Another reason to not have debug mode enabled...

Liam W

in memoriam 1998-2020
...on a live site.

It only applies if you use user upgrades. If you have debug mode enabled, someone could change the PayPal purchase URL to the sandbox, and use that to make the purchase.

If you have debug mode enabled, the purchase will validate.

Obviously obvious to see when it's been done, but just putting it out there, because I'm bored.
 
Kind of why I like to put my IP in the config to use debug mode. I think Chris D made the addon to have an enable checkbox in the admin cp. I usually reserve this for my test site but I installed it on the live site. Sometimes I forget to turn it off when I am done with whatever it was I was doing.
 
@Mike Is this confirmed?
 
Yes. You may be able to compromise an account by watching the queries run or at least attempt to brute force login to an account. This is one of the many reasons you should never have debug mode enabled on a production site.
 

How are we supposed to add template modifications if it should never be enabled then? Wouldn't leaving it enabled just while adding the template modifications be just as dangerous?
 

Template modifications technically follow plugin development mentality. On the dev board then install via XML. However just enable debug for your IP address or user via the config as a conditional.
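One way to do the per-IP conditional mentioned above, as an added example that is not code from this thread or from XenForo itself: a library/config.php fragment for XenForo 1.x that leaves $config['debug'] off for everyone except a short allow-list of admin addresses. The database values and the admin IP are constructed placeholders; $config['debug'] and the $config['db'] keys are XenForo's own settings.

```php
<?php
// library/config.php (XenForo 1.x) -- added example; the database values and
// the admin IP below are constructed placeholders, not real settings.
$config['db']['host']     = 'localhost';
$config['db']['port']     = '3306';
$config['db']['username'] = 'xf_user';    // placeholder
$config['db']['password'] = 'CHANGE_ME';  // placeholder
$config['db']['dbname']   = 'xenforo';    // placeholder

$config['superAdmins'] = '1';

// Debug mode is off by default on the live site...
$config['debug'] = false;

// ...and switched on only for requests from a fixed allow-list of admin
// addresses. 203.0.113.10 is a documentation (TEST-NET-3) placeholder;
// array() rather than [] keeps this valid on the PHP 5.2/5.3 XF 1.x supports.
$debugAllowedIps = array('203.0.113.10');

$remoteIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

// Strict comparison so an empty or unexpected value never matches an entry.
if (in_array($remoteIp, $debugAllowedIps, true))
{
	$config['debug'] = true;
}
```

Two caveats: config.php is read during bootstrap before any user session exists, so the client IP is what a conditional here can actually key on, which is why the check is per-address rather than per-user; and REMOTE_ADDR is the TCP peer, so behind a CDN or reverse proxy it holds the proxy's address and the allow-list would match either nobody or everyone coming through that proxy. In that setup the real client address has to be restored at the web server layer (trusting only the proxy's forwarding header) before this check means anything.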
 
This FIX corrects that bug
http://xenforo.com/community/resources/restore-new-button-for-template-modifications.2247/

(They call it design, some call it design flaw, I call it a bug. It's more than just a design flaw, but we lack a word for in between bug and design flaw, so I revert to bug)
 
I tried that addon and the button doesn't appear for me (I'm using XF 1.3.2 with default style)
I'd contact the developer.... I'm using the same version as you, XenForo 1.3.2 and have over 60+ add-ons without conflict.

 
This whooshed over my head. What causes exposure of your paypal?

Nothing exposes it, but if you use account upgrades, and have debug mode enabled, and have a PayPal sandbox account with the same email as the main account, then all someone has to do is edit the HTML source of the user upgrade page and change the PayPal URL to the sandbox URL, and the purchase will go through and validate in XenForo.
 

But wouldn't the person doing that have to be an admin? Regular users can't edit HTML source ... unless debug opens up far more than I think it does ...
 