XF 1.5 Possible Security Issue

[M J Austwick]

Hi,

I moved from vB5 to Xenforo recently and it has been a huge success, but yesterday a new user posted claiming to have been randomly logged in as two different users, one of whom is a mod.

They posted proof that they had indeed had Moderator level access, so I'm happy that they aren't just lying for fun.

It is possible that the specific mod account may have been compromised, but I need to rule out the possibility that they are telling the truth. I'm not using any add ons other than the Media pack.

Any thoughts?

Oz

 

[ManagerJosh]

Hi,

I moved from vB5 to Xenforo recently and it has been a huge success, but yesterday a new user posted claiming to have been randomly logged in as two different users, one of whom is a mod.

They posted proof that they had indeed had Moderator level access, so I'm happy that they aren't just lying for fun.

It is possible that the specific mod account may have been compromised, but I need to rule out the possibility that they are telling the truth. I'm not using any add ons other than the Media pack.

Any thoughts?

OzView attachment 128964

What usergroups are they a part of?

 

[M J Austwick]

Regsisterd Users originally, now temporarily Banned.

 

[ManagerJosh]

Regsisterd Users originally, now temporarily Banned.

You may want to audit the Registered User Group Permissions AND his individual permissions too.

 

[TPerry]

Yep
since a VB5 import is not in core you either did a double import or had a custom one done. if custom contact whomever did it.
odds are its a perm/group issue.

 

[M J Austwick]

I've checked the permissions and can't see anything out of the ordinary. Before we opened after migration we got rid of all the extra user groups that came across and reduced it down to the bare minimum.

The user in question was newly registered, so their access isn't a throwback to the migration, we've been running for quite a while with no problems.

My guess is it is a compromised account, but have to chekc all the options.

 

[Mike]

This is almost certainly caused by incorrect caching by your host or reverse proxy. I can see this happening explicitly in the response. Your forum is returning a 304 not modified response when I make requests to load pages, which isn't something XenForo does. (We send headers that should prevent proxies from caching this, but sometimes this is ignored.)

I can see Sucuri/Cloudproxy involved, so that's probably the first place to check

 

[M J Austwick]

Thanks for the help, it looks like the caching was the problem and that should be resolved now.

 

[NeoCHI]

Sorry for necro bumping but I'm having the same issue. I just added nginx reverse proxy and expire headers to optimize my server.

What exactly should I tell my host to do to fix this issue. I should be able to fix it without removing these features right cause I had the same setup on my old servers without a problem.

 

[NeoCHI]

Someone please advise. Forum members are freaking cause this is quite a serious issue.

 

[Mike]

Frankly, you need to disable any proxy that is caching output from XenForo unless you specifically know it's "safe" to do so. We don't know how that cache has been setup so we can't really advise. Whoever set that up for you should be able to configure it (essentially just disable it).

 

[NeoCHI]

Header expire caching or nginx reverse proxy? I had bot enabled on my old server without issue though....

 

[NeoCHI]

My host is suggesting using litespeed instead of nginx. Will that resolve this problem?

 

[Mike]

Header expire caching or nginx reverse proxy?

I don't know what headers you've changed, so it's hard to be definitive. If you changed the headers output from a "normal" XenForo page, then that may be a problem.

I also don't know what you mean specifically by "Nginx reverse proxy". If you mean proxying back to Apache for PHP, that won't cause problems itself. If you're caching the proxy output though, that certainly will.

My host is suggesting using litespeed instead of nginx. Will that resolve this problem?

Without knowing the specific cause, it's hard to say. If you retain some level of page caching (such as if Varnish is in use), then the underlying web server change probably won't affect the issue.

 

[NeoCHI]

I don't know what headers you've changed, so it's hard to be definitive. If you changed the headers output from a "normal" XenForo page, then that may be a problem.

I also don't know what you mean specifically by "Nginx reverse proxy". If you mean proxying back to Apache for PHP, that won't cause problems itself. If you're caching the proxy output though, that certainly will.


Without knowing the specific cause, it's hard to say. If you retain some level of page caching (such as if Varnish is in use), then the underlying web server change probably won't affect the issue.

The header expire was added by using Pre VirtualHost Include section in WHM and adding:

# Turn on Expires and set default to 0
ExpiresActive On
ExpiresDefault A0

# Set up caching on media files for 5 weeks

ExpiresDefault A3024000
Header append Cache-Control "public"


# Set up caching on media files for 5 weeks

ExpiresDefault A3024000
Header append Cache-Control "public"


# Set up 1 day caching on commonly updated files

ExpiresDefault A604800
Header append Cache-Control "proxy-revalidate"

 

[NeoCHI]

Nginx is currently setup using

===
https://engintron.com/
===

From the plugin page, it looks like it may cache: Home » Plugins » Engintron for cPanel/WHM


Nginx Cache/Temp Disk Usage:
518M /tmp/engintron_dynamic
41M /tmp/engintron_static
4.0K /tmp/engintron_temp

There is an option on this page to purge cache and temp files. Would you like us to do this?

As for the way this works:
===
Nginx acts as a web traffic proxy, directly serving all static assets like CSS, JS, images etc. by default, instead of Apache. This drops significantly the CPU/RAM resources consumed by Apache, leaving your server with more available resources for other tasks or, better still, with room for more websites to host.

The way Engintron sets up Nginx inside your cPanel is a lot like how the popular CloudFlare CDN works. Nginx (like CloudFlare) directly serves all static content like CSS, JS, images etc. instead of your actual web server, thus lowering the load on your cPanel server. But unlike CloudFlare which requires that all your domains are set up with that service, you do everything inside your cPanel server. And better still? You also have an additional caching layer for when your traffic spikes, not just on one website, but entirely for your server. This additional caching layer is referred to as a "micro cache" and it only caches GET & HEAD requests (never POST requests) which means that it is possible to use it on any type of website, either a small dynamic Joomla corporate website or WordPress blog to a more complex news portal or forum or e-commerce website, that requires users to log in and handle personalized content or even generate content. Engintron's 1 second "micro cache" solution setup with Nginx is therefore ideal for any type of website and it can raise the number of concurrent requests served by your cPanel server from a few hundred per second (using just Apache) to thousands (using Nginx in front of Apache).
===

So does it look like its the header expire or nginx thats causing the issue and how should I resolve this?

 

[NeoCHI]

Still hoping to get an answer here.

For now I've removed the expire headers and cleared the nginx cache.

 

[Mike]

I do recall dealing with Engintron once before and there was clear evidence that caching was enabled in Nginx (https://www.nginx.com/blog/nginx-caching-guide/). Assuming that's the case here, you'd need to disable that.

 

[NeoCHI]

But isn't there a way to use caching so that it doesn't cause an issue? Do I have to use memcache?

 

[Mike]

We would never recommend using a "generic" full page caching method. It has to be aware of how XenForo works (and if someone is potentially logged in). You will need to use a different approach to caching.