Hi all.
phpBB forums are now the new target for the hackers... many phpBB-based sites are being defaced these days.
Most of the problems are related to REGISTER_GLOBALS, but today I've discovered a new issue.
One site has been hacked through the CACHE folder, which has 777 permissions... so a file has been modified in there and the site defaced.
I suggest putting an HTACCESS in your CACHE folder and trying to set 775 as CHMOD for both CACHE and the files in there...
Everything should continue to work, but your files should be protected from this kind of attack. If you're having problems after changing CHMOD, put everything back to 777.
I've also patched another couple of files... in some days we will have a new XS release... more secure than the older one... :wink:
If you discover some other types of security issues, please notify me.
Thanks.
Security Issue In Cache Folder
Subject: Re: Security Issue In Cache Folder
Since the cache files are generated by XS, the user and group who own those files are "Apache" and not me, so I'm not able to chmod the files :? I think I can chmod them with a script but not by FTP.
Subject: Re: Security Issue In Cache Folder
Hi MG,
As I told you yesterday on MSN, I have had problems with that... later I tried again, but it doesn't work.
I still have problems with that and get a blank page, so I set it back to CHMOD 777.
cya
Subject: Re: Security Issue In Cache Folder
I was going to post that exactly... I need to have it chmodded 777
Subject: Re: Security Issue In Cache Folder
I don't know, but I put an HTACCESS in the CACHE folder, but with CHMOD 777 performance was low. Maybe it was the server, maybe not, but I leave it on 777 :shock:
Subject: Re: Security Issue In Cache Folder
OK, as a security expert I suggest one thing:
Do you have protection against Perl exploits?
These Perl exploits are run from the command line and usually get in through the BBCode features.
How would I know this? One of my friends' sites makes them..
Subject: Re: Security Issue In Cache Folder
Yes... just 3 days ago I discovered one hole in BBCodes, and I should have fixed it. I'm testing the whole thing before releasing it as a patch! :wink:
Regarding your expertise... do you want to cooperate with us in making XS more secure? :roll:
Subject: Re: Security Issue In Cache Folder
I've made a lot of tests, but the .htaccess code is deleted again :(
I'm considering using the cache process to create the two files at the end of the process for emptying the cache.
(On my server I can deny access to the directory in httpd.conf.)
Subject: Re: Security Issue In Cache Folder
Did you try setting HTACCESS permissions to 555?
Subject: Re: Security Issue In Cache Folder
Yes.. I think that the user WEB can override the chmod setting (maybe it is set as a near-admin).
I'm going to write a directive for that directory in httpd.conf.
I mean: in my webspace the process run by Apache is owned by the user WEB.
(I'm also considering migrating the cache into a directory inside cache, so the .htaccess will be one level up from the cached directory.)
The strange thing is that another mod that uses part of the system cache doesn't remove the index and the .htaccess.
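The hardening suggested in the opening post (a deny-all .htaccess in the cache directory and dropping it from 777), together with the httpd.conf alternative mentioned in the post above, as an added example. This is not code from the thread or from the XS/Icy Phoenix package. The cache path is an assumption, the script must run as the owner of the cache files (the web server user, as the second post notes, or root), and the .htaccess only takes effect where AllowOverride permits it.

```shell
#!/bin/sh
# Added example, not part of the original thread or the XS package.
# Lock down a phpBB-style cache directory and audit it for world-writable
# entries. The directory path is supplied by the caller (assumption).

# Write a deny-all .htaccess and an empty index.html into the cache
# directory, then drop the directory from 777 to 755 and its files to 644.
# "Require all denied" is the Apache 2.4 form, "Deny from all" the 2.2 form;
# the IfModule guards let one file serve both.
harden_cache_dir() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    : > "$dir/index.html"
    chmod 755 "$dir"
    # Regular files become 644; the .htaccess is made read-only so a stray
    # write cannot clobber it (a process owning the directory can still
    # unlink it, which is why the httpd.conf block below is more robust).
    find "$dir" -type f ! -name .htaccess -exec chmod 644 {} +
    chmod 444 "$dir/.htaccess"
}

# Print the number of entries under a directory that are writable by
# everyone (the "other" write bit, the 777 case from the thread).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Emit the httpd.conf equivalent of the .htaccess for the given absolute
# path. Unlike the .htaccess, this lives outside the cache directory, so a
# cache purge running as the web user cannot delete it.
print_httpd_conf_block() {
    printf '<Directory "%s">\n' "$1"
    printf '    <IfModule mod_authz_core.c>\n        Require all denied\n    </IfModule>\n'
    printf '    <IfModule !mod_authz_core.c>\n        Order deny,allow\n        Deny from all\n    </IfModule>\n'
    printf '</Directory>\n'
}

# Usage (path is an example):
#   harden_cache_dir /var/www/phpbb/cache
#   count_world_writable /var/www/phpbb/cache
#   print_httpd_conf_block /var/www/phpbb/cache >> /etc/httpd/conf.d/phpbb-cache.conf
```

Because the web server user owns the cache, any routine running as that user (such as the cache-emptying code discussed later in the thread) can still remove the .htaccess even when it is 444; the httpd.conf block does not depend on a file inside the cache and is the setting to prefer where you control the server. Re-run the audit after a purge to confirm nothing has gone back to 777.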
Subject: Re: Security Issue In Cache Folder
What is strange is that the EMPTY CACHE function of eXtreme Style doesn't delete the HTACCESS... it must be some other function...
I'll look into it and let you know.
Subject: Re: Security Issue In Cache Folder
I think it is the cache system of IM Portal, but only the pseudo-cron setting that clears the directory.
I'm hunting the .htaccess killer :)
Subject: Re: Security Issue In Cache Folder
I should have fixed this in dev package... :roll:
Try replacing these files in includes.
Attachment: lite.rar (IM Portal Lite), 3.85 KB, downloaded 360 times.
Powered by Icy Phoenix based on phpBB