
XenForo & Cross Site Scripting Attacks

Status
Not open for further replies.

TheBigK

Well-known member
#1
So we have one of our members say that XenForo is vulnerable to 'CSS' attacks. Wondering if any of the xF installs have been hacked via CSS so far?
 

Mike

XenForo developer
Staff member
#4
It's usually XSS given that CSS already means something.

There aren't any known XSS issues - if there were, they'd be patched. The output is "escaped by default" so the potential vectors should be reduced significantly.

So yeah, examples (proof) would be needed.
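
What "escaped by default" means in practice, as an added example that is not part of the original thread and is not XenForo code: the `{name}` / `{name|raw}` template syntax and the function names are hypothetical, and the input is constructed. Every placeholder is HTML-escaped unless the template author explicitly opts out, so the places left to audit are the raw opt-outs.

```php
<?php
// Added illustration; not XenForo code. Syntax and names are hypothetical.

/** Escape a value for HTML element content or a quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a template: {name} is escaped, {name|raw} is emitted unchanged. */
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{(\w+)(\|raw)?\}/',
        function (array $m) use ($vars): string {
            $value = (string) ($vars[$m[1]] ?? '');
            // A missing filter falls through to esc(), so mistakes fail safe.
            return ($m[2] ?? '') !== '' ? $value : esc($value);
        },
        $template
    );
}

/** List the variables a template emits unescaped: the review surface. */
function rawUses(string $template): array
{
    preg_match_all('/\{(\w+)\|raw\}/', $template, $m);
    return array_values(array_unique($m[1]));
}

// Constructed sample data: one user-controlled field carrying markup.
$vars = [
    'username'  => 'TheBigK',
    'message'   => '<script>alert(1)</script>',
    'signature' => '<b>already sanitised elsewhere</b>',
];
$template = '<div title="{username}">{message}<hr>{signature|raw}</div>';

// The message is emitted as inert text; only the signature stays as markup.
echo render($template, $vars), "\n";

// Each name listed here needs its own sanitisation upstream.
echo 'raw: ', implode(', ', rawUses($template)), "\n";
```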
 

TheBigK

Well-known member
#10
Well, have there been any instances of any type of hacks on XenForo installs? I don't recollect reading about any so far.
 

MattW

Well-known member
#11
He's making no sense to me in his replies:

You already gave me the environment in past. So I tested it there.
And there is nothing to prove in it. It's something we cannot stop. Rather we can secure the server. It's already decently secured. The thing I'm talking about is hardcore server security. Make the drive persistent. Every server restart will make it raid free. And power backup the server in hard environment every time. I guess you might be aware of DEEPFREEZE application for machines. Persistent drives are for the same purpose. And there is a feature in remote hosting environment which is net bridged, mainly used by website hosting companies, to block remove execution/ i.e. to avoid scripting. That will patch this issue. If you want I can show it on your environment. But I already tested it there. I can give you a video of the attack if you want.
 

MattW

Well-known member
#14
I fail to see what point he's trying to make suggesting they need "And server backup to be collected on some other place" would prevent any form of XSS
 

TheBigK

Well-known member
#17
@Mike : This is what he said through a private conversation:
CSS=>Preg Match embedded into CSRF using Levenstein obfuscated code. It's tailor made. Can't reveal more info. But the frame is decently secured. Don't worry. :) It doesn't take the machine down
What does that mean? If it's meaningful, at all?
 

Rob

Well-known member
#18
I personally feel that whether obfuscated or not, any form of injection will be guarded... at least by the core. Add-ons could be vulnerable though.
 

Mike

XenForo developer
Staff member
#19
I can't say that's meaningful.

preg_match is a function that determines if text matches something. CSRF is a different type of vulnerability. Levens(h)tein is a method for determining "edit distances" for strings.

None of it really adds up. If he wants to demo something then I'm quite happy to do more investigation but he hasn't given any indication of, well, anything.
 