1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hidden Security Feature?

Discussion in 'XenForo Pre-Sales Questions' started by a legacy reborn, Feb 21, 2011.

  1. a legacy reborn

    a legacy reborn Well-Known Member

    Hello, I was testing out some xF security standards today and guess what I came across :). When I was just finishing...I ran a perl script to check to see if it could find the admin url...well...it found it at...every possible location! Great way to hide the admincp :). Really neat hidden feature if you ask me. (Before anyone says "well legacy thats only fake security", I know...but fake is better then no security am I right? Think of any other forum software and it would probably just give you the url making it one step easier for everyone to hack a site.)
  2. Floris

    Floris Guest

    You needed a perl script to guess /admin/ and admin.php ?
  3. a legacy reborn

    a legacy reborn Well-Known Member

    No, it checks several...I think somewhere near 1 hundred I was checking to see how my site would register in it.
  4. Floris

    Floris Guest

    So it took you a 100 guesses to find admin.php?
    XenForo is Not hiding it ..

    Sorry, I don't see if there's a problem to be honest.
  5. a legacy reborn

    a legacy reborn Well-Known Member

    It's not a problem, I am sorry if my message was misunderstood...It shows that they are all valid urls, but only one really works :)

    Edit:by valid I mean it is thinking that they are admin logins...this does not happen on other forum softwares ;)
  6. Mike

    Mike XenForo Developer Staff Member

    I have to say that whatever software you're testing with is mistaken. It's probably ignoring the 404 response that we send, and just looking at the HTML that's returned (which probably has a login form in it). We direct any request for a file that doesn't exist to index.php.
    SneakyDave, Floris and Darkimmortal like this.
  7. a legacy reborn

    a legacy reborn Well-Known Member

    That'd make sense, doesn't matter though, I still like it :). Makes me feel all warm and fuzzy inside.

    Just looked at it...

    if($response->content =~ /Username/ ||
    $response->content =~ /Password/ ||
    $response->content =~ /username/ ||
    $response->content =~ /password/ ||
    $response->content =~ /USERNAME/ ||
    $response->content =~ /PASSWORD/ ||
    $response->content =~ /Senha/ ||
    $response->content =~ /senha/ ||
    $response->content =~ /Personal/ ||
    $response->content =~ /Usuario/ ||
    $response->content =~ /Clave/ ||
    $response->content =~ /Usager/ ||
    $response->content =~ /usager/ ||
    $response->content =~ /Sing/ ||
    $response->content =~ /passe/ ||
    $response->content =~ /P\/W/ ||
    $response->content =~ /Admin Password/
    I'm assuming that would pick up any login form so Mike was right ;)

Share This Page