Another reason to not have debug mode enabled...

Discussion in 'Off Topic' started by Liam W, May 5, 2014.

  1. Liam W

    Liam W Well-Known Member

    ...on a live site.

    It only applies if you use user upgrades. If you have debug mode enabled, someone could change the PayPal purchase URL to the sandbox, and use that to make the purchase.

    If you have debug mode enabled, the purchase will validate.

    Obviously obvious to see when it's been done, but just putting it out there, because I'm bored.
     
  2. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    What are the other reasons? :)
     
  3. Liam W

    Liam W Well-Known Member

    It could have a negative performance impact...
     
  4. rainmotorsports

    rainmotorsports Well-Known Member

    Kind of why I like to put my IP in the config to use debug mode. I think Chris D made the addon to have an enable checkbox in the admin cp. I usually reserve this for my test site but I installed it on the live site. Sometimes forget to turn it off when I am done whatever it was I was doing.
     
  5. Adam Howard

    Adam Howard Well-Known Member

    @Mike Is this confirmed?
     
  6. Mike

    Mike XenForo Developer Staff Member

    Yes. You may be able to compromise an account by watching the queries run or at least attempt to brute force login to an account. This is one of the many reasons you should never have debug mode enabled on a production site.
     
    Adam Howard likes this.
  7. |Jordan|

    |Jordan| Active Member

    How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
     
    Adam Howard likes this.
  8. rainmotorsports

    rainmotorsports Well-Known Member

    Template modifications technically follow plugin development mentality. On the dev board then install via XML. However just enable debug for your IP address or user via the config as a conditional.
     
  9. Adam Howard

    Adam Howard Well-Known Member

    This FIX corrects that bug
    http://xenforo.com/community/resources/restore-new-button-for-template-modifications.2247/

    (They call it design, some call it design flaw, I call it a bug. It's more than just a design flaw, but we lack a word for in between bug and design flaw, so I revert to bug)
     
  10. |Jordan|

    |Jordan| Active Member

  11. OSS 117

    OSS 117 Well-Known Member

    This whooshed over my head. What causes exposure of your PayPal?
     
  12. Adam Howard

    Adam Howard Well-Known Member

    I'd contact the developer.... I'm using the same version as you, XenForo 1.3.2 and have over 60+ add-ons without conflict.

     
  13. Liam W

    Liam W Well-Known Member

    Nothing exposes it, but if you use account upgrades, and have debug mode enabled, and have a PayPal sandbox account with the same email as the main account, then all someone has to do is edit the HTML source of the user upgrade page and change the PayPal URL to the sandbox URL, and the purchase will go through and validate in XenForo.
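
A server-side guard for the scenario in the post above, as an added example that is not part of the thread and not XenForo's own code: the payment callback refuses sandbox-flagged PayPal notifications unless a dedicated setting allows them. `classifyIpn`, `$allowSandbox` and the sample addresses are assumptions; `test_ipn`, `receiver_email` and `payment_status` are standard PayPal IPN fields.

```php
<?php
// Added example, not XenForo code: pre-checks for a PayPal IPN before any
// upgrade is granted. $allowSandbox is a hypothetical dedicated setting.

const PAYPAL_LIVE_VERIFY    = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const PAYPAL_SANDBOX_VERIFY = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

/**
 * Returns [accepted, verifyUrl, reason]. An accepted notification must still
 * be posted back to verifyUrl and answered "VERIFIED" before it is trusted.
 */
function classifyIpn(array $ipn, bool $allowSandbox, string $expectedEmail): array
{
    // PayPal sets test_ipn=1 on notifications that originate from the sandbox.
    $isSandbox = (string)($ipn['test_ipn'] ?? '') === '1';

    // Sandbox acceptance is its own switch and is never derived from the
    // debug flag, so leaving debug mode on cannot enable it.
    if ($isSandbox && !$allowSandbox) {
        return [false, null, 'sandbox notification on a live site'];
    }
    $receiver = strtolower(trim((string)($ipn['receiver_email'] ?? '')));
    if ($receiver !== strtolower($expectedEmail)) {
        return [false, null, 'receiver_email mismatch'];
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return [false, null, 'payment not completed'];
    }
    // A notification without test_ipn is verified against the live endpoint,
    // so a sandbox transaction should not come back VERIFIED.
    $url = $isSandbox ? PAYPAL_SANDBOX_VERIFY : PAYPAL_LIVE_VERIFY;
    return [true, $url, 'post back to PayPal for verification'];
}

// Constructed sample notifications (not real transactions).
$samples = [
    'live'    => ['receiver_email' => 'pay@example.com', 'payment_status' => 'Completed'],
    'sandbox' => ['receiver_email' => 'pay@example.com', 'payment_status' => 'Completed',
                  'test_ipn' => '1'],
];
foreach ($samples as $name => $ipn) {
    [$ok, $url, $reason] = classifyIpn($ipn, false, 'pay@example.com');
    printf("%-8s %-8s %s\n", $name, $ok ? 'accept' : 'reject', $reason);
}
```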
     
  14. |Jordan|

    |Jordan| Active Member

    But wouldn't the person doing that have to be an admin? Regular users can't edit HTML source ... unless debug opens up far more than I think it does ...
     
  15. Liam W

    Liam W Well-Known Member

    Chrome dev tools...
     
  16. EQnoble

    EQnoble Well-Known Member

    PHP:
    if ($_SERVER['REMOTE_ADDR'] == 'YOUR.IP.ADDY.HERE') {
        $config['debug'] = true;
    }
    Problem solved?
     
    |Jordan| and AndyB like this.
  17. Liam W

    Liam W Well-Known Member

    I do that, others don't.
     
