XenForo & Cross Site Scripting Attacks

[TheBigK]

So we have one of our members say that xenForo is vulnerable to 'CSS' attacks. Wondering if any of the xF installs have been hacked via CSS so far?

 

[Paul B]

Does the member have any proof to back up that claim?

 

[MattW]

So we have one of our members say that xenForo is vulnerable to 'CSS' attacks. Wondering if any of the xF installs have been hacked via CSS so far?

Proof??

 

[Mike]

It's usually XSS given that CSS already means something.

There aren't any known XSS issues - if there were, they'd be patched. The output is "escaped by default" so the potential vectors should be reduced significantly.

So yeah, examples (proof) would be needed.

 

[MattW]

http://www.crazyengineers.com/threads/is-ce-easy-to-hack.69619/#post-288337

EDIT: Which appears to relate to what ever add-on this is: http://www.crazyengineers.com/ceom/

 

[Rob]

Add ons are not part of the core and any platform, no matter how secure is only as secure as the addons bolted on.

 

[TheBigK]

No proof yet. I've asked him to prove the attack on a test environment. Let's see if he responds.

http://www.crazyengineers.com/threads/is-ce-easy-to-hack.69619/#post-288337

EDIT: Which appears to relate to what ever add-on this is: http://www.crazyengineers.com/ceom/

Well, that's an add-on; but he essentially says that he found something with the xenForo platform itself.

 

[TheBigK]

In any case, I'll report it to the developers if something vulnerable is found with the core.

 

[Rob]

I seriously doubt it but let's see if any details come from this.

 

[TheBigK]

Well, have there been any instances of any type of hacks on xenForo installs? I don't recollect reading about any so far.

 

[MattW]

He's making no sense to me in his replies:

You already gave me the environment in past. So i tested it there.
And there is nothing to prove in it. Its something we cannot stop. Rather we can secure the server. its already decently secured. the thing i m talking about it is hardcore server security. Make the drive persistent. Every Server restart will make it raid free. And power backup the server in hard environment everytime. I guess you might be aware of DEEPFREEZE application for machines. Persistant drives are for the same purpose. and there is a feature in remote hosting environment which is net bridged, mainly used by website hosting companies, to block remove execution/ i.e to avoid scripting. That will patch this issue. If you want I can show it on your environment. But i already tested it there. I can give you a video of the attack if you want.

 

[Kevin]

Without the person providing additional information I suspect that their real intentions are in post #3 of that thread.

... we can deploy a solution. ... It is a costly process.

 

[Rob]

Sorry but geeky as I am that went woooosh well over me.

 

[MattW]

I fail to see what point he's trying to make suggesting they need And server backup to be collected on some other place would prevent any form of XSS

 

[TheBigK]

Well, he found a bug with our CEoM app and has reported it. No serious issues so far, it seems.

 

[Rob]

Drivel springs to mind.....

 

[TheBigK]

@Mike : This is what he said through a private conversation:

CSS=>Preg Match embedded into CSRF using Levenstein obfuscated code. Its tailor made. Cant reveal more info. But the frame is decently secured. Dont worry. It doesnt take the machine down

What does that mean? If it's meaningful, at all?

 

[Rob]

I personally feel that whether obfuscated or not, any form of injection will be guarded.... at least by the core. Add ons could be vulnerable though.

 

[Mike]

I can't say that's meaningful.

preg_match is a function that determines if text matches something. CSRF is a different type of vulnerability. Levens(h)tein is a method for determine "edit distances" for strings.

None of it really adds up. If he wants to demo something then I'm quite happy to do more investigation but he hasn't given any indication of, well, anything.

 

[MattW]

He sounds like some of the senior managers at my work dropping "buzz" words