XF 2.0 Can server security be compromised by...

Arnox

Arnox

Active member
a rogue admin on a separate XenForo installation that is used for testing? It doesn't seem likely to me personally, but I feel I should ask anyway, just to be sure.
 
Sort by date Sort by votes
"It depends"

What level of access did the admin have? Could they upload files to the server? Whats the server config? Were there any exploitable services or modules running?
 
Upvote 0 Downvote
Slavik said:
"It depends"

What level of access did the admin have? Could they upload files to the server? Whats the server config? Were there any exploitable services or modules running?
Click to expand...

In terms of server access, they won't have any. They would be a total admin, but only on the test XF installation and nowhere else on the server. They COULD upload files to the server, but it would have to be through XF's attachments/resource management system. As to the server config, could you be more specific? And finally, how would I know if there's any exploitable services/modules running, barring making sure things are updated?

EDIT: Oh crap, I forgot. They would have access to installing add-ons. OK, so prohibit add-on access, right?
 
Upvote 0 Downvote
webbouk said:
If you've got to ask the question why continue to allow them admin level ?
Click to expand...

They don't have any admin/moderator privileges yet. But they wish to have permission to work on a separate isolated installation of XenForo for testing purposes. Furthermore, we do NOT have the budget (or literally any budget at all) to hire a sec. consultant. And that's OK. I don't expect anyone to harden my server for free at all. But I do need to know...

Is there a high risk?
 
Upvote 0 Downvote
Arnox said:
They don't have any admin/moderator privileges yet. But they wish to have permission to work on a separate isolated installation of XenForo for testing purposes. Furthermore, we do NOT have the budget (or literally any budget at all) to hire a sec. consultant. And that's OK. I don't expect anyone to harden my server for free at all. But I do need to know...

Is there a high risk?
Click to expand...
He/she needs to get skin in the game and buy their own xf license and host it up cheap themselves. Just my 2 cents.
 
Upvote 0 Downvote
Manster54 said:
He/she needs to get skin in the game and buy their own xf license and host it up cheap themselves. Just my 2 cents.
Click to expand...

Sorry for the long time to reply. The person is going to be working with me on my site. They'd just like to implement and test all proposed changes with a working viewable test installation.
 
Upvote 0 Downvote
Arnox said:
They don't have any admin/moderator privileges yet. But they wish to have permission to work on a separate isolated installation of XenForo for testing purposes
Click to expand...
Just have a separate vps server for test install - cheap hourly billed VPSes can be had at linode and digitalocean and upcloud cloud vps providers for just these kind of tasks.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

MegaPixel
Server Security
Replies
5
Views
608
MegaPixel
MegaPixel
jgas
My server has been compromised.
Replies
18
Views
2K
TPerry
TPerry
mlx
php.net server compromised and PHP 5.3.6 released
Replies
0
Views
2K
mlx
mlx
Back
Top Bottom