As designed Avatar URLs can be guessed

Jeremy P

Well-known member
Seems pretty tedious to fix really. If you're that concerned you can change the config flag and rename/move your data directory.

$config['externalDataPath'] = '/path/root/whatever';
Well, it depends; you could use some form of salted hash, but I know that it's rather minor and not really a bug, but a consequence of the way things work (both vBulletin and IP.B are vulnerable to this, too).
That's why I said, that it's not a bug per se.

I just thought I'd mention it, because a user on one of my projects (which is still in stealth testing, but will be deployed to a select audience) noticed it during penetration testing of the server and software. It may be seen as a rather drastic security issue if you have a board with primarily real-life avatars.

Your suggestion is one way to fix this, though. I'll look into whether people can deduce that path somehow.

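The two options discussed in this thread (enumerable ID-based paths versus a salted/keyed file name) are easy to compare with a small, added example. This is not XenForo code and not the poster's code; the `{externalDataPath}/avatars/{size}/{user_id // 1000}/{user_id}.jpg` layout is assumed for illustration, the `secret` is a hypothetical server-side key, and Python is used only because the scheme is language-independent.

```python
import hmac
import hashlib
from typing import Iterable, List


def predictable_avatar_path(data_path: str, size: str, user_id: int) -> str:
    """Assumed ID-based layout: anyone who knows the data path and a user ID
    can build this URL without ever seeing the member's profile."""
    return f"{data_path}/avatars/{size}/{user_id // 1000}/{user_id}.jpg"


def enumerate_avatar_paths(data_path: str, size: str, max_user_id: int) -> List[str]:
    """What an attacker does once the layout is known: walk the ID space."""
    return [predictable_avatar_path(data_path, size, uid) for uid in range(1, max_user_id + 1)]


def salted_avatar_path(data_path: str, size: str, user_id: int, secret: bytes) -> str:
    """Keyed-hash file name (HMAC-SHA256 over the user ID with a server-side
    secret). Without `secret` there is no way to go from a user ID to a path,
    so ID enumeration stops working; the board itself can still compute the
    name deterministically when it renders a profile."""
    tag = hmac.new(secret, str(user_id).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{data_path}/avatars/{size}/{tag[:2]}/{tag}.jpg"


def fraction_guessed(real_paths: Iterable[str], guessed_paths: Iterable[str]) -> float:
    """Share of the real avatar paths that appear in an attacker's guess list."""
    real = list(real_paths)
    guessed = set(guessed_paths)
    return sum(1 for p in real if p in guessed) / len(real)


if __name__ == "__main__":
    # Constructed sample: three members of a board whose IDs are unknown to the attacker.
    members = (3, 57, 1234)
    secret = b"hypothetical-server-side-secret"   # assumption: lives in config, never served

    guesses = enumerate_avatar_paths("data", "l", 2000)
    print("ID-based layout guessed:",
          fraction_guessed([predictable_avatar_path("data", "l", u) for u in members], guesses))
    print("keyed-hash layout guessed:",
          fraction_guessed([salted_avatar_path("data", "l", u, secret) for u in members], guesses))
```

Two caveats a deployer would want: moving `externalDataPath` is also just a secret, but a single shared one that appears in the `src` of every avatar served to a logged-in member, so enumeration resumes as soon as one page is seen, which is the limit the developer points out below. The keyed-hash scheme removes enumeration by outsiders but does nothing against a member scraping profiles, since each profile page still embeds its own avatar URL; both variants also assume directory listing is disabled on the data path.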

XenForo developer
Staff member
I take the point, though we don't really consider avatars private. Really, this is the best approach for ease of use (from a general development perspective) and performance. You could go trawling through user IDs, though you wouldn't have info about the user to tie it with.

The suggestion of moving the external data path is likely a reasonable workaround. (Once you have access to the board, you can get basic member info and find all the avatars like that.)