ACP gone
- Thread starter Lucandi
- Start date
It's not really that strange if you hadn't successfully patched your installation with the instructions I linked and were compromised as a result. The security issues fixed in XF 2.2.16, nearly a year ago, were especially serious. The idea that we would risk our reputation by remotely disabling or otherwise interfering with expired licenses is ludicrous. There are many, many forums running on expired licenses (and indeed older versions, patched appropriately) without issue.
If my forum had been taken over by someone or a few, then the strangest thing is that they don't take over the forum completely and lock me out. Changing the logo, I don't know what. But that they would remove the tools in acp sounds ****ing ridiculous. What you're talking about with the security risk, I asked a question about that a while ago. https://xenforo.com/community/threads/acp-gone.230505/page-2#posts
and where I'm supposed to enter that code, that page or file doesn't exist. It's even stranger that you come now after so long and write about what I asked several months ago. Where were you then?
I understand that this is your livelihood, but why should I support you when you don't get the help or simple question that might have solved my problem? I hope you understand my thinking. No one buys something they don't get something in return.
As I already said, support on the forums is provided solely as a courtesy. I try my best to help out here if and when I have the bandwidth to do so. I can't and don't keep up with every post, and I had not seen your prior thread. It is both the weekend and a holiday in the UK and US as I write this. If you want official ticket support, it is included with your license renewal and provided on business days.
When you first installed XenForo, the files were uploaded to your server somewhere. The files that were uploaded to the server are the files that you will need to patch. If you aren't able to do that, the expectation is that you renew your license and upgrade normally or purchase the upgrade service. The renewals (among other things) are what support the business and enable us to fix these issues and publish the patches for the benefit of everyone, including expired license holders.
There are many files which must be patched. They're in the directions linked.
For the patches in XF 2.2.16, edit
src/XF.php manually as instructed. After that, download the 2216a-patch.zip file, unzip it, and overwrite the files on your server with the corresponding files from the upload directory of the download.For the patch in XF 2.2.17, edit
src/XF/App.php manually as instructed.However, neither of these will undo a compromise that already occurred. My advice would be to restore from a backup first, then do the steps above, and after rotate any important credentials (database passwords, account passwords), etc.
Renewing the license allows you to use the "one-click" upgrade process, so the upgrade service is usually unnecessary. Still, renewing and upgrading won't reverse a compromised installation either. If you go this route, you should restore from a backup first, then upgrade (likely just to XF 2.2.17 rather than 2.3 to save yourself the headache of a major upgrade).
To be clear, I don't know that. I just don't have another explanation to offer you and, under the circumstances (running an old, unpatched version), it seems the most likely. Especially if you already disabled add-ons as a first step like I had initially recommended and it did not help.
It is an attachment in the first linked thread, published specifically so that we can make important security updates available to customers with expired licenses. We wouldn't do that at all if we really wanted to take every opportunity to make customers renew their licenses.
If you are upgrading, there should almost never be a reason not to be on the latest third-point release, so XF 2.2.17. If you are patching, both patches must be applied.
It will be in the root directory of your XF installation. If you're using shared hosting, there's often (but not always) a folder called
public_html or similar, and in that folder you will find a folder called src, and in that folder you will find XF.php.
Last edited:
We do try to make the one-click upgrade process as simple as possible for active self-hosted licenses, and we provide a managed cloud solution for people who don't want to worry about infrastructure and upgrades, but I understand they may not be affordable to everyone. The manual patches we provide for customers with expired licenses are the best we can offer under the circumstances.
But you are so sure that my forum has been hacked and there is nothing that can save it and not anything about renewing the license either. Then I don't understand why you still need to talk about license renewal. I have looked at your hosting a long time ago. Unfortunately I don't have the money you want. You are far too expensive. My finances can't handle it. Then in the description, find this you say. I look at one of the files, it is over 3000 lines. Should I, as an amateur, look for a line code? Wouldn't it have been wise if you had written, for example, line 214 there is this public function getDynamicRedirect($fallbackUrl = null, $useReferrer = true)
change it to this. Oh well, those who understand what I mean understand, you probably also understand what I want to say about the whole thing but. **** the same. The world is not going to end just because of this **** thing.
change it to this. Oh well, those who understand what I mean understand, you probably also understand what I want to say about the whole thing but. **** the same. The world is not going to end just because of this **** thing.
I already said I am not sure, but I believe it to be the most likely culprit.
I already said I understand not everything is affordable to everybody.
No, because the line number can vary depending on what version you are patching. It may be different for someone on v2.2.0, v2.2.11, v2.2.13, etc.
I can empathize that you are experiencing a problem, and that a license renewal is unaffordable. I've also gone out of my way to address your concerns on a holiday weekend as a personal courtesy, and I hope you can empathize too.
FTL
Well-known member
I'd like to add that I've logged tickets at something like 10pm on a Saturday expecting support to get back to me on Monday during business hours, but no, sometimes an insomniac* staff member answers my question at something like 3am Sunday - epic.
Don't see that in a lot of places.I always make sure to thank them for going above and beyond / the extra mile.
*I can relate, believe me...
Alan_SP
Well-known member
As you say that it happened suddenly, I'd also check idea if something is changed in server environment that might affect your forum. Like server update, or something similar.
Not sure what's going on, being hacked is certainly option, but it might not be that too.
So, you can ask your host's support if there were some updates on server. Maybe even simple reboot of server could solve your issues, hard to tell, it's just wild guess on my part, but I usually try to go with easiest and simplest things first.
Not sure what's going on, being hacked is certainly option, but it might not be that too.
So, you can ask your host's support if there were some updates on server. Maybe even simple reboot of server could solve your issues, hard to tell, it's just wild guess on my part, but I usually try to go with easiest and simplest things first.
I can't add much that I haven't already said:
You should restore from a backup taken before the compromise occurred. If you don't have a backup, then you would need to hire someone who can help secure your installation and revert any changes. Afterwards, you should upgrade to at least v2.2.17 and change any important credentials (hosting, database, administrator accounts). It may also be prudent to alert your users if there's a chance any private information could have leaked.
You should restore from a backup taken before the compromise occurred. If you don't have a backup, then you would need to hire someone who can help secure your installation and revert any changes. Afterwards, you should upgrade to at least v2.2.17 and change any important credentials (hosting, database, administrator accounts). It may also be prudent to alert your users if there's a chance any private information could have leaked.
I have restored but it is the same thing. But how do I find someone I can hire? I just asked you about this, whether I should upgrade or buy a license. Now I bought a license twice that turned out wrong. After I made the purchase you come in and now write that I should upgrade. I don't understand you. You have had several days to answer me but when you see that I bought a license you suddenly come in and say that I should upgrade. I don't think you are honest. It's so that you have to feed you money to get an answer at a time.
Similar threads
- Suggestion
