
Another reason to not have debug mode enabled...

Liam W

Well-known member
#1
...on a live site.

It only applies if you use user upgrades. If you have debug mode enabled, someone could change the PayPal purchase URL to the sandbox, and use that to make the purchase.

If you have debug mode enabled, the purchase will validate.

Obviously obvious to see when it's been done, but just putting it out there, because I'm bored.
 

rainmotorsports

Well-known member
#4
Kind of why I like to put my IP in the config to use debug mode. I think Chris D made the addon to have an enable checkbox in the admin cp. I usually reserve this for my test site but I installed it on the live site. Sometimes I forget to turn it off when I am done with whatever it was I was doing.
 

Adam Howard

Well-known member
#5
...on a live site.

It only applies if you use user upgrades. If you have debug mode enabled, someone could change the PayPal purchase URL to the sandbox, and use that to make the purchase.

If you have debug mode enabled, the purchase will validate.

Obviously obvious to see when it's been done, but just putting it out there, because I'm bored.
@Mike Is this confirmed?
 

Mike

XenForo developer
Staff member
#6
Yes. You may be able to compromise an account by watching the queries run or at least attempt to brute force login to an account. This is one of the many reasons you should never have debug mode enabled on a production site.
 

|Jordan|

Active member
#7
Yes. You may be able to compromise an account by watching the queries run or at least attempt to brute force login to an account. This is one of the many reasons you should never have debug mode enabled on a production site.
How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
 

rainmotorsports

Well-known member
#8
How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
Template modifications technically follow plugin development mentality. On the dev board then install via XML. However just enable debug for your IP address or user via the config as a conditional.
 
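One way to do what the post above suggests, as an added example that is not the thread's or XenForo's own code: a fragment for the XenForo config file that keeps debug mode off by default and only enables it for one maintenance address, with an expiry so it cannot be left on by accident (the address, the expiry date and the reliance on the socket address rather than a proxy header are assumptions for the example).

```php
<?php
// Added example fragment for library/config.php (not XenForo's own code).
// $config['debug'] is the real XenForo setting; everything else here is
// illustrative and must be adapted to your deployment.

// Production default: debug mode is off unless the conditions below hold.
$config['debug'] = false;

// Placeholder maintenance address (TEST-NET-3 range); replace with your own.
$maintenanceIp = '203.0.113.10';

// Hard expiry: after this date debug mode stays off even from the
// maintenance address, so forgetting to revert the change is harmless.
$debugUntil = strtotime('2030-01-01 00:00:00 UTC');

// Use the socket address, not X-Forwarded-For: a client can put any value
// in that header, so it only identifies the caller behind a proxy you
// control that overwrites it.
$clientIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

if ($clientIp === $maintenanceIp && time() < $debugUntil)
{
    $config['debug'] = true;
}
```

Everyone else, including anyone tampering with the user upgrade page's PayPal form, still sees the production behaviour, which is the property the thread is warning you to preserve.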

Adam Howard

Well-known member
#9
How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
This FIX corrects that bug
http://xenforo.com/community/resources/restore-new-button-for-template-modifications.2247/

(They call it design, some call it design flaw, I call it a bug. It's more than just a design flaw, but we lack a word for something in between bug and design flaw, so I revert to bug)
 

Liam W

Well-known member
#13
This whooshed over my head. What causes exposure of your paypal?
Nothing exposes it, but if you use account upgrades, and have debug mode enabled, and have a PayPal sandbox account with the same email as the main account, then all someone has to do is edit the HTML source of the user upgrade page and change the PayPal URL to the sandbox URL, and the purchase will go through and validate in XenForo.
 

|Jordan|

Active member
#14
Nothing exposes it, but if you use account upgrades, and have debug mode enabled, and have a PayPal sandbox account with the same email as the main account, then all someone has to do is edit the HTML source of the user upgrade page and change the PayPal URL to the sandbox URL, and the purchase will go through and validate in XenForo.
But wouldn't the person doing that have to be an admin? Regular users can't edit HTML source ... unless debug opens up far more than I think it does ...