Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Config.php got overwritten by a forum user.

edited April 2011 in Vanilla 2.0 - 2.8
Today I saw an error page on my forum and I noticed that the config.php got overwritten somehow. The uploads directory also got changed to 755 instead of 777.

config.php

<?php if (!defined('APPLICATION')) exit(); // Garden $Configuration['Garden']['Analytics']['LastSentDate'] = '20110117'; // Last edited by Bob (76.121.59.*)2011-04-02 18:11:29

The user (Bob) is an admin on Vanilla forums but he doesn't have shell access. He said he just opened the main page and this happened.

Does anyone know what happened?

Comments

  • LincLinc Detroit Admin
    It wasn't malicious, it was likely a software glitch.

    @Tim
  • Is there anything I can do to prevent this?
  • lucluc ✭✭
    edited April 2011
    If you're sure you won't need any change, make the config file readonly.
  • If you're sure you won't need any change, make the config file readonly.
    Then I can't change any plugins.
  • Is there anything I can do to prevent this?
    Isn't the problem solved with 2.0.19 ?

    There was an error rendering this rich post.

  • lucluc ✭✭
    2.0.17.9 you mean?
    Nothing much changed there except security issue regarding cookies.
    @Bottiger: indeed yes.
    But either you give admin rights to other users and trust them, or you restrict writing to it at shell level. Once it's setup, I don't see much use to modify parameters often.

    As for writing the file just by viewing, it might be just as Lincoln said. Normally, I'd say nothing was changed in the file.
  • Isn't the problem solved with 2.0.19 ?
    I've just seen it in 2.0.17.10.
  • TimTim Operations Vanilla Staff
    Part of why we rewrote Analytics in 2.0.18 was because the version in 2.0.17.10 was writing to the config file on every pageview in order to record/check its state. This caused some race conditions and resulted in the config file getting wiped.

    2.0.18 fixes that.

    Vanilla Forums COO [GitHub, Twitter, About.me]

Sign In or Register to comment.