Config.php got overwritten by a forum user.

Bottiger · April 2011

Today I saw an error page on my forum and I noticed that the config.php got overwritten somehow. The uploads directory also got changed to 755 instead of 777.

config.php


<?php if (!defined('APPLICATION')) exit();

// Garden
$Configuration['Garden']['Analytics']['LastSentDate'] = '20110117';

// Last edited by Bob (76.121.59.*)2011-04-02 18:11:29

The user (Bob) is an admin on Vanilla forums but he doesn't have shell access. He said he just opened the main page and this happened.

Does anyone know what happened?

Linc · April 2011

It wasn't malicious, it was likely a software glitch.

@Tim

Bottiger · April 2011

Is there anything I can do to prevent this?

luc · April 2011

If you're sure you won't need any change, make the config file readonly.

Bottiger · April 2011

If you're sure you won't need any change, make the config file readonly.

Then I can't change any plugins.

UnderDog · April 2011

Is there anything I can do to prevent this?

Isn't the problem solved with 2.0.19 ?

luc · April 2011

2.0.17.9 you mean?
Nothing much changed there except security issue regarding cookies.
@Bottiger: indeed yes.
But either you give admin rights to other users and trust them, or you restrict writing to it at shell level. Once it's setup, I don't see much use to modify parameters often.

As for writing the file just by viewing, it might be just as Lincoln said. Normally, I'd say nothing was changed in the file.

dandv · June 2011

Isn't the problem solved with 2.0.19 ?

I've just seen it in 2.0.17.10.

Tim · June 2011

Part of why we rewrote Analytics in 2.0.18 was because the version in 2.0.17.10 was writing to the config file on every pageview in order to record/check its state. This caused some race conditions and resulted in the config file getting wiped.

2.0.18 fixes that.

Config.php got overwritten by a forum user.

Comments