Another reason to not have debug mode enabled...

Liam W

Liam W

in memoriam 1998-2020
...on a live site.

It only applies if you use user upgrades. If you have debug mode enabled, someone could change the PayPal purchase URL to the sandbox, and use that to make the purchase.

If you have debug mode enabled, the purchase will validate.

Obviously obvious to see when its been done, but just putting it out there, because I'm bored.
 
Kind of why I like to put my IP in the config to use debug mode. I think Chris D made the addon to have an enable checkbox in the admin cp. I usually reserve this for my test site but I installed in on the live site. Sometimes forget to turn it off when I am done whatever it was I was doing.
 
Liam W said:
...on a live site.

It only applies if you use user upgrades. If you have debug mode enabled, someone could change the PayPal purchase URL to the sandbox, and use that to make the purchase.

If you have debug mode enabled, the purchase will validate.

Obviously obvious to see when its been done, but just putting it out there, because I'm bored.
Click to expand...
@Mike Is this confirmed?
 
Yes. You may be able to compromise an account by watching the queries run or at least attempt to brute force login to an account. This is one of the many reasons you should never have debug mode enabled on a production site.
 
Mike said:
Yes. You may be able to compromise an account by watching the queries run or at least attempt to brute force login to an account. This is one of the many reasons you should never have debug mode enabled on a production site.
Click to expand...

How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
 
|Jordan| said:
How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
Click to expand...

Template modifications technically follow plugin development mentality. On the dev board then install via XML. However just enable debug for your IP address or user via the config as a conditional.
 
|Jordan| said:
How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
Click to expand...
This FIX corrects that bug
http://xenforo.com/community/resources/restore-new-button-for-template-modifications.2247/

(They call it design, some call it design flaw, I call it a bug. It's more than just a design flaw, but we lack a word for in between bug and design flaw, so I revert to bug)
 
|Jordan| said:
I tried that addon and the button doesn't appear for me (im using XF 1.3.2 with default style)
Click to expand...
I'd contact the developer.... I'm using the same version as you, XenForo 1.3.2 and have over 60+ add-ons without conflict.

1.webp
 
OSS 117 said:
This whooshed over my head. What causes exposure of your paypal?
Click to expand...

Nothing exposes it, but if you use account upgrades, and have debug mode enabled, and have a PayPal sandbox account with the same email as the main account, then all someone has to do is edit the HTML source of the user upgrade page and change the PayPal URL to the sandbox URL, and the purchase will go through and validate in XenForo.
 
Liam W said:
Nothing exposes it, but if you use account upgrades, and have debug mode enabled, and have a PayPal sandbox account with the same email as the main account, then all someone has to do is edit the HTML source of the user upgrade page and change the PayPal URL to the sandbox URL, and the purchase will go through and validate in XenForo.
Click to expand...

But wouldn't the person doing that have to be an admin? Regular users can't edit html source ... unless debug opens up far more than i think it does ...
 

Similar threads

Robust
Why won't debug mode enable
Replies
6
Views
1K
Robust
Robust
Back
Top Bottom