
XF 1.5 Xenforo Session Hijacking fix?

#1
I've recently become aware that Xenforo forums, at least in their default configuration, are vulnerable to session hijacking attacks. One can steal a cookie from a forum user (via malicious JavaScript that the attacker hosts) and use that cookie to authenticate with the forum. Cookies last 30 days; Xenforo 2FA does not stop this.

Are there any methods for dealing with this? Can I make Xenforo force email confirmation to log in when the user's IP differs, even when they already have a cookie?
 

Chris D

XenForo developer
Staff member
#7
You've certainly made that sound very severe (which it is), and almost easy to do (which it most certainly shouldn't be).

In actual fact, the type of exploit you mention would be an XSS vulnerability as you would first need to find a way to expose users to a malicious script hosted by the attacker. I'd be less concerned about what an attacker can do with a cookie, and much more concerned about how they were able to inject the malicious script in the first place.

XF employs many methods to avoid and prevent XSS vulnerabilities so for the most part, the software by default should not be vulnerable to any sort of attack that you mention.

If you have found an active XSS vulnerability in XF then this should be disclosed to us in the responsible manner (which would be true of any exploit in any software). Or if it's in an add-on, it should be reported following the guidelines here: https://xenforo.com/community/help/resource-vulnerabilities/

Have you experienced any such issues or are you just theorising at this stage?
 
#8
I don't mean to make it sound one way or another. I'm just reporting something a user of my forum told me. Since the user seems to be wrong, this thread can be closed. Sorry for the hassle.
 

Mike

XenForo developer
Staff member
#9
It's also worth noting that the relevant cookies are marked as HTTP only, which means they're not accessible to JavaScript. Getting access to them would require a man-in-the-middle attack (which is what HTTPS helps with), access to the server or direct access to your device. In the latter cases, stealing a cookie is the least of your worries.
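
Added example (not part of the thread and not XenForo code): a forum admin can confirm the points raised above by auditing the `Set-Cookie` headers their own site returns for the HttpOnly flag, the Secure flag (HTTPS only) and the cookie lifetime. The cookie names, the sample headers and the 30-day limit parameter are assumptions constructed for illustration.

```python
# Audit Set-Cookie headers for the attributes discussed in this thread.

# Constructed sample headers (hypothetical cookie names, not captured from a real forum).
SAMPLE_HEADERS = [
    "forum_session=abc123; Path=/; Secure; HttpOnly",
    "forum_user=1%2Cdeadbeef; Max-Age=2592000; Path=/; httponly",
    "forum_theme=dark; Max-Age=31536000; Path=/",
]

# Assumption: these are the cookies that authenticate the user.
SESSION_COOKIES = {"forum_session", "forum_user"}


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names are lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit(headers, session_cookies=SESSION_COOKIES, max_age_limit=30 * 86400):
    """Return {cookie_name: [findings]} for authentication cookies only."""
    report = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_cookies:
            continue  # preference cookies are not session credentials
        findings = []
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: readable by page scripts")
        if "secure" not in attrs:
            findings.append("missing Secure: can be sent over plain HTTP")
        max_age = attrs.get("max-age", "")
        if max_age.isdigit() and int(max_age) > max_age_limit:
            findings.append("lifetime longer than limit")
        report[name] = findings
    return report


if __name__ == "__main__":
    for cookie, findings in audit(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

To use it on a live site, replace `SAMPLE_HEADERS` with the `Set-Cookie` values from your own forum's login response and set `SESSION_COOKIES` to the names your installation uses.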