A patch has been provided for the issue if you can't upgrade. It's a matter of replacing 1 file and, unless you've manually edited that file, I don't see what customizations that would break.
I will check out the one-file option.
Our customization needs to be redone as an addon to accept upgrades. In this case, we kicked off a big event that is bringing a lot of new members onto our site as of two hours and forty-two minutes ago. They have paid a fair amount of money for the privilege; I kind of want things to go smoothly so they don't all ask for their money back. When I read the announcement on 1.5.4 last week, I assumed it would be just another routine upgrade, as all the others have been. Unfortunately, the extra variable is that I just barely found a way, a bad way, but a way, to log people into XenForo when they log in to our membership site. I just did not have time to get to it sooner, and when I did, I had only a few hours to work on it. I do not understand how to make an addon; I only found out Monday that I need to make an addon for XenForo. I also do not understand the basics of how to interact with the XenForo library. I just found out vaguely that XenForo has introduced a Data Writer that will be part of what I need. I found an addon that is not an addon, called Xenfor0 SDK, that has functions that did what I need, until I installed 1.5.4. I think that SDK needs to be redone to work with the updated XF library.
I made a bad decision in not taking a closer look at the one-file option. The announcement for 1.5.4 mentioned stealing cookies and other elements of the login process. When I saw that, I figured 1.5.4 was going to shut the door on the login through the SDK, but that could be false, and finding out would be quick.
I have a form that runs in our membership system that will log in to XenForo. I need it to happen invisibly in the background, not take over the interaction with the screen. The basic requirement is to log in to two systems with one sign-in.
I have reached the point of figuring out that one thing I can do is trace the XF processing of the external login form and intercept the process when it tries heading toward an XF page after the login has been accomplished, so I can route to where it needs to go. I have no idea yet how to configure that into an addon, and I am wondering where I can get a demo addon of a relevant nature that would give me something to start with.
Suffice it to say, I wasn't going to get all that taken care of between 6pm and 5am, so I disabled the profile posts, figuring that since a login apparently is required for this attack, the risk of a problem is kind of low given the nature of our membership, whereas not having a seamless transition from our membership app to XenForo is a definite killer. Neither choice is the one I want to be making, but life can be like that on occasion.
We would never recommend taking any action to attempt to resolve a security issue other than what we've presented as options in the announcement. In this case, I am not going to suggest that disabling profile posts will resolve the issue.
Mike, that is very well-stated, thank you.
Is a demo of the exploit available? Any other way to get more details about exactly what the vulnerability is?