Did XenForo disclose this exploit?

Discussion in 'XenForo' started by WD, Apr 2, 2017.

  1. WD

    WD Enthusiast

    Too lazy to log in to XenForo right now, but I just noticed a major exploit was found in XenForo a few months back and nothing was said publicly by XenForo, so I'm not even sure this is real. (At least from what I can see from a quick look at 6am lol.)

    The advisory claims the issue was fixed in 1.5.11a, but I don't remember seeing this version, only 1.5.12 and 1.5.13.

    If it wasn't, then I'm pretty upset, as 1.5.11 came out in November and I know many MANY XenForo sites still use older versions.

    A notice should have been sent out.

  2. we_are_borg

    we_are_borg Administrator

  3. ozzy47

    ozzy47 Tazmanian Veteran

    Hmmm, who discovered the vulnerability?

    2. CREDITS
    ==========

    This vulnerability was discovered and researched by independent security
    expert Vishal Mishra.

    Or:

    Most importantly, this release includes a fix for a security issue that we found during internal testing.

    According to the times posted, it seems the XF team found the vulnerability, not Vishal Mishra!

    XF fixed: August 30th 2016
    Supposedly found by Vishal: December 9th 2016

    Why would they lie?
  4. Chris D

    Chris D XenForo Developer

    We know of this report, and have done since it was "disclosed", but as far as we can ascertain the report is a hoax.

    The entire report timeline appears to be false.
    There are no records of any vulnerabilities reported on this day or the days prior or after this date.
    None of this happened. As you can see we made no releases between 1.5.11 and 1.5.12.
    No such version exists.

    You can see a response to the disclosure here:

    http://seclists.org/fulldisclosure/2016/Dec/62

    I believe it may have been this chap contacting us that alerted us to this supposed issue in the first place. We of course investigated and determined that, not only was the disclosure false, but also a routine investigation of the vulnerability details found that there was no such vulnerability within the software.

    Aside from being a total hoax, another possible explanation is that the vulnerability existed within an add-on for XF and the security researcher got confused. But, that seems unlikely.

    To be 100% clear, if such a vulnerability (and our track record so far will confirm this) is ever reported, we would release a security patch for as many previous XF versions as is practicable and when we announce that update it would be made 100% clear that it is security related and we would disclose what the vulnerability was and who disclosed it to us. None of our vulnerabilities so far have been anywhere near as severe as a remote code execution type vulnerability, and have actually been very minor. Following the process I just mentioned for reporting such a vulnerability that was as severe as an RCE would be even more important to us. We'd have nothing to gain by not being honest and open about such a vulnerability.
  5. WD

    WD Enthusiast

    Thanks Chris for replying. I assumed it was a hoax but wasn't sure and was too tired to log in to XenForo.com :p (I'm lazy pfft..)

    Talking of exploits, there does seem to be something, but not major as they claim it needs admin access. I found this on hackforums, Chris D

    [Three screenshots of the hackforums post: ai.imgur.com_gLFp73W.png, ai.imgur.com_Ks96zgy.png, ai.imgur.com_FpPqkGK.png]

    The code from the screenshot if it helps:
    Code:
    // Returns the registry entry stored under $index if one exists; otherwise
    // computes it by invoking $callback with $args, stores it under $index and returns it.
    public static function getWithFallback($index, $callback, array $args = array())
    {
        if (self::isRegistered($index))
        {
            return self::get($index);
        }
        else
        {
            // Invoke the supplied callable with the supplied arguments and cache the result
            $result = call_user_func_array($callback, $args);
            self::set($index, $result);
            return $result;
        }
    }

  6. Joeychgo

    Joeychgo TAZ Administrator

    Not much of a hack then.....
     
  7. Tracy Perry

    Tracy Perry Opinionated asshat

    If you exclude gullible admins that fall for social manipulation or re-use the same password on sites that have been hacked in the past, then it's not. But I think it's apparent that it could be used - there was an example for this site in the past, if I remember correctly, in which an admin account was "hacked" into, which shows even supposedly knowledgeable admins suffer the issue of poor account security and/or susceptibility to social manipulation.
     
    Last edited: Apr 2, 2017
  8. GTB

    GTB Tazmanian

    If you made another user admin on your forum, then couldn't it also be abused by another staff admin? You've had a few staff here besides Howard made admin status. For instance, you are listed as admin staff rank here. So I wouldn't necessarily say it's a useless hack because you need to be admin; forum owners do make other users staff admins - it happens quite often, in fact, with novice forum owners who think nothing of making a user they hardly know admin.
     
    Last edited: Apr 2, 2017
  9. Chris D

    Chris D XenForo Developer

    There's some interesting claims there.

    Certainly not things we're aware of, nor do we believe anything has been exploited in a vanilla XF install.

    The getWithFallback method isn't actually used within XF at all so I'm not sure how that could be exploited... Also not totally sure why it's there at all in that case, but we'll look into it.

    The first two posts in that screenshot are certainly more interesting. And mention of the non-existent version 1.5.11a too.
     
  10. andrew3d

    andrew3d Aspirant

    Is there a pirated copy that someone else besides your team is modifying?
    This whole scenario doesn't sound legitimate. Fishy!!!
     
  11. Chris D

    Chris D XenForo Developer

    Well, that's possible.

    But people who download nulled copies from a source that is unofficial should accept that risk.
     
  12. we_are_borg

    we_are_borg Administrator

    They should buy it to make sure they are safe and to support XF. If they run nulled copies it's their own fault.