For several reasons (often the high costs of upgrading the theme and the add-ons, and the server admin work time and cost needed) we still run 2 Xenforo sites using the most recent (and last) 1.5 version of the software.
Because that version has not been maintained by the XF team for a long time, there may be security problems with that old software. For example, we recently received an email from an unknown person titled "Vulnerability Report-Broken Authentication" regarding one of our XF 1.5 forums; he wants a "bounty" for finding that vulnerability.
I do not want to include the whole text of the message here, but he writes that the session management of XF 1.5 is broken and that it is possible to change a session (specifically the authentication password) for a user from another, different browser within the same access IP address. So it looks like the session is stored at the server with a user_id key only and no check of the client used with that session. I don't know if that report is true, but I also do not see that issue as very problematic if true. If someone knows the password he can always do what he wants.
Regardless of that possible issue, and since I know that some people here still use version 1 of the software, I want to ask if there would be any interest in creating some kind of XF 1.5 user interest group where any existing or future security concerns with XF 1.5 could be handled and financed to be rolled out at our old forums.
I know that upgrading to the most recent XF 2 version would be the best solution, but, again, for some of us this is simply not possible at the moment for different reasons.
So XF 1 users, where are you, and what problems have you found that maybe already needed to be patched in XF 1.5?
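To make the hypothesis in the post concrete (a server-side session addressed by user_id and client IP only, with nothing secret held by the browser, versus a session addressed by an unguessable per-client token), here is an added, constructed illustration. It is not XenForo code and does not describe how XF 1.5 actually stores sessions; the class names, the `Request` stand-in, the IP address and the user_id are all made up for the example.

```python
"""Constructed illustration (not XenForo code) of the session-binding design the
post speculates about: a session keyed only by (user_id, ip) versus one keyed by
a random token that only the logging-in browser holds."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical)."""
    ip: str
    user_id: int        # the account the client claims/knows
    token: str = ""     # session cookie value, empty if the browser has none


class UserIdKeyedSessions:
    """Weak design: the record is addressed by (user_id, ip) only, so any browser on
    the same IP that knows the user_id reaches the same server-side session."""

    def __init__(self):
        self._store = {}

    def login(self, req: Request, password_ok: bool):
        if not password_ok:
            return None
        key = (req.user_id, req.ip)
        self._store[key] = {"user_id": req.user_id, "authenticated": True}
        return key  # nothing secret is handed to the client

    def lookup(self, req: Request):
        return self._store.get((req.user_id, req.ip))


class TokenBoundSessions:
    """Hardened design: the record is addressed by a random 128-bit token set as the
    client's cookie; the server keeps only a SHA-256 of it, so a leaked session table
    does not yield usable cookies. A browser without the token gets nothing."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, req: Request, password_ok: bool):
        if not password_ok:
            return None
        token = secrets.token_urlsafe(16)   # 128 bits of randomness
        self._store[self._digest(token)] = {"user_id": req.user_id, "ip": req.ip,
                                            "authenticated": True}
        return token  # would be sent as an HttpOnly, Secure cookie

    def lookup(self, req: Request):
        if not req.token:
            return None
        return self._store.get(self._digest(req.token))


def change_password(store, users: dict, req: Request, new_hash: str) -> bool:
    """Password change gated on the session the request can reach."""
    sess = store.lookup(req)
    if sess is None or not sess["authenticated"]:
        return False
    users[sess["user_id"]]["password_hash"] = new_hash
    return True


def run_scenario(store) -> dict:
    """Log in from one browser, then try from a second browser on the same IP that
    knows the user_id but holds no cookie. Returns what each browser could do."""
    users = {42: {"password_hash": "h(old)"}}            # constructed user table
    victim = Request(ip="203.0.113.7", user_id=42)       # documentation-range IP
    cookie = store.login(victim, password_ok=True)
    victim.token = cookie if isinstance(cookie, str) else ""
    other = Request(ip="203.0.113.7", user_id=42)        # same IP, no cookie
    return {
        "legit_session": store.lookup(victim) is not None,
        "second_browser_session": store.lookup(other) is not None,
        "second_browser_changed_password": change_password(store, users, other, "h(new)"),
    }


if __name__ == "__main__":
    for cls in (UserIdKeyedSessions, TokenBoundSessions):
        print(cls.__name__, run_scenario(cls()))
```

Running it shows the difference the post is weighing: with the user_id-keyed store the second browser on the same IP can reach the session and change the password without ever knowing the old one, while with the token-bound store it cannot. That is the check to run against any report of this kind: log in once, then from a second browser on the same network try to act on the account with only the user_id in hand.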