XF 1.5 'Change the default user agent on outgoing HTTP requests to indicate XenForo' email

Stuart Wright

Well-known member
Got this email today
Hello Stuart
We've seen 3 odd requests to our website www.ceoemail.com today, like this: - - [12/Jan/2017:14:18:39 +0000] "GET /s.php?id=ceo-9195 HTTP/1.0" 403 9 "-" "XenForo/1.5 (https://www.avforums.com)" - - [12/Jan/2017:14:30:23 +0000] "GET /s.php?id=ceo-9195 HTTP/1.0" 403 9 "-" "XenForo/1.5 (https://www.avforums.com)" - - [12/Jan/2017:14:33:39 +0000] "GET /s.php?id=ceo-9195 HTTP/1.0" 403 9 "-" "XenForo/1.5 (https://www.avforums.com)"

It seems that this is new behaviour, according to this posting:
<pirate site snipped>

Here's the specific change description:

"Change the default user agent on outgoing HTTP requests to indicate XenForo and the triggering installation URL."

We checked with XenForo and they said that this behaviour doesn't come from their own software but from an unlicensed pirated version.
Are you running a pirated version of the XenForo forum software?
Look forward to hearing from you.

best wishes
Marcus Williamson
Editor www.ceoemail.com

Of course, we're not running pirated software.
Any idea what this is all about? I'm clueless.
Last edited by a moderator:


XenForo moderator
Staff member
The reference to a pirated version was caused by some confusion in the initial report to us, which linked to and referenced a site which illegally makes pirated versions of XF available for download.

It's not clear why your site is making GET requests to the site in question - www.ceoemail.com - unless it's to do with link title conversion?


XenForo developer
Staff member
No. The only built in thing would be link title conversion or the image proxy systems. Bear in mind that this could happen via conversations or even just a message preview (without the message being submitted).