Icy Phoenix

     
 


Security Issue In Cache Folder
 
Hi all.

phpBB forums are now the new target for hackers... many phpBB based sites are being defaced these days.

Most of the problems are related to REGISTER_GLOBALS, but today I've discovered a new issue.

One site has been hacked through the CACHE folder, which has 777 permissions... so a file has been modified in there and the site defaced.

I suggest putting an HTACCESS in your CACHE folder and trying to set 775 as CHMOD for both CACHE and the files in there...

Everything should continue to work, but your files should be protected from this kind of attack. If you're having problems after changing CHMOD, put everything back to 777.

I've also patched another couple of files... in some days we will have a new XS release... more secure than the older one...

If you discover some other types of security issues, please, notify me.

Thanks.
 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty Gorgon
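A script for the hardening described in the post above, added here as an example and not code from the thread or from Icy Phoenix/XS: it writes a deny-all .htaccess into the cache directory and replaces 777 with 775 on directories and 664 on files, then audits for anything still world-writable. It assumes Apache honours .htaccess in that path (AllowOverride) and that PHP runs as the owner or as a member of the group of the cache files; if it does not, PHP can no longer write the cache and the board shows a blank page.

```sh
#!/bin/sh
# Added example (not from the thread or from XS): harden a phpBB cache dir.
# Assumes Apache reads .htaccess here and that the PHP process is the owner
# or in the group of the cache files, so 775/664 still lets it write.

harden_cache_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # Deny all direct HTTP access to cached files. Both directive styles
    # are emitted so the file loads on Apache 2.2 (Order/Deny) and 2.4
    # (Require) without a 500 error from an unknown directive.
    rm -f "$dir/.htaccess"            # re-runs must replace a read-only copy
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF

    # 777 -> 775 on directories, 777 -> 664 on files: owner and group keep
    # write access, "others" (any other account on the host) lose it.
    find "$dir" -type d -exec chmod 775 {} +
    find "$dir" -type f ! -name .htaccess -exec chmod 664 {} +
    # Read-only .htaccess so nothing rewrites it in place. Note that this
    # does not stop deletion: unlinking a file needs write permission on
    # the directory, which 775 still grants to the owner and the group.
    chmod 444 "$dir/.htaccess"
}

# Audit: print every path under $1 that is still world-writable (o+w).
# Empty output means the 777 hole is closed.
find_world_writable() {
    find "$1" -perm -002
}
```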
Re: Security Issue In Cache Folder
 
Since the cache files are generated by XS, the user and group who own those files are "Apache" and not me, so I'm not able to chmod the files. I think I can chmod them by a script but not by FTP.
 



 
AvrilBoi
Re: Security Issue In Cache Folder
 
Hi MG,

as I told you yesterday on MSN, I have had probs with that... later I tried again, but it doesn't work.

I still have problems with that and get a blank page, so I set it back to CHMOD 777

cya
 




 
KugeLSichA
Re: Security Issue In Cache Folder
 
KugeLSichA wrote:

I still have problems with that and get a blank page, so I set it back to CHMOD 777

I was going to post that exactly... I need to have it chmodded 777
 



 
AvrilBoi
Re: Security Issue In Cache Folder
 
I don't know, but I put HTACCESS in the CACHE folder while keeping CHMOD 777; performance was low, maybe it was the server, maybe not, but I leave it on 777
 



 
Hakkinen
Re: Security Issue In Cache Folder
 
ok as a security expert I suggest one thing:

Do you have protection against perl exploits?

These perl exploits are run from the cmd and usually get in through the BBCode features

How would I know this? One of my friends' sites make them..
 




 
TheLastLegion
Re: Security Issue In Cache Folder
 
TheLastLegion wrote:
ok as a security expert I suggest one thing:

Do you have protection against perl exploits?

These perl exploits are run from the cmd and usually get in through the BBCode features

How would I know this? One of my friends' sites make them..

Yes... I've discovered just 3 days ago one hole in BBCodes, and I should have fixed it. I'm testing the whole things before releasing it as a patch!

Regarding your expertise... do you want to cooperate with us for making XS more secure?
 




 
Mighty Gorgon
Re: Security Issue In Cache Folder
 
I've made a lot of tests but the .htaccess code is deleted again

I'm considering using the cache process to create the two files at the end of the process for emptying the cache.

(on my server I can deny access to the directory on httpd.conf)
 




 
Antonio Mercurio
Re: Security Issue In Cache Folder
 
Antonio Mercurio wrote:
I've made a lot of tests but the .htaccess code is deleted again

I'm considering using the cache process to create the two files at the end of the process for emptying the cache.

(on my server I can deny access to the directory on httpd.conf)

Did you try setting HTACCESS permissions to 555?
 




 
Mighty Gorgon
Re: Security Issue In Cache Folder
 
Mighty Gorgon wrote:
Antonio Mercurio wrote:
I've made a lot of tests but the .htaccess code is deleted again

I'm considering using the cache process to create the two files at the end of the process for emptying the cache.

(on my server I can deny access to the directory on httpd.conf)

Did you try setting HTACCESS permissions to 555?


Yes... I think that the user WEB can override the chmod setting (maybe it is set as a near admin).
I'm going to write a directive for that directory in httpd.conf.

I mean: in my webspace the process made by Apache is owned by the user WEB

(I'm also considering migrating the cache into a directory inside cache, so the .htaccess will be one level up relative to the cached directory)

The strange thing is that another mod that uses part of the system cache doesn't remove the index and the .htaccess
 




 
Antonio Mercurio
Re: Security Issue In Cache Folder
 
What is strange is that the function EMPTY CACHE of eXtreme Style doesn't delete the HTACCESS... it should be some other function...

I'll look into it and let you know.
 




 
Mighty Gorgon
Re: Security Issue In Cache Folder
 
Mighty Gorgon wrote:
What is strange is that the function EMPTY CACHE of eXtreme Style doesn't delete the HTACCESS... it should be some other function...

I'll look into it and let you know.


I think it is the cache system of IM Portal, but only the pseudo-cron setting that clears the directory.
I'm hunting the .htaccess killer
 




 
Antonio Mercurio
Re: Security Issue In Cache Folder
 
I should have fixed this in the dev package...

Try replacing these files in includes.

Attachment: lite.rar (IM Portal Lite, 3.85 KB, downloaded 308 times)

 




 
Mighty Gorgon