WhosOnline addon : Bug causing config.php to be over-written?*

whu606

I enabled your plugin yesterday on my forum and everything was fine.

This morning the forum stopped working, and I traced it back to the config.php file being overwritten.

I restored the config file, and the forum was fine.

I re-enabled your plugin and within 5 minutes the same thing had occurred, where it seems the config file was being overwritten by an online user who would not otherwise have access to the file.

I can't be certain it was the plugin, but it looks likely.

Just wanted to let you know.

garymardell

@whu606 I can't find anything that would overwrite the config file, as in its then completely blank? However i did find a bug that would allow non admin users to update the whos online settings, which has now been fixed in version 1.3. I recommend you upgrade.

whu606

Thanks Gary

I should have saved the last config file - but was too panicked to do so!

The config file isn't completely blank.

It had some kind of header, and the message that it was last updated by a user who was just online at that time.

I'll upgrade to 1.3, and if the problem repeats I'll post the config file contents here.

UnderDog

It had some kind of header, and the message that it was last updated by a user who was just online at that time.

That is very interesting. Which role does that user have? Member? Moderator? Does he have more rights than other users?

I'll upgrade to 1.3, and if the problem repeats I'll post the config file contents here.

Careful that you do not post sensitive information. MySQL username and Password are in that file :-)

garymardell

Yeah, if you must pm me the file contents.

whu606

Hi Gary

Sorry for blaming your code!

The same thing just happened while the plugin wasn't enabled.

I'll have to check and see what permissions are going on.

Just for info, the config file gets rewritten to this,:

<?php if (!defined('APPLICATION')) exit();

// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';

// Last edited by Don'tShowAUserName (NEVERshowIP'sInForumThreads)2011-02-06 04:53:14

Thanks for your help anyway, and apologies again for wasting your time.

garymardell

That's fine. However there is definitely a more serious problem somewhere. To me it seems like more of a server issue and that your being hacked, check the logs or get your hosting provider to run some checks. The only reason i think this is that throughout most of vanilla the config options are written using a method "C()" which would not allow for all the options to be deleted and the files are written in one place that cannot be called from outside vanilla itself.

Don't quote me on this there are a few assumptions, maybe @Mark or @Tim can help you further. But first step is to check for unauthorized access to your host, and ensure any other scripts on your hosting are up to date.

Seems like your not the only one: http://vanillaforums.org/discussion/14757/config-file-hackeds

whu606

Thanks for pointing me towards that, Gary.

I think the likelihood of my server being hacked is slim.

I figure it might be some kind of issue in the latest update of Vanilla.

For now, I've just removed any write permissions to config, and will only turn them on if I need to access the file.

Thanks again for your help.

garymardell

If it was a one off, hacking some servers are very easy. But yeah definitely is vanilla somewhere.