumpinIron

    User complaining about not being able to login at work?

    Okay, I have a user on my forum who tells me that he can view my forum just fine (as a guest) at work, but when he tries to login to my forum he gets the following error message: He tells me that he can login just fine without any error messages from his smart phone or his home computer...
  19. Dan Allen

    XF 1.5 How Does "Stay Logged Work?"

    disregard. It works just fine
  20. Alfa1

    Alert Admin in case of unusual high login attempts

    If an attacker tries to login to many accounts, then the admin should be made aware of this. This allows the admin to take countermeasures and reevaluate security. Please consider to add a function to notify the admin of such event. It can be in the form of an email or an on-site alert or...
Top