XF 2.1 XenForo 2.1.10 Patch

G

GPA-R

Active member
Hi,

Can the latest patch (2.1.10) be applied to 2.1.7 and 2.1.8? Or only if running 2.1.9?

Thanks
 
Sort by date Sort by votes
GPA-R said:
I'll be updating soon to 2.1.10 but for the time being, since I'll be needing to update addons and themes at the same time, I'll stick to the security fixes for a few more days. @ozzy47 @AddonFlare ozzy47
Click to expand...

baby forum theme xentr.net they are always up to date. Make me think Has the Snogsite spaminator plug-in been updated as well? and addonflare statistics plugin
 
Last edited:
Upvote 0 Downvote
There have already been a couple of patches that address some sort of cross site scripting vulnerability that were identified by a member exercising good faith, but wut if it were discovered by a malicious actor? Wut would deter such individual(s) from taking advantage of it and install some form of malware because of a vulnerability XF was not aware of? Is there some form of security in place to prevent these types of scripts from modifying the software before it is too late? :unsure:
 
Upvote 0 Downvote
l3ta said:
There have already been a couple of patches that address some sort of cross site scripting vulnerability that were identified by a member exercising good faith, but wut if it were discovered by a malicious actor? Wut would deter such individual(s) from taking advantage of it and install some form of malware because of a vulnerability XF was not aware of? Is there some form of security in place to prevent these types of scripts from modifying the software before it is too late? :unsure:
Click to expand...
There is no open door in xenforo.
 
Upvote 0 Downvote
l3ta said:
That we know of. Obviously there was one that got identified in time. However, I wouldn't like to only count on the goodwill of members when it comes to software vulnerabilities.
Click to expand...
If it were open, the baby forum was already history. They try to do ddos attack every day because they can't do anything
 
Upvote 0 Downvote
l3ta said:
There have already been a couple of patches that address some sort of cross site scripting vulnerability that were identified by a member exercising good faith, but wut if it were discovered by a malicious actor? Wut would deter such individual(s) from taking advantage of it and install some form of malware because of a vulnerability XF was not aware of? Is there some form of security in place to prevent these types of scripts from modifying the software before it is too late? :unsure:
Click to expand...
Well that's the very nature of any software, unfortunately. If a security issue is discovered by a bad actor then all bets are off.

XSS exploits - which are generally the most frequent type of security issue we see - if they were exploited in a bad way the worst case scenario is they'd be able to take control of an admin account by taking your cookies, though there's a few safeguards in place there.

First, if you happened to have an active Admin CP session then it likely still wouldn't work because we expire the session if your IP address changes.

Second, if there was no active Admin CP session they still wouldn't be able to log in without your username and password which is not discoverable through cookies for obvious reasons.

That's quite a nasty worse case scenario, but the good news is that the type of XSS exploits we have seen are generally very edge case and very hard to practicably exploit.

The most recent ones required very specific reproduction steps and I'd be surprised if they were practicably exploitable but of course we have to treat them with a reasonable amount of severity regardless.

So, while it is important for us to release fixes for them, and for you to apply them as soon as possible, don't necessarily assume that there's always a huge and severe risk, and ultimately don't worry too much :)
 
Upvote 0 Downvote
Exactly, there is no known deficit in xenforo. Friends are very worried. I'm not worried at all. there are attacks on the baby community every day. There were spam bots, and they can no longer come thanks to the spaminator. But there is a ddos attack every day. our lover is very much ... our attackers are people who do their job very well.

Even in the past, shared hosting took the account from the same company and killed the database. we had to continue the old backup. Then we went to the server. then we went to the Hetzner server.

If the baby forum continued as mybb, they would already be killed. The baby would die again if the forum was vbulletin. or on other systems, the baby forum would die. We bought xenforo. baby forum has been alive for 3 years.

I know many websites that die or continue their publishing life. But no XenForo Website is dead.

I know these attacks very well. I have lost 6 websites since 1995. None of this was XenForo...

I love XenForo. But from spending money on plugins. I can't invest in SEO.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Rom
  • Question Question
XF 2.1 I am on 2.1.10 Patch 2 and I want to update to 2.1.12 - is command line necessary for this small update?
Replies
2
Views
627
Rom
Rom
whyted
  • Question Question
XF 2.1 XenForo 2.1.10 Patch 2
2
Replies
20
Views
2K
Ozzy47
Ozzy47
ebikes.com
  • Solved
XF 2.2 XF 2.28 Patch with Elastic search only returning 400 pages
Replies
8
Views
507
ebikes.com
ebikes.com
maxmar628
  • Locked
Not a bug I have a proble whit [XFA] RM Marketplace 4.1.3 addon on xenforo 2.1.10
Replies
2
Views
2K
Mike
Mike
Stuart Wright
  • Question Question
XF 2.1 File healthcheck warning on 1 byte file after uprading to 2.1.10 patch 2
Replies
4
Views
601
Chris D
Chris D
Top Bottom