1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.4 Security Alerts

Discussion in 'Troubleshooting and Problems' started by PeteyG, Nov 19, 2014.

  1. PeteyG

    PeteyG New Member

    Hi All

    I have installed Xenoforo and its running well, though after setting everything up we ran a vulnerability scanner on our site (unfortunately we have been seriously hacked in the past and left a tad paranoid), a couple of high warnings issued:

    High Alerts:
    GET /community/index.php
    -Cleartext Password over HTTP
    -solution: Passwords should never be sent over cleartext. The form should submit to an HTTPS target.

    GET /community/
    -Session Cookie Without Secure Flag
    Solution: When creating the cookie in the code, set the secure flag to true.

    Medium Alerts:

    Our php is tight, our linux server stripped down to the bare essential bones, it would be great to know we are safe with Xenforo... Does anyone else ever have problems of security, indeed any pointers on how to remedy these alerts appreciated.

    Many thanks
  2. Chris D

    Chris D XenForo Developer Staff Member

    These errors are mostly expected if your site URL begins with http:// rather than https://

    To run your site over https you will need to obtain an SSL certificate, and configure the web server to redirect non-SSL requests to SSL.
    Last edited: Nov 19, 2014
  3. PeteyG

    PeteyG New Member

  4. Chris D

    Chris D XenForo Developer Staff Member

    That appears to be a false positive. That particular example wouldn't work as a SQL injection.
  5. PeteyG

    PeteyG New Member

    Champion :)

Share This Page