XenForo & Cross Site Scripting Attacks

[Rob]

Sounds to me like a case of longwordsmakemelookclever-aholicness.

 

[Slavik]

All I can think of is this...

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.

Accept third party cookies

 

[Rob]

Lmao

 

[TheBigK]

I can't say that's meaningful.

preg_match is a function that determines if text matches something. CSRF is a different type of vulnerability. Levens(h)tein is a method for determine "edit distances" for strings.

None of it really adds up. If he wants to demo something then I'm quite happy to do more investigation but he hasn't given any indication of, well, anything.

Well, he's not ready to prove anything. So far he's reported a bug with one of the addons on the site, and that too is not critical.

This is getting all 'Dilbertish'.

 

[MattW]

Well according this his post, he's gained access to your server

I do some script and I can intrude in the server. Not only this but the other website which is your sibling on the hosting server. So its not a matter of report. You cannot manually fix it. On other hand, we can deploy a solution.

 

[Rob]

Is this by any chance a host trying to upsell?

 

[TheBigK]

Well according this his post, he's gained access to your server

Nope he was to develop an add-on for us. I shared our test environment with him. I doubt he's access to the live server.

Is this by any chance a host trying to upsell?

Nope.

 

[Chris D]

I would steer clear of him.

Something doesn't quite add up and I'm highly suspicious of him.

He's either:

a) Genuinely found something and wants money from you to fix it (seems unlikely as nothing he has said has made any sort of sense to anyone)
b) Not found anything, and trying to con you into access to your server or money to fix a problem that doesn't exist.
or
c) Someone who thinks he knows what he's talking about... but doesn't.

I'd steer well clear, if I were you.

 

[MattW]

Nope he was to develop an add-on for us. I shared our test environment with him. I doubt he's access to the live server.

In that case then, I've no clue what he's rambling on about

 

[Brent W]

I'd ban him if he doesn't want to be 100% upfront with you about a vulnerability he found on your website. Sounds like a douche.

 

[CTXMedia]

The mention of money / cost to deploy a solution makes me thing he's phishing for a payout.

 

[TimeWizardCosmo]

I say have some fun with the idiot. He thinks he has you on the hook, make him jump through a bunch of weird hoops 419 Eater style.

 

[Adam Howard]

Ah, the sweet or not so sweet smell of ********

I'm calling your "hackers" bluff and welcome him / her to have a go at my site if he / she thinks they've found anything directly related to XenForo.

Reading from his post... I'd say he's either all hot air, is fishing for something, or if any vulnerability has been found (unlikely from the way he or she is speaking) it would likely be an add-on or server side.

But overall, I stand by my original comment.... BS and nothing more.

 

[Paul B]

Ah, the sweet or not so sweet smell of ********

As per rule 1:

Please do not attempt to circumvent the censoring options we have set up.

http://xenforo.com/community/help/terms

I have edited your post accordingly.

 

[Ryan_]

Did anyone else laugh when he called it a CSS attack instead of an XSS attack?

 

[Chris D]

Hey... CSS attacks are no joke.

You can have someone's eye out with border-radius: 0;

 

[MattW]

Hey... CSS attacks are no joke.

You can have someone's eye out with border-radius: 0;

That's mine and @Brogan 's sites then!

 

[Rob]

The guy is a bit see through. I'd say transparency: 0.3

 

[Ryan_]

He certainly didn't provide any padding in his attempt to solicit money for "extra security" - just straight to the point.

Edit: Let's see how long it takes before we run out of corny CSS jokes!

 

[Wildcat Media]

The guy is a bit see through. I'd say transparency: 0.3

I was thinking a display: none might be more appropriate to silence this dude...