XenForo & Cross Site Scripting Attacks

Discussion in 'General XenForo Discussion and Feedback' started by TheBigK, Aug 1, 2013.

Thread Status:
Not open for further replies.
  1. TheBigK

    TheBigK Well-Known Member

    So we have one of our members say that xenForo is vulnerable to 'CSS' attacks. Wondering if any of the xF installs have been hacked via CSS so far?
     
  2. Brogan

    Brogan XenForo Moderator Staff Member

    Does the member have any proof to back up that claim?
     
  3. MattW

    MattW Well-Known Member

    Proof??
     
  4. Mike

    Mike XenForo Developer Staff Member

    It's usually XSS given that CSS already means something.

    There aren't any known XSS issues - if there were, they'd be patched. The output is "escaped by default" so the potential vectors should be reduced significantly.

    So yeah, examples (proof) would be needed.
     
    Bram and 0xym0r0n like this.
  5. MattW

    MattW Well-Known Member

  6. Rob

    Rob Well-Known Member

    Add ons are not part of the core and any platform, no matter how secure, is only as secure as the addons bolted on.
     
    0xym0r0n and Adam Howard like this.
  7. TheBigK

    TheBigK Well-Known Member

  8. TheBigK

    TheBigK Well-Known Member

    In any case, I'll report it to the developers if something vulnerable is found with the core.
     
  9. Rob

    Rob Well-Known Member

    I seriously doubt it but let's see if any details come from this.
     
  10. TheBigK

    TheBigK Well-Known Member

    Well, have there been any instances of any type of hacks on xenForo installs? I don't recollect reading about any so far.
     
  11. MattW

    MattW Well-Known Member

    He's making no sense to me in his replies:

     
  12. Kevin

    Kevin Well-Known Member

    Without the person providing additional information I suspect that their real intentions are in post #3 of that thread.
     
    0xym0r0n and MattW like this.
  13. Rob

    Rob Well-Known Member

    Sorry but geeky as I am that went woooosh well over me.
     
  14. MattW

    MattW Well-Known Member

    I fail to see what point he's trying to make suggesting they need And server backup to be collected on some other place would prevent any form of XSS
     
  15. TheBigK

    TheBigK Well-Known Member

    Well, he found a bug with our CEoM app and has reported it. No serious issues so far, it seems.
     
  16. Rob

    Rob Well-Known Member

    Drivel springs to mind.....
     
    MattW likes this.
  17. TheBigK

    TheBigK Well-Known Member

    @Mike : This is what he said through a private conversation:
    What does that mean? If it's meaningful, at all?
     
  18. Rob

    Rob Well-Known Member

    I personally feel that whether obfuscated or not, any form of injection will be guarded.... at least by the core. Add ons could be vulnerable though.
     
    TheBigK likes this.
  19. Mike

    Mike XenForo Developer Staff Member

    I can't say that's meaningful.

    preg_match is a function that determines if text matches something. CSRF is a different type of vulnerability. Levens(h)tein is a method for determining "edit distances" for strings.

    None of it really adds up. If he wants to demo something then I'm quite happy to do more investigation but he hasn't given any indication of, well, anything.
     
    Rudy, ManagerJosh, Iversia and 5 others like this.
  20. MattW

    MattW Well-Known Member

    He sounds like some of the senior managers at my work dropping "buzz" words
     