http://www.icyphoenix.com/viewtopic.php?f=27&t=233 ----------------------------------- Mighty Gorgon Thu 31 Aug, 2006 01:42 Security Issue In Cache Folder ----------------------------------- Hi all. phpBB forums are now the new target for the hackers... many phpBB based sites are being defaced in these days. Most of the problems are related to REGISTER_GLOBALS, but today I've discovered a new issue. One site has being hacked trough the CACHE folder which has 777 permissions... so a file has been modified in there and the site defaced. I suggest to put HTACCESS in your CACHE folder and try to set 775 as CHMOD for both CACHE and files in there... Everything should continue to work, but your files should be protected from this kind of attacks. If you're having problems after changing CHMOD put everything back to 777. I've also patched another couple of files... in some days we will have a new XS release... more secure than the older one... :wink: If you discover some other types of security issues, please, notify me. Thanks. ----------------------------------- AvrilBoi Thu 31 Aug, 2006 11:30 Re: Security Issue In Cache Folder ----------------------------------- Since the cache files are generated by XS the user and group who own those files are "Apache" and not me, so I'm not able to chmod the files :? I think I can chmod them by a script but not by ftp. ----------------------------------- KugeLSichA Thu 31 Aug, 2006 11:50 Re: Security Issue In Cache Folder ----------------------------------- Hi MG, as i told you yesterday on MSN. i have had probs with that... later i tried again. but it doesnt work. I still have problems with that an get an blank page, so I set it back to CHMOD 777 cya ----------------------------------- AvrilBoi Thu 31 Aug, 2006 12:38 Re: Security Issue In Cache Folder ----------------------------------- [quote user="KugeLSichA" post="1865"] I still have problems with that an get an blank page, so I set it back to CHMOD 777 [/quote] I was going to post that exactly... I need to have it chmodded 777 ----------------------------------- Hakkinen Thu 31 Aug, 2006 17:06 Respuesta: Security Issue In Cache Folder ----------------------------------- I don't know, but i put HTACCES in CACHE folder but with CHMOD 777, performance was low, maybe was the server, maybe not, but i leave it on 777 :shock: ----------------------------------- TheLastLegion Thu 31 Aug, 2006 17:20 Re: Security Issue In Cache Folder ----------------------------------- ok as a sexurity expert i suggest one thing: Do you have protection against perl exploits? These perl exploits are ran from the cmd and usually get in through the bb codes features How would i know this? One of my friends sites make them.. ----------------------------------- Mighty Gorgon Fri 01 Sep, 2006 17:25 Re: Security Issue In Cache Folder ----------------------------------- [quote user="TheLastLegion" post="1925"]ok as a sexurity expert i suggest one thing: Do you have protection against perl exploits? These perl exploits are ran from the cmd and usually get in through the bb codes features How would i know this? One of my friends sites make them..[/quote] Yes... I've discovered just 3 days ago one hole in BBCodes, and I should have fixed it. I'm testing the whole things before releasing it as a patch! :wink: Regarding your expertise... do you want to cooperate with us for making XS more secure? :roll: ----------------------------------- Antonio Mercurio Sat 02 Sep, 2006 01:26 Re: Security Issue In Cache Folder ----------------------------------- I've made a lot of test but the .htaccess code is deleted again :( I'm considering to use the cache process to creata the two files at the end of process for empting the cache. (on my server I can deny access to the directory on httpd.conf) ----------------------------------- Mighty Gorgon Sat 02 Sep, 2006 04:58 Re: Security Issue In Cache Folder ----------------------------------- [quote user="Antonio Mercurio" post="2069"]I've made a lot of test but the .htaccess code is deleted again :( I'm considering to use the cache process to creata the two files at the end of process for empting the cache. (on my server I can deny access to the directory on httpd.conf)[/quote] Did you try setting HTACCESS permissions to 555? ----------------------------------- Antonio Mercurio Sat 02 Sep, 2006 07:47 Re: Security Issue In Cache Folder ----------------------------------- [quote user="Mighty Gorgon" post="2080"][quote user="Antonio Mercurio" post="2069"]I've made a lot of test but the .htaccess code is deleted again :( I'm considering to use the cache process to creata the two files at the end of process for empting the cache. (on my server I can deny access to the directory on httpd.conf)[/quote] Did you try setting HTACCESS permissions to 555?[/quote] Yes .. I think that the user WEB can override the chmod setting (maybe is set as a near admin). I'm going to write in httpd.conf a directive for that directory. I mean: in my webspace the process made by Apache is owned by the user WEB (I'm also considering to migrate the cache in a directory inside cache so the .htaccess will be a level up related to the cached directory) The stranghe thing is that another modded that uses part of the sistem cache doesn't remove the index and the .htaccess ----------------------------------- Mighty Gorgon Sat 02 Sep, 2006 13:21 Re: Security Issue In Cache Folder ----------------------------------- What is strange is that the function EMPTY CACHE of eXtreme Style doesn't delete the HTACCESS... it should be some other function... I'll look into it and let you know. ----------------------------------- Antonio Mercurio Sat 02 Sep, 2006 17:57 Re: Security Issue In Cache Folder ----------------------------------- [quote user="Mighty Gorgon" post="2143"]What is strange is that the function EMPTY CACHE of eXtreme Style doesn't delete the HTACCESS... it should be some other function... I'll look into it and let you know.[/quote] I think is the cache system of IM portal but only the pseudo cron setting that clear the directory. I'm hunting the ,htacces killer :) ----------------------------------- Mighty Gorgon Sat 02 Sep, 2006 22:53 Re: Security Issue In Cache Folder ----------------------------------- I should have fixed this in dev package... :roll: Try replacing this files in includes.