security

It would be great if there was an add-on for our forums that checked the users password during account creation and password change, against known breached passwords (checked against haveibeenpwned.com) and then suggests using something stronger. A website https://toepoke.co.uk/user.aspx/create...

DragonByte keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity. Uses DragonByte is the ideal product for forums that are concerned about security, or wish to be alerted when something suspicious happens. Featuring...

Some add-ons utilize the Redactor Editor in the ACP. The following setting produces the infamous security error ("Security Error – hit back, refresh page" etc) Login to the front end as some test user* New browser tab, login to the ACP as admin* Visit add-on page with redactor text editor Click...

When posting Error Reports in public forums like xenforo.com or a developers forum its unwise to post raw error reports as that will expose server details, user details and xenforo details of the website, which can be abused by hackers. The report itself could still show the full details. but...

Duo is a well respected two-factor authentication provider. Please add support for Due to Xenforo. https://duo.com/docs/duoweb contains documentation, including GitHub php library for easy integration.

Hello, I am looking for a companies and/or individuals who are considered website security experts.... if that's what their called... I don't know, but I'm looking for some. :ROFLMAO: Okay, no seriously. I would like to hire someone who knows the in's and out's of securing a website from all...

Details for this enhancement request.... Feature list (This will be updated with suggestions as people add them): Multiple Authentication Methods... Support authentication using LDAP/LDAPS, Kerberos, or local DB (LDAP/LDAPS is highly desired for compatibility with multiple platforms.)...

DragonByte keeps a watchful eye over your forum even when you are not there, and has the capability to alert you of any suspicious activity. Uses DragonByte is the ideal product for forums that are concerned about security, or wish to be alerted when something suspicious happens. Featuring...

Hello all, After looking around on the forums, I found this thread discussing LDAP and Active Directory. However, seeing as the thread was from 2011, I thought it better to make my own thread instead of necro-ing the other one. That being said, I am trying to use LDAP to enable Single Sign-On...

Enhance the security on your site using this very basic add-on. There has been a surprising increase in malicious attacks to XenForo sites through injection of malicious code into your templates. Limiting the access of all templates to yourself and a small handful may not always be a...

It recently came to our attention that there is a potential vulnerability in FFmpeg which has the potential to be exploited via XenForo Media Gallery if you have FFmpeg features enabled (or are using any other code that uses FFmpeg). The issue is exploitable by using a specially constructed...

Okay, I have a user on my forum who tells me that he can view my forum just fine (as a guest) at work, but when he tries to login to my forum he gets the following error message: He tells me that he can login just fine without any error messages from his smart phone or his home computer...

disregard. It works just fine

If an attacker tries to login to many accounts, then the admin should be made aware of this. This allows the admin to take countermeasures and reevaluate security. Please consider to add a function to notify the admin of such event. It can be in the form of an email or an on-site alert or...

The registration form has a username validation function. it seems this can be abused by attackers to find out what accounts are present on the site. The attacker can run a script to try millions of possible usernames to get a member list. I have recently encountered such attack on my vbulletin...

You may be aware of services like Amazon Mechanical Turk or Microworkers. These are crowdsourcing services that allow vendors to pay small amounts of money for the completion of tasks. These tasks often range from things like helping Google and Bing rank search results (human experience), and...

I think having to re-authenticate every 30 days is a bit of a hassle, personally. Large services like Google and Facebook don't make me re-authenticate every 30 days, they permanently remember the browser unless cookies are cleared. Having the option to adjust the 30 day period to be longer...

Let's take the following scenario: An attacker has gained access to the users password and one of these requirements: he has access to the device where the user selected 'remember this device for 30 days' or he can somehow bypass the login 2FA, because the user has selected 'remember this...

Hello, I am currently working on developing a security and risk assessment service called Trust+, and I intend to release an add-on for Xenforo which utilizes the service. Trust+ will be launched with the following features; The ability to intelligently detect and block disposable email...

This resource has been replaced by the Trust+ Risk Analysis system.