
WhosOnline addon: Bug causing config.php to be over-written?

whu606 MVP
edited February 2011 in Vanilla 2.0 - 2.8
I enabled your plugin yesterday on my forum and everything was fine.

This morning the forum stopped working, and I traced it back to the config.php file being overwritten.

I restored the config file, and the forum was fine.

I re-enabled your plugin and within 5 minutes the same thing had occurred, where it seems the config file was being overwritten by an online user who would not otherwise have access to the file.

I can't be certain it was the plugin, but it looks likely.

Just wanted to let you know.

Comments

  • @whu606 I can't find anything that would overwrite the config file, as in it's then completely blank? However, I did find a bug that would allow non-admin users to update the WhosOnline settings, which has now been fixed in version 1.3. I recommend you upgrade.
  • Thanks Gary

    I should have saved the last config file - but was too panicked to do so!

    The config file isn't completely blank.

    It had some kind of header, and the message that it was last updated by a user who was just online at that time.

    I'll upgrade to 1.3, and if the problem repeats I'll post the config file contents here.
  • > It had some kind of header, and the message that it was last updated by a user who was just online at that time.
    That is very interesting. Which role does that user have? Member? Moderator? Does he have more rights than other users?
    > I'll upgrade to 1.3, and if the problem repeats I'll post the config file contents here.
    Careful that you do not post sensitive information. MySQL username and password are in that file :-)


  • Yeah, if you must, PM me the file contents.
  • whu606 MVP
    edited February 2011
    Hi Gary

    Sorry for blaming your code!

    The same thing just happened while the plugin wasn't enabled.

    I'll have to check and see what permissions are going on.

    Just for info, the config file gets rewritten to this:

    <?php if (!defined('APPLICATION')) exit();

    // Garden
    $Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';

    // Last edited by Don'tShowAUserName (NEVERshowIP'sInForumThreads)2011-02-06 04:53:14

    Thanks for your help anyway, and apologies again for wasting your time.
  • edited February 2011
    That's fine. :) However, there is definitely a more serious problem somewhere. To me it seems like more of a server issue and that you're being hacked; check the logs or get your hosting provider to run some checks. The only reason I think this is that throughout most of Vanilla the config options are written using a method "C()" which would not allow for all the options to be deleted, and the files are written in one place that cannot be called from outside Vanilla itself.

    Don't quote me on this; there are a few assumptions. Maybe @Mark or @Tim can help you further. But the first step is to check for unauthorized access to your host, and ensure any other scripts on your hosting are up to date.

    Seems like you're not the only one: http://vanillaforums.org/discussion/14757/config-file-hackeds
  • Thanks for pointing me towards that, Gary.

    I think the likelihood of my server being hacked is slim.

    I figure it might be some kind of issue in the latest update of Vanilla.

    For now, I've just removed any write permissions to config, and will only turn them on if I need to access the file.

    Thanks again for your help.
  • If it was a one-off, hacking some servers is very easy. But yeah, definitely is Vanilla somewhere.
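
As an added example (not part of the thread and not Vanilla's own code), a small Python check that flags the overwritten state whu606 posted: it lists the `$Configuration` keys in a config.php body, reports the "Last edited by" trailer, and marks the file truncated when an expected section is absent. The sample file bodies, user name and IP address are constructed, and treating `Database` as a required section is an assumption based on the thread's remark that the MySQL credentials live in this file.

```python
import re

# $Configuration['Section']['Key'] = ...; assignments, one per line
KEY_RE = re.compile(r"^\s*\$Configuration((?:\['[^']+'\])+)\s*=", re.M)
# Trailer in the form shown in the thread: // Last edited by <who><timestamp>
EDIT_RE = re.compile(
    r"^\s*// Last edited by (.*?)\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$", re.M)

def audit_config(text, required=("Database",)):
    """Summarise a config.php body and flag it when a required section is gone.

    required: top-level sections a working config must contain. "Database" is
    an assumption drawn from the thread (the MySQL credentials are in the file).
    """
    keys = [re.findall(r"\['([^']+)'\]", m.group(1)) for m in KEY_RE.finditer(text)]
    sections = sorted({k[0] for k in keys})
    missing = [s for s in required if s not in sections]
    edit = EDIT_RE.search(text)
    return {
        "key_count": len(keys),
        "sections": sections,
        "missing": missing,
        "truncated": bool(missing),
        "last_editor": edit.group(1) if edit else None,
        "last_edit_time": edit.group(2) if edit else None,
    }

# Constructed sample: the overwritten state from the thread, with a made-up
# user name and a documentation-range IP in place of the redacted values.
OVERWRITTEN = """<?php if (!defined('APPLICATION')) exit();

// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';

// Last edited by exampleuser (203.0.113.7)2011-02-06 04:53:14
"""

# Constructed sample of an intact file; key names and values are illustrative.
HEALTHY = """<?php if (!defined('APPLICATION')) exit();

// Database
$Configuration['Database']['Name'] = 'forum_db';
$Configuration['Database']['User'] = 'forum_user';
$Configuration['Database']['Password'] = 'placeholder';

// Garden
$Configuration['Garden']['Title'] = 'Example Forum';
"""
```

Run from cron against the live file, a `truncated` result together with the recorded editor and timestamp gives a starting point for matching the overwrite against web server access logs.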