
XF 1.5 Possible Security Issue

Discussion in 'Troubleshooting and Problems' started by M J Austwick, Feb 21, 2016.

  1. M J Austwick

    M J Austwick New Member

    Hi,

    I moved from vB5 to Xenforo recently and it has been a huge success, but yesterday a new user posted claiming to have been randomly logged in as two different users, one of whom is a mod.

    They posted proof that they had indeed had Moderator level access, so I'm happy that they aren't just lying for fun.

    It is possible that the specific mod account may have been compromised, but I need to rule out the possibility that they are telling the truth. I'm not using any add ons other than the Media pack.

    Any thoughts?

    Oz

    [Attachment: hackedaccount.png]
     
  2. ManagerJosh

    ManagerJosh Well-Known Member

    What usergroups are they a part of?
     
  3. M J Austwick

    M J Austwick New Member

    Registered Users originally, now temporarily Banned.
     
  4. ManagerJosh

    ManagerJosh Well-Known Member

    You may want to audit the Registered User Group Permissions AND his individual permissions too.
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

    Yep
    Since a vB5 import is not in core, you either did a double import or had a custom one done. If custom, contact whomever did it.
    Odds are it's a perm/group issue.
     
  6. M J Austwick

    M J Austwick New Member

    I've checked the permissions and can't see anything out of the ordinary. Before we opened after migration we got rid of all the extra user groups that came across and reduced it down to the bare minimum.

    The user in question was newly registered, so their access isn't a throwback to the migration, we've been running for quite a while with no problems.

    My guess is it is a compromised account, but I have to check all the options.
     
  7. Mike

    Mike XenForo Developer Staff Member

    This is almost certainly caused by incorrect caching by your host or reverse proxy. I can see this happening explicitly in the response. Your forum is returning a 304 Not Modified response when I make requests to load pages, which isn't something XenForo does. (We send headers that should prevent proxies from caching this, but sometimes this is ignored.)

    I can see Sucuri/Cloudproxy involved, so that's probably the first place to check.
     
  8. M J Austwick

    M J Austwick New Member

    Thanks for the help, it looks like the caching was the problem and that should be resolved now.
     
  9. NeoCHI

    NeoCHI Active Member

    Sorry for necro bumping but I'm having the same issue. I just added nginx reverse proxy and expire headers to optimize my server.

    What exactly should I tell my host to do to fix this issue? I should be able to fix it without removing these features, right? I had the same setup on my old servers without a problem.
     
  10. NeoCHI

    NeoCHI Active Member

    Someone please advise. Forum members are freaking out because this is quite a serious issue.
     
  11. Mike

    Mike XenForo Developer Staff Member

    Frankly, you need to disable any proxy that is caching output from XenForo unless you specifically know it's "safe" to do so. We don't know how that cache has been setup so we can't really advise. Whoever set that up for you should be able to configure it (essentially just disable it).
     
  12. NeoCHI

    NeoCHI Active Member

    Header expire caching or nginx reverse proxy? I had both enabled on my old server without issue though....
     
  13. NeoCHI

    NeoCHI Active Member

    My host is suggesting using litespeed instead of nginx. Will that resolve this problem?
     
  14. Mike

    Mike XenForo Developer Staff Member

    I don't know what headers you've changed, so it's hard to be definitive. If you changed the headers output from a "normal" XenForo page, then that may be a problem.

    I also don't know what you mean specifically by "Nginx reverse proxy". If you mean proxying back to Apache for PHP, that won't cause problems itself. If you're caching the proxy output though, that certainly will.

    Without knowing the specific cause, it's hard to say. If you retain some level of page caching (such as if Varnish is in use), then the underlying web server change probably won't affect the issue.
     
  15. NeoCHI

    NeoCHI Active Member

    The header expire was added by using the Pre VirtualHost Include section in WHM and adding:

    # Turn on Expires and set default to 0
    ExpiresActive On
    ExpiresDefault A0

    # Set up caching on media files for 5 weeks
    # NOTE: no <FilesMatch>/<Directory> wrapper limiting these directives to
    # media files survives in this paste. At server scope each ExpiresDefault
    # overrides the previous one, and the appended Cache-Control tokens are
    # added to every response, forum pages included.
    ExpiresDefault A3024000
    Header append Cache-Control "public"

    # Set up 1 day caching on commonly updated files
    # NOTE: A604800 is 7 days (604800 s); 1 day would be A86400
    ExpiresDefault A604800
    Header append Cache-Control "proxy-revalidate"
     
    Last edited: Apr 20, 2017 at 12:52 AM
  16. NeoCHI

    NeoCHI Active Member

    Nginx is currently setup using

    ===
    https://engintron.com/
    ===

    From the plugin page, it looks like it may cache:


    Nginx Cache/Temp Disk Usage:
    518M /tmp/engintron_dynamic
    41M /tmp/engintron_static
    4.0K /tmp/engintron_temp

    There is an option on this page to purge cache and temp files. Would you like us to do this?

    As for the way this works:
    ===
    Nginx acts as a web traffic proxy, directly serving all static assets like CSS, JS, images etc. by default, instead of Apache. This drops significantly the CPU/RAM resources consumed by Apache, leaving your server with more available resources for other tasks or, better still, with room for more websites to host.

    The way Engintron sets up Nginx inside your cPanel is a lot like how the popular CloudFlare CDN works. Nginx (like CloudFlare) directly serves all static content like CSS, JS, images etc. instead of your actual web server, thus lowering the load on your cPanel server. But unlike CloudFlare which requires that all your domains are set up with that service, you do everything inside your cPanel server. And better still? You also have an additional caching layer for when your traffic spikes, not just on one website, but entirely for your server. This additional caching layer is referred to as a "micro cache" and it only caches GET & HEAD requests (never POST requests) which means that it is possible to use it on any type of website, either a small dynamic Joomla corporate website or WordPress blog to a more complex news portal or forum or e-commerce website, that requires users to log in and handle personalized content or even generate content. Engintron's 1 second "micro cache" solution setup with Nginx is therefore ideal for any type of website and it can raise the number of concurrent requests served by your cPanel server from a few hundred per second (using just Apache) to thousands (using Nginx in front of Apache).
    ===

    So does it look like it's the header expire or nginx that's causing the issue, and how should I resolve this?
     
    Last edited: Apr 20, 2017 at 1:12 AM
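The following is an added example and is not code from XenForo, Sucuri or Engintron. It models what Mike describes in post 7 and what the Apache directives in post 15 and the URL-keyed "micro cache" in post 16 do: a shared cache in front of the forum that keys only on the URL stores the page rendered for one logged-in visitor and hands it to the next one. It also shows the two checks that stop this (respecting `Cache-Control: private`/`Set-Cookie`, and bypassing the cache whenever a session cookie is present) and the symptom Mike used to spot it (a 304 to a request that sent no validator). Everything here is an assumption for illustration: the session cookie name `xf_session`, the origin's `private, no-cache, max-age=0` header, and the constructed page bodies and header values.

```python
"""Added example, not XenForo, Sucuri or Engintron code: a URL-keyed shared
cache in front of a forum, the leak it causes, and the checks that stop it.
Assumptions (illustration only): session cookie named xf_session, origin
marks pages 'private, no-cache, max-age=0', all bodies/headers constructed."""

SESSION_COOKIE = "xf_session"  # assumed cookie name


def parse_cache_control(value):
    """'private, max-age=0' -> {'private': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, sep, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def shared_cache_may_store(resp_headers):
    """Storability for a *shared* cache (RFC 7234 section 3, simplified):
    'private' or 'no-store' forbids storing, a Set-Cookie response is per-user,
    otherwise freshness info or an explicit 'public' is required.  Appending
    'public' (as 'Header append Cache-Control public' does) does not remove an
    existing 'private' token, so a header-respecting cache still refuses."""
    cc = parse_cache_control(resp_headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc or "Set-Cookie" in resp_headers:
        return False
    return any(k in cc for k in ("public", "max-age", "s-maxage")) or "Expires" in resp_headers


def looks_proxy_cached(status, req_headers, resp_headers):
    """Symptoms of a cache in the path: a 304 to a request that carried no
    validator (the origin itself would answer 200), or an Age header > 0."""
    unconditional = not any(h in req_headers for h in ("If-None-Match", "If-Modified-Since"))
    if status == 304 and unconditional:
        return True
    return int(resp_headers.get("Age", "0")) > 0


def origin(request):
    """Constructed stand-in for the forum: renders the page for the user the
    session cookie identifies and marks it private, as a login-aware app does."""
    user = request["cookies"].get(SESSION_COOKIE, "guest")
    return {"status": 200,
            "headers": {"Cache-Control": "private, no-cache, max-age=0"},
            "body": f"<p>Logged in as {user}</p>"}


class SharedCache:
    """URL-keyed reverse-proxy cache.  honor_headers: respect the origin's
    Cache-Control/Set-Cookie.  bypass_on_session_cookie: never store or serve
    from cache for a request carrying a session cookie."""

    def __init__(self, honor_headers, bypass_on_session_cookie):
        self.store = {}
        self.honor_headers = honor_headers
        self.bypass_on_session_cookie = bypass_on_session_cookie

    def fetch(self, request):
        key = (request["method"], request["url"])
        bypass = self.bypass_on_session_cookie and SESSION_COOKIE in request["cookies"]
        if not bypass and key in self.store:
            return dict(self.store[key], age=1)  # hit: whoever's page was stored
        resp = origin(request)
        storable = request["method"] in ("GET", "HEAD") and resp["status"] == 200
        if self.honor_headers:
            storable = storable and shared_cache_may_store(resp["headers"])
        if storable and not bypass:
            self.store[key] = resp
        return dict(resp, age=0)


def simulate(honor_headers, bypass_on_session_cookie):
    """A moderator loads a page, then a brand-new user loads the same URL.
    Returns (body the new user sees, Age the proxy would report)."""
    cache = SharedCache(honor_headers, bypass_on_session_cookie)
    url = "/index.php?account/"
    cache.fetch({"method": "GET", "url": url, "cookies": {SESSION_COOKIE: "moderator"}})
    second = cache.fetch({"method": "GET", "url": url, "cookies": {SESSION_COOKIE: "newuser"}})
    return second["body"], second["age"]


if __name__ == "__main__":
    print("generic micro cache:", simulate(False, False))  # new user gets the moderator's page
    print("honors private     :", simulate(True, False))
    print("bypasses on cookie :", simulate(False, True))
```

Running it shows the first configuration returning the moderator's page to the new user with Age 1, which is the thread's symptom; either of the other two policies makes the second fetch go to the origin. To probe a live site the same way, request a page twice with two different session cookies and look for an `Age` header or a 304 to an unconditional request, as `looks_proxy_cached` does.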
  17. NeoCHI

    NeoCHI Active Member

    Still hoping to get an answer here.

    For now I've removed the expire headers and cleared the nginx cache.
     
  18. Mike

    Mike XenForo Developer Staff Member

  19. NeoCHI

    NeoCHI Active Member

    But isn't there a way to use caching so that it doesn't cause an issue? Do I have to use memcache?
     
  20. Mike

    Mike XenForo Developer Staff Member

    We would never recommend using a "generic" full page caching method. It has to be aware of how XenForo works (and if someone is potentially logged in). You will need to use a different approach to caching.
     
