Outdated XenForo installs being targeted: keep your forum patched up to date

lazy llama

It looks like a group has been actively exploiting XSS vulnerabilities in older versions of XenForo (< 2.3.9).
They targeted 112 sites and defaced at least some of them.

Two of the sites affected were linux.org and FreeBSD.org, both supporting popular open source projects, which seem to be rather unfortunate targets for someone allegedly trying to get a message over.


 
Are these the official sites of the Linux Foundation (rather not) or connected to it, and of BSD (with the latter it seems to be the case)? Interesting that two OS OSes use a commercial forum software. The forum at linux.org is displaying ads of the most useless kind one can imagine in a way that one asks oneself if this forum is really officially connected to Linux or rather some hobbyist or commercial forum and undermines trust in the forum.
 
The FreeBSD one is their "official" forum - that they use XenForo is testament to how good the software is, certainly compared to open source offerings.
Linux.org is just a hobbyist forum, not official Linux Foundation, Linux Kernel Org or anything, albeit one with a good domain name and good SEO :)
 