XF 1.5 Xenforo Session Hijacking fix?

S

ShortHard

New member
I've recently become aware that Xenforo fourms, at least in their default configuration, are vulnerable to session hijacking attacks. One can steal a cookie from a fourm user (via malicious javascript that the attacker hosts) and use that cookie to authenticate with the fourm. Cookies last 30 days, Xenforo 2FA does not stop this.

Are there any methods for dealing with this? Can I make Xenforo force email confirmation to login when the users IP differs, even when they already have a cookie?
 
Sort by date Sort by votes
You've certainly made that sound very severe (which it is), and almost easy to do (which it most certainly shouldn't be).

In actual fact, the type of exploit you mention would be a XSS vulnerability as you would first need to find a way to expose users to a malicious script hosted by the attacker. I'd be less concerned about what an attacker can do with a cookie, and much more concerned about how they were able to inject the malicious script in the first place.

XF employs many methods to avoid and prevent XSS vulnerabilities so for the most part, the software by default should not be vulnerable to any sort of attack that you mention.

If you have found an active XSS vulnerability in XF then this should be disclosed to us in the responsible manner (which would be true of any exploit in any software). Or if it's in an add-on, it should be reported following the guidelines here: https://xenforo.com/community/help/resource-vulnerabilities/

Have you experienced any such issues or are you just theorising at this stage?
 
Upvote 0 Downvote
Chris D said:
You've certainly made that sound very severe (which it is), and almost easy to do (which it most certainly shouldn't be).

In actual fact, the type of exploit you mention would be a XSS vulnerability as you would first need to find a way to expose users to a malicious script hosted by the attacker. I'd be less concerned about what an attacker can do with a cookie, and much more concerned about how they were able to inject the malicious script in the first place.

XF employs many methods to avoid and prevent XSS vulnerabilities so for the most part, the software by default should not be vulnerable to any sort of attack that you mention.

If you have found an active XSS vulnerability in XF then this should be disclosed to us in the responsible manner (which would be true of any exploit in any software). Or if it's in an add-on, it should be reported following the guidelines here: https://xenforo.com/community/help/resource-vulnerabilities/

Have you experienced any such issues or are you just theorising at this stage?
Click to expand...

I don't mean to make it sound one way or another. I'm just reporting something a user of my forum told me. Since the user seems to be wrong, this thread can be closed. Sorry for the hassle.
 
Upvote 0 Downvote
It's also worth noting that the relevant cookies are marked as HTTP only, which means they're not accessible to Javascript. Getting access to them would require a man in the middle attack (which is what HTTPS helps with), access to the server or direct access to your device. In the latter cases, stealing a cookie is the least of your worries.
 
Upvote 0 Downvote
l6yetw.gif


Sorry I couldn’t help but put this on
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

P
XF 2.1 using xenforo session in subdomain
Replies
1
Views
797
robdog
robdog
K
Xenforo session issue (Using EC2 + load balancer)
Replies
3
Views
851
splooge
S
stoppy
Xenforo Session among third domains
Replies
3
Views
1K
stoppy
stoppy
W
  • Question Question
XF 1.3 Fatal error.. Xenforo Session
Replies
9
Views
1K
woodenlegacy
W
Per Hansson
Size of Xenforo Session cache using Xcache?
Replies
1
Views
814
Slavik
Slavik
Top Bottom