
Really? This is just a serious vulnerability, and, well, fine if you understand what you are giving to a person or you really have a real team assembled. But you do not know what is in every person's head, and at any moment he may want to play a dirty trick. And okay, this is all lyrics. Add-ons for XenForo can also contain XSS vulnerabilities, and even XenForo itself has them. And what will this vulnerability give us? The fact is that XenForo keeps a session identifier in the cookie, and there are scripts thanks to which you can log in as an administrator using the session identifier. It is enough for the user to find a vulnerability through which he will obtain this session, and he will then be able to go on to the database thanks to this magic function that will open access for him. When this feature is available in development or debugging mode, this will reduce the attacker's chances of gaining access.

