WhosOnline addon : Bug causing config.php to be over-written?*
whu606
MVP
I enabled your plugin yesterday on my forum and everything was fine.
This morning the forum stopped working, and I traced it back to the config.php file being overwritten.
I restored the config file, and the forum was fine.
I re-enabled your plugin and within 5 minutes the same thing had occurred, where it seems the config file was being overwritten by an online user who would not otherwise have access to the file.
I can't be certain it was the plugin, but it looks likely.
Just wanted to let you know.
Comments
I should have saved the last config file - but was too panicked to do so!
The config file isn't completely blank.
It had some kind of header, and the message that it was last updated by a user who was just online at that time.
I'll upgrade to 1.3, and if the problem repeats I'll post the config file contents here.
Sorry for blaming your code!
The same thing just happened while the plugin wasn't enabled.
I'll have to check and see what permissions are going on.
Just for info, the config file gets rewritten to this:
<?php if (!defined('APPLICATION')) exit();
// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';
// Last edited by Don'tShowAUserName (NEVERshowIP'sInForumThreads)2011-02-06 04:53:14
Thanks for your help anyway, and apologies again for wasting your time.
Don't quote me on this, there are a few assumptions; maybe @Mark or @Tim can help you further. But the first step is to check for unauthorized access to your host, and ensure any other scripts on your hosting are up to date.
Seems like you're not the only one: http://vanillaforums.org/discussion/14757/config-file-hackeds
I think the likelihood of my server being hacked is slim.
I figure it might be some kind of issue in the latest update of Vanilla.
For now, I've just removed any write permissions to config, and will only turn them on if I need to access the file.
Thanks again for your help.
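The two things this thread turns on, a config.php reduced to a single setting and the write-permission lock-down, can both be checked from a shell. The script below is an added example, not code from the thread or from Vanilla; the function names, the five-assignment threshold and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vanilla.
# Assumptions: function names, the 5-assignment threshold, the sample file.

# "writable" if any write bit (owner, group or other) is set, else "read-only".
config_write_state() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        *w*) echo "writable" ;;
        *)   echo "read-only" ;;
    esac
}

# "truncated" if the file has fewer than $2 (default 5) $Configuration[...]
# assignments, as in the overwritten file quoted in the thread; else "ok".
config_content_state() {
    keys=$(grep -c '^\$Configuration\[' "$1" || true)
    if [ "$keys" -lt "${2:-5}" ]; then echo "truncated"; else echo "ok"; fi
}

# The "Last edited by" stamp, which records who triggered the last save.
config_last_edit() {
    grep '^// Last edited by' "$1" | tail -n 1
}

# Constructed sample modelled on the overwritten file from the thread.
write_sample() {
    cat > "$1" <<'EOF'
<?php if (!defined('APPLICATION')) exit();
// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';
// Last edited by SomeUser (redacted) 2011-02-06 04:53:14
EOF
}

# One-line status plus the last-edit stamp for a given config file.
check_config() {
    echo "$1: $(config_write_state "$1"), $(config_content_state "$1")"
    config_last_edit "$1"
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir/config.php"
check_config "$sample_dir/config.php"      # state before the lock-down
chmod a-w "$sample_dir/config.php"         # the mitigation from the thread
check_config "$sample_dir/config.php"      # state after the lock-down
```

Run from cron against the live config.php, the same checks flag a rewrite shortly after it happens and keep the stamp line as a record of which session triggered it.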