XenForo & Cross Site Scripting Attacks

Status
Not open for further replies.
TheBigK

TheBigK

Well-known member
So we have one of our members say that xenForo is vulnerable to 'CSS' attacks. Wondering if any of the xF installs have been hacked via CSS so far?
 
It's usually XSS given that CSS already means something.

There aren't any known XSS issues - if there were, they'd be patched. The output is "escaped by default" so the potential vectors should be reduced significantly.

So yeah, examples (proof) would be needed.
 
In any case, I'll report it to the developers if something vulnerable is found with the core.
 
Well, have there been any instances of any type of hacks on xenForo installs? I don't recollect reading about any so far.
 
He's making no sense to me in his replies:

You already gave me the environment in past. So i tested it there.
And there is nothing to prove in it. Its something we cannot stop. Rather we can secure the server. its already decently secured. the thing i m talking about it is hardcore server security. Make the drive persistent. Every Server restart will make it raid free. And power backup the server in hard environment everytime. I guess you might be aware of DEEPFREEZE application for machines. Persistant drives are for the same purpose. and there is a feature in remote hosting environment which is net bridged, mainly used by website hosting companies, to block remove execution/ i.e to avoid scripting. That will patch this issue. If you want I can show it on your environment. But i already tested it there. I can give you a video of the attack if you want.
Click to expand...
 
I fail to see what point he's trying to make suggesting they need And server backup to be collected on some other place would prevent any form of XSS
 
Well, he found a bug with our CEoM app and has reported it. No serious issues so far, it seems.
 
@Mike : This is what he said through a private conversation:
CSS=>Preg Match embedded into CSRF using Levenstein obfuscated code. Its tailor made. Cant reveal more info. But the frame is decently secured. Dont worry. :) It doesnt take the machine down
Click to expand...

What does that mean? If it's meaningful, at all?
 
I personally feel that whether obfuscated or not, any form of injection will be guarded.... at least by the core. Add ons could be vulnerable though.
 
I can't say that's meaningful.

preg_match is a function that determines if text matches something. CSRF is a different type of vulnerability. Levens(h)tein is a method for determine "edit distances" for strings.

None of it really adds up. If he wants to demo something then I'm quite happy to do more investigation but he hasn't given any indication of, well, anything.
 
Status
Not open for further replies.

Similar threads

S
  • Question Question
XF 2.2 Cross site scripting and Shellcode
Replies
5
Views
711
Paul B
P
ActorMike
Fixed Jquery 3.3.1 Cross-Site Scripting Vulnerability
Replies
15
Views
7K
ActorMike
ActorMike
Falkor
Tapatalk - Cross-Site Scripting Vulnerability
Replies
10
Views
2K
D.O.A.
D.O.A.
Alpha1
  • Suggestion Suggestion
Lack of interest Cross site quoting (link to original website)
Replies
0
Views
788
Alpha1
Alpha1
Back
Top Bottom