Did XenForo disclose this exploit?

WD

Enthusiast
Joined
Mar 24, 2010
Messages
243
Too lazy to log in to XenForo right now, but I just noticed that a major exploit was found in XenForo a few months back and nothing was said publicly by XenForo, so I'm not even sure this is real. (At least from what I can see from a quick look at 6am lol.)

The advisory claims the issue was fixed in 1.5.11a, but I don't remember seeing this version, only 1.5.12 and 1.5.13.

If it wasn't, then I'm pretty upset, as 1.5.11 came out in November and I know many MANY XenForo sites still use older versions.

A notice should have been sent out.


XenForo 1.5.x Remote Code Execution Vulnerability

1. ADVISORY INFORMATION
=======================
Product: XenForo
Vendor URL: xenforo.com
Type: Code Injection [CWE-94]
Date found: 2016-12-09
Date published: 2016-12-15
CVSSv3 Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
CVE: -


2. CREDITS
==========

This vulnerability was discovered and researched by independent security
expert Vishal Mishra.


3. VERSIONS AFFECTED
====================

XenForo 1.5.x versions prior to 1.5.11a.
Older versions may be affected too but were not tested.


4. VULNERABILITY DETAILS
========================

The vulnerability allows a remote attacker to overwrite arbitrary PHP
variables within the context of the vulnerable application. The
vulnerability exists due to insufficient validation of user-supplied
input in an HTTP cookie, thus allowing sensitive information to be read
from the XenForo database, like usernames and passwords. Since the
affected script does not require authentication, this
vulnerability can be exploited by an unauthenticated attacker.


5. PROOF OF CONCEPT
===================

The following proof-of-concept exploits the vulnerable HTTP cookie
and executes the phpinfo() function:

Detailed proof of concept has been removed for this advisory.


6. SOLUTION
===========

Update to the latest version v1.5.11a


7. REPORT TIMELINE
==================

2016-12-09: Discovery of the vulnerability
2016-12-11: Notified vendor via contact address
2016-12-13: Vendor provides update
2016-12-13: Provided update fixes the reported issues
2016-12-13: Vendor publishes update
2016-12-15: Coordinated release of security advisory without proof of concept


8. DISCLAIMER
=============

Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated
in order to provide as accurate information as possible.
http://seclists.org/fulldisclosure/2016/Dec/62
 

ozzy47

Tazmanian Veteran
Joined
Oct 18, 2013
Messages
9,007
Hmmm who discovered the vulnerability?

2. CREDITS
==========

This vulnerability was discovered and researched by independent security
expert Vishal Mishra.

Or:

Most importantly, this release includes a fix for a security issue that we found during internal testing.

According to times posted, seems the XF team found the vulnerability not Vishal Marshal!

XF fixed, August 30th 2016
Supposedly found by Vishal, December 9th 2016

Why would they lie?
 

Chris D

XenForo Developer
Joined
Aug 23, 2012
Messages
811
We know of this report, and have done since it was "disclosed", but as far as we can ascertain the report is a hoax.

The entire report timeline appears to be false.
2016-12-11: Notified vendor via contact address
There are no records of any vulnerabilities reported on this day or the days prior or after this date.
2016-12-13: Vendor provides update
2016-12-13: Provided update fixes the reported issues
2016-12-13: Vendor publishes update
None of this happened. As you can see we made no releases between 1.5.11 and 1.5.12.
Update to the latest version v1.5.11a
No such version exists.

You can see a response to the disclosure here:

http://seclists.org/fulldisclosure/2016/Dec/62

This issue does not seem to exist at all.

Among the available versions/updates for XenForo there is no version
1.5.11a as stated in this advisory. After contacting XenForo about this
advisory and the corresponding update, they told me that they are
neither aware of this vulnerability nor about the reporter.

Best Regards
Julien
I believe it may have been this chap contacting us that alerted us to this supposed issue in the first place. We of course investigated and determined that, not only was the disclosure false, but also a routine investigation of the vulnerability details found that there was no such vulnerability within the software.

Aside from being a total hoax, another possible explanation is that the vulnerability existed within an add-on for XF and the security researcher got confused. But, that seems unlikely.

To be 100% clear, if such a vulnerability (and our track record so far will confirm this) is ever reported, we would release a security patch for as many previous XF versions as is practicable and when we announce that update it would be made 100% clear that it is security related and we would disclose what the vulnerability was and who disclosed it to us. None of our vulnerabilities so far have been anywhere near as severe as a remote code execution type vulnerability, and have actually been very minor. Following the process I just mentioned for reporting such a vulnerability that was as severe as an RCE would be even more important to us. We'd have nothing to gain by not being honest and open about such a vulnerability.
 

WD

Enthusiast
Joined
Mar 24, 2010
Messages
243
Thanks Chris for replying. I assumed it was a hoax but wasn't sure and was too tired to log in to XenForo.com :p (I'm lazy pfft..)

Talking of exploits, there does seem to be something, but not major as they claim it needs admin access. I found this on hackforums, Chris D


The code from the screenshot if it helps:
Code:
public static function getWithFallback($index, $callback, array $args = array())
{
    // Return the cached value if this registry key has already been set.
    if (self::isRegistered($index))
    {
        return self::get($index);
    }
    else
    {
        // Otherwise compute the value by invoking the supplied callable
        // with $args, store it under $index and return it.
        $result = call_user_func_array($callback, $args);
        self::set($index, $result);
        return $result;
    }
}
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
4,991
Not much of a hack then.....
If you exclude gullible admins that fall to social manipulation or re-use of the same password on sites that have been hacked in the past then it's not. But I think it's apparent that it could be used - there was an example for this site in the past if I remember correctly in which an admin account was "hacked" into, which shows even supposedly knowledgeable admins suffer the issue of poor account security and/or susceptibility to social manipulation.
 

GTB

Tazmanian
Joined
Nov 24, 2005
Messages
4,038
Not much of a hack then.....
If you made another user admin on your forum, then couldn't it also be abused by another staff admin? You've had a few staff here besides Howard made admin status. For instance, you are listed as admin staff rank here. So I wouldn't necessarily say it's a useless hack because you need to be admin; forum owners do make other users staff admins. It happens quite often, in fact, with novice forum owners who think nothing about making a user they hardly know admin.
 

Chris D

XenForo Developer
Joined
Aug 23, 2012
Messages
811
The code from the screenshot if it helps:
There's some interesting claims there.

Certainly not things we're aware of, nor do we believe anything has been exploited in a vanilla XF install.

The getWithFallback method isn't actually used within XF at all so I'm not sure how that could be exploited... Also not totally sure why it's there at all in that case, but we'll look into it.

The first two posts in that screenshot are certainly more interesting. And mention of the non-existent version 1.5.11a too.
 

andrew3d

Aspirant
Joined
Mar 2, 2013
Messages
34
Is there a pirated copy that someone else besides your team is modifying?
This whole scenario doesn't sound legitimate. Fishy!!!
 

Chris D

XenForo Developer
Joined
Aug 23, 2012
Messages
811
Well, that's possible.

But people who download nulled copies from a source that is unofficial should accept that risk.
 

we_are_borg

Administrator
Joined
Jan 25, 2011
Messages
5,511
Well, that's possible.

But people who download nulled copies from a source that is unofficial should accept that risk.
They should buy it to make sure they are safe and to support XF. If they run nulled copies it's their own fault.
 