Add-on Security Fix: All XenForo 1.5 Add-ons [XenForo 1.5]

DragonByte Technologies

The latest versions of all DragonByte XenForo 1.5 add-ons have a non-stored XSS vulnerability that could lead to user input being displayed back without proper escaping, due to a bug in these add-ons' phrase rendering system.

A non-stored XSS (Cross-Site Scripting) vulnerability means that malicious individuals cannot use this bug to steal other users' credentials, but it is still a security issue that should be addressed.

The patched versions are:
  • DragonByte Credits v5.0.3
  • DragonByte Donate v3.0.3
  • DragonByte Member Map v2.0.1
  • DragonByte Mail v4.0.1
  • DragonByte Security v4.0.1
  • DragonByte Shop v6.0.4
If you are running older versions, or your license has expired, you can apply the patch by following these instructions:

Open src/addons/DBTech/<addon>/Application/Phrase.php and find:
PHP:
            case 'XenForo':
                \XenForo_Phrase::setEscapeCallback(false);

                if ($languageId == -1)
                {
                    // Render the phrase
                    $rendered = (new \XenForo_Phrase($phraseKey, $params))->render();
                }
                else
                {
                    // We need to back up our language ID
                    $backupLanguageId = \XenForo_Phrase::getLanguageId();

                    // Shorthand
                    $visitor = \XenForo_Visitor::getInstance();

                    // Set new language ID
                    $visitor->setVisitorLanguage($languageId);

                    // Render the phrase
                    $rendered = (new \XenForo_Phrase($phraseKey, $params))->render();

                    // Restore this
                    $visitor->setVisitorLanguage($backupLanguageId);
                }

                return $rendered;
                break;

Above return $rendered; add:
PHP:
                \XenForo_Phrase::setEscapeCallback('htmlspecialchars');

If you do not have a Phrase.php file in the path described, then your version is not affected. The XenForo 2.0 version is not affected.
XenForo 2.1 versions have been completely rewritten from scratch and never used the framework containing this bug.

Please also be aware that XenForo 1.5 is end-of-life and as such does not receive any security fixes from XenForo itself. It is strongly recommended that you upgrade to XenForo 2.1 as soon as possible.


- DragonByte Tech Staff
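
What the one-line patch changes, shown as an added example that is not DragonByte's or XenForo's code. DemoPhrase and addonPhrase are hypothetical stand-ins, and the example assumes the escape callback is static state shared by every phrase rendered in the same request, as the static setEscapeCallback call in the snippet above suggests.

```php
<?php
// DemoPhrase is a hypothetical stand-in that models only the static
// escape-callback pattern; it is not XenForo's implementation.
final class DemoPhrase
{
    private static $escapeCallback = 'htmlspecialchars';

    public static function setEscapeCallback($callback): void
    {
        self::$escapeCallback = $callback;
    }

    public static function render(string $template, array $params): string
    {
        foreach ($params as $name => $value) {
            if (self::$escapeCallback) {
                $value = call_user_func(self::$escapeCallback, $value);
            }
            $template = str_replace('{' . $name . '}', $value, $template);
        }
        return $template;
    }
}

// Hypothetical helper shaped like the add-on branch; $restore toggles the patch.
function addonPhrase(string $template, array $params, bool $restore): string
{
    DemoPhrase::setEscapeCallback(false);
    $rendered = DemoPhrase::render($template, $params);
    if ($restore) {
        DemoPhrase::setEscapeCallback('htmlspecialchars'); // the patch line
    }
    return $rendered;
}

$input = '<b>constructed user input</b>'; // constructed sample value

// Unpatched: escaping stays disabled for phrases rendered later in the request.
addonPhrase('Hello', [], false);
$unpatched = DemoPhrase::render('No results for {q}', ['q' => $input]);

// Patched: the default callback is restored before the helper returns.
DemoPhrase::setEscapeCallback('htmlspecialchars'); // reset demo state
addonPhrase('Hello', [], true);
$patched = DemoPhrase::render('No results for {q}', ['q' => $input]);

echo "unpatched: {$unpatched}\n";
echo "patched:   {$patched}\n";
```

Run from the command line, the first line prints the sample markup unchanged and the second prints it entity-encoded.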
 