XF 1.5 The XSS Threat Patched by 1.5.4

[Dan Allen]

For the XSS threat patched by 1.5.4, for the threat to be exploited, does the attack have to be made by using an active login. In other words, without being logged in, can the XSS threat patched by 1.5.4 be exploited?

 

[Amaury]

If you're contemplating updating or not, it's always good to have the latest version as soon as possible.

 

[Dan Allen]

If you're contemplating updating or not, it's always good to have the latest version as soon as possible.

That statement is false. Situations vary.

Do you have information that might contribute to answering the question starting this thread?

 

[Dan Allen]

The threat is via profile posts. I believe those can be disabled and when they are enabled, they require a valid login

 

[Steve F]

Not sure why you wouldn't want to upgrade, or the situation but the upgrade is a simple task. You may also apply the patch which is one file change.

 

[Dan Allen]

Not sure why you wouldn't want to upgrade, or the situation but the upgrade is a simple task. You may also apply the patch which is one file change.

Steve, Have you ever had reasons to do things that seemed odd to others? Did you like it when they insinuated you were ignorant or unwise? Do you like for people to show they assume you are competent and have considered what you were doing? Have you ever had someone show an interest in learning from your unusual actions as opposed to looking for their best angle to correct what they assume is an error? Can you imagine any reason why an enterprise might be served best by not applying a particular upgrade to software?

I know you are smart enough to hypothesize a good reason for deferring an upgrade. I bet you can suggest one if you want to. Why do you elect to take a critical stance instead? What makes you think I might not know what I am doing and that you might be the one with something to learn by my odd consideration of deferring an upgrade.

We disabled profile posts. We have time constraints and customization that is broken by this upgrade. I do not want to read another word of phony wisdom about always putting on upgrades.

I did not start this thread to obtain opinions on upgrading software. I asked a specific question and so far there has been not a single word even acknowledging the question.

 

[Mike]

The may be other areas that could potentially be exploited, though profile posts would be the main one. We would never recommend taking any action to attempt to resolve a security issue other than what we've presented as options in the announcement. In this case, I am not going to suggest that disabling profile posts will resolve the issue.

A patch has been provided for the issue if you can't upgrade. It's a matter of replacing 1 file and, unless you've manually edited that file, I don't see what customizations that would break.

 

[Dan Allen]

A patch has been provided for the issue if you can't upgrade. It's a matter of replacing 1 file and, unless you've manually edited that file, I don't see what customizations that would break.

I will check out the one-file option.

Our customization needs to be redone as an addon to accept upgrades. In this case, we kicked off a big event that is bringing a lot of new members onto our site as of two hours and forty two minutes ago. They have paid a fair amount of money for the privilege, I kind of want things to go smooth, so they don't all ask for their money back. When I read the announcement on 1.5.4, last week I assumed it would be just another routine upgrade as all the others have been. Unfortunately, the extra variable is I just barely have found way, a bad way, but a way to log people into xenforo when they login to our membership site. I just did not have time to get to it sooner and when I did I had only a few hours to work on it. I do not understand how to make an addon, I only found out Monday that I need to make an addon to xenforo. I also do not understand basics of how to interact with the xenforo library. I just found out vaguely that Xenforo has innovated a Data Writer that will be part of what I need. I found an addon that is not an addon called Xenfor0 SDK that has functions that did what I need, until I installed 1.5.4. I think that SDK needs to be redone to work with the updated XF library.

I made a bad decision to not have taken a closer look at the one-file option. The announcement for 1.5.4 mentioned stealing cookies and other elements of the login process. When I saw that, I figured 1.5.4 was going to shut the door on the login through the SDK, but that could be false and finding out would be a quick.

I have a form that runs in our membership system will login to xenforo. I need it to happen invisibly in the background, not take over the interaction with the screen.. The basic requirement is to login to two systems with one signin.

I have reached the point of figuring out one thing I can do is trace the xf processing of the external login form, intercept the process when it tries hearding toward an xf page after the login has been accomplished, so I can route to where it needs to go. I have no idea yet about how to configure that into an addon and I am wondering where I can get a demo addon of a relevant nature that would give me something to start with.

Suffice to say, I wasn't going to get all that taken care of between 6pm and 5am, so disabling the profile posts and figuring that a login apparently is required for this attack, the risk of a problem is kind of low, given the nature of our membership, whereas not having a seemless transition from our membership app to xenforo is definite killer. Neither choice is the one I want to be making, but life can be like that on occasion.

We would never recommend taking any action to attempt to resolve a security issue other than what we've presented as options in the announcement. In this case, I am not going to suggest that disabling profile posts will resolve the issue.

Mike, that is very well-stated, thank you.

Is a demo of the exploit available? Any other way to get more details about exactly what the vulnerability is?

 

[Mike]

I made a bad decision to not have taken a closer look at the one-file option. The announcement for 1.5.4 mentioned stealing cookies and other elements of the login process. When I saw that, I figured 1.5.4 was going to shut the door on the login through the SDK, but that could be false and finding out would be a quick.

Those are listed as possible effects of exploiting the issue. They are somewhat unrelated to the actual vector which is used for it. There is nothing changed in relation to the login process.

Is a demo of the exploit available? Any other way to get more details about exactly what the vulnerability is?

We won't release specifics. You can read a bit about the class of vulnerability though:

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://en.wikipedia.org/wiki/Cross-site_scripting

That's the concept of what it allowed without giving you the actual vector.

 

[Dan Allen]

We won't release specifics.

Thank you for answering, I should have known better than to ask for those specifics, so I am sorry for asking. I used to rationalize, "there is no good reason to keep that information locked away from customers." Later, when I was responsible for a security problem software I had provided,I saw the matter in a different light. So thank you for providing the information you did, I appreciate immensely.

I can't wait until I understand the object-oriented and other features of Xenforo, so I can get my clients work done faster and with better or best practices. Xenforo is the finest software I have ever had the chance to work with. I cannot think of a reason I won't be trying to make all my software along the lines of Xenforo once I know how