Ummmm GoogleBot over wrote my config file

jackjitsu

Version 2.0.18.8

The timestamp on my config file changed and after viewing it, THIS was at the end of the file:

// Last edited by Unknown (66.249.73.57)2014-02-06 13:31:19

That is googlebot.

My site uses the facebook,google,openid,twitter auto-login functionality.
Not sure how googlebot got to the Dashboard and over wrote my config file. SCARY.

Any theories???

x00

I doubt that. it is most likely a cron operation. The ip is just the request that triggered the change.

There is no reason why google bot would try to write to any file.

hgtonight

Any plugin that changes the config when a page or link is visited while not logged in could cause this. I can't think of any off the top of my head.

Would you mind listing the plugins you have installed?

jackjitsu

It's not a cron. I run on a dedicated server and control all cron jobs.

The config file is typically over written when I log into the dashboard and modify a plugin or something.

So I was kinda shocked to see the config file had been changed and the change stamp showed UNKNOWN with an IP address belonging to googlebot.

Are there times Vanilla over writes the config file for other reasons?

Ive seen it changed before, but it was by another legit username. Im worried people and bots are somehow accessing the dashboard.

Has anyone seen this behavior on one of their sites?

hgtonight

Any plugin can save information to the config. Any changes to the config are written to the disk (along with the timestamp info).

My guess is you have a plugin that changes the config, but doesn't check permissions OR your guest permissions allow accessing a link that updates the config.

Please list your enabled plugins and your guest permissions.

jackjitsu

Active plugin list

Add Menu
All Viewed  
BotStop
Emotify 
Facebook
Filter Star
Flagging
Formatting
Google Sign In
ImageUpload
In This Discussion
IndexPhotos
Karma Bank
Marketplace
Mediator
NBBC
NoAvatar
OpenID
Peregrine Badges
PM
Pockets
Purchase Premium Roles
Q&A
Quotes
Sitemaps
Spoof
Stop Forum Spam
Tagging
Tapatalk
Thankful People
TopPosters
Twitter
Vanilla SEO
VShare
Web Title
WYSIWYG (CLEditor)

jackjitsu

GAH.... I listed each plugin on a separate line and it got reformatted. Sorry.

So is anyone even aware of a plugin over writing a config file on behalf of a guest user?

Is that even possible? Seems like it would have a lot of security implications.

x00

So is anyone even aware of a plugin over writing a config file on behalf of a guest user?

all the time. it is isn't on behalf a a user, it is just using request time.

that info is misleading you, you are putting too much significance on the IP. That IP is just there if there were manual setting made. If the file was edited directly you would really get that stamp, unless it was forged.

It's not a cron. I run on a dedicated server and control all cron jobs.

it is a request triggered cron not a true scheduled cron.

jackjitsu

Roger on the cron.

The linux filestamp time and the timestamp inside of config.php match.

That IP is just there if there were manual setting made.

Could you expand on this? What do you mean if manual settings were made?

Also, if this is the case, then most sites should have config files that have been over written by a guest user. Have people seen this?

hgtonight

That is a lot of plugins.

Here is what I would do.

1. Post a screenshot of your guest role permissions
2. Search through the plugins folder/files for the function call 'SaveToConfig'
3. For each one of those hits (should be relatively low <36 my guess) look for a permissions check
4. Post the names of any plugin you can't find a permissions check on

P.S. It looks like you have NBBC enabled. Unless you are specifically using it for something, bbcode support is in the core making this plugin redundant.

hgtonight

Plugins that potentially save to config by a non-sessioned user:

• Karmabank: Structure is potentially called on every request for hot updating the structure
• MarketPlace: Init calls MarketTransaction::PurgeTransactionMeta(); without checking permissions
• PurchasePremiumRoles: Structure is potentially called on every request for hot updating the structure
• Tagging: Discussions/Tagged updates the config without checking permissions

None of these are security leaks.

jackjitsu

Here is an fgrep of SaveToConfig
./PurchasePremiumRoles/default.php: SaveToConfig('Plugins.PurchasePremiumRoles.Version', $this->PluginInfo['Version']); ./MarketPlace/class.markettransactionmodel.php: SaveToConfig(array('Plugins.MarketPlace.MetaPurgeLast'=>time())); ./MarketPlace/default.php: SaveToConfig($Settings); ./MarketPlace/default.php: SaveToConfig($Settings); ./MarketPlace/default.php: SaveToConfig($Settings); ./MarketPlace/default.php: SaveToConfig('Plugins.MarketPlace.Version', $this->PluginInfo['Version']); ./MarketPlace/default.php: SaveToConfig(array('Plugins.MarketPlace.Gateway.PayPal.Account'=>C('Plugins.PremiumAccounts.PayPalAccount'),'Plugins.MarketPlace.Gateway.PayPal.AccountType'=>C('Plugins.PremiumAccounts.AccountType'))); ./embedvanilla/class.embedvanilla.plugin.php: SaveToConfig('Plugins.EmbedVanilla.RemoteUrl', $RemoteUrl); ./PM/class.pm.plugin.php: SaveToConfig('Plugin.PM.Text', 'PM'); ./RoleBadges/class.RoleBadges.plugin.php: SaveToConfig( 'Plugins.RoleBadges.BadgeLocation', '1' ); ./RegisterPM/default.php: SaveToConfig("RegisterPM.ThePM", "Hey! Welcome to our forums!");^M ./StopForumSpam/class.stopforumspam.plugin.php: SaveToConfig('Plugins.StopForumSpam.UserID', $UserID, array('CheckExisting' => TRUE)); ./FilterStar/class.filterstar.plugin.php: SaveToConfig('Plugins.FilterStar.Replacement', '');^M ./Flagging/class.flagging.plugin.php: SaveToConfig('Plugins.Flagging.NotifyUsers', array_values($NotifyUsers)); ./Flagging/class.flagging.plugin.php: SaveToConfig('Plugins.Flagging.Enabled', TRUE); ./GettingStarted/default.php: SaveToConfig($Step, '1'); ./VanillaSEO/class.vanillaseo.plugin.php: SaveToConfig('Plugins.SEO.DynamicTitles.'.$field, $Sender->Form->GetValue($field));^M ./VanillaSEO/class.vanillaseo.plugin.php: SaveToConfig('Plugins.SEO.Enabled', TRUE);^M ./Voting/class.voting.plugin.php: SaveToConfig('Plugins.Voting.Enabled', C('Plugins.Voting.Enabled') ? FALSE : TRUE); ./Voting/class.voting.plugin.php: SaveToConfig('Vanilla.Comments.AutoOffset', TRUE); ./Voting/class.voting.plugin.php:// SaveToConfig('Vanilla.Categories.Use', FALSE); ./Voting/class.voting.plugin.php:// SaveToConfig('Vanilla.Comments.AutoOffset', FALSE); ./UsersOnline/class.usersonline.plugin.php: SaveToConfig('Plugin.UsersOnline.ExpLength', 'num5');^M ./UsersOnline/class.usersonline.plugin.php: SaveToConfig('Plugin.UsersOnline.MsgTxt', 'users online');^M ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.CommentShowBalance',$FormValues['CommentShowBalance']); ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.StartingBalance', number_format(GetValue('StartingBalance',$FormValues),2,'.','')); ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.Enabled',TRUE); ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.Enabled',FALSE); ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.Version', $this->PluginInfo['Version']); ./BotStop/class.BotStop.plugin.php: SaveToConfig('Plugins.BotStop.Question', 'What is three plus three?');^M ./BotStop/class.BotStop.plugin.php: SaveToConfig('Plugins.BotStop.Answer1', '6');^M ./BotStop/class.BotStop.plugin.php: SaveToConfig('Plugins.BotStop.Answer2', 'six');^M ./SplitMerge/class.splitmerge.plugin.php: SaveToConfig('Vanilla.AdminCheckboxes.Use', TRUE); ./Quotes/class.quotes.plugin.php: SaveToConfig('Garden.Html.SafeStyles', FALSE); ./Signatures/class.signatures.plugin.php: SaveToConfig('Plugins.Signatures.Enabled', C('Plugins.Signatures.Enabled') ? FALSE : TRUE); ./Twitter/class.twitter.plugin.php: SaveToConfig($Settings); ./Formatting/class.formatting.plugin.php: SaveToConfig('Plugins.Formatting.Enabled', TRUE); ./Formatting/class.formatting.plugin.php: SaveToConfig('Plugins.Formatting.Enabled', FALSE); ./Pockets/class.pockets.plugin.php: SaveToConfig('Plugins.Pockets.ShowLocations', TRUE); ./Pockets/class.pockets.plugin.php: SaveToConfig('Plugins.Pockets.ShowLocations', FALSE, array('RemoveEmpty' => TRUE)); ./Pockets/class.pockets.plugin.php:// SaveToConfig('Plugins.Pockets.ShowLocations', $ShowLocations); ./Tagging/class.tagging.plugin.php: SaveToConfig(array( ./Tagging/class.tagging.plugin.php: SaveToConfig('Plugins.Tagging.Enabled', C('Plugins.Tagging.Enabled') ? FALSE : TRUE); ./Facebook/class.facebook.plugin.php: SaveToConfig($Settings); ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.SignIn.Popup', FALSE); ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticators.handshake.Name', 'VanillaConnect'); ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticators.handshake.CookieName', 'VanillaHandshake'); ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticators.handshake.TokenLifetime', 0); ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticator.DefaultScheme', 'handshake'); ./Facebook/class.facebook.plugin.php:// SaveToConfig('Plugins.VanillaConnect.Enabled', TRUE); ./Emotify/class.emotify.plugin.php: //SaveToConfig('Plugins.Emotify.FormatEmoticons', TRUE); ./Emotify/class.emotify.plugin.php: SaveToConfig('Garden.Format.Hashtags', FALSE); // Autohashing to search is incompatible with emotify

jackjitsu

NOTE: Not all of the above are ACTIVE. Only the ones previously listed.

hgtonight

Please see my analysis at: http://vanillaforums.org/discussion/comment/202447/#Comment_202447

jackjitsu

Guest Role screenshot

http://i.imgur.com/E2YyxSV.jpg

jackjitsu

I would wager you are correct about the Tagging plugin being the culprit. The others are not touched enough and when they are, they leave timestamps I can compare to the config file timestamp which dont match. I could be wrong though.

peregrine

But the biggest threat - If you are worried about security

is using an insecure version of vanilla instead of 2.0.18.10

which would take 5 minutes on am installation that has no core modifications.

jackjitsu

My bad.... I actually did the upgrade to 2.0.18.10 a while ago.

Skimmed my config file for the version number, saw this, and posted it
$Configuration['Conversations']['Version'] = '2.0.18.8';

peregrine

for what its worth. every time I upgrade I look in index.php. to find real version number and then I go through config.php and update the config.php with correct version numbers in following statements.

$Configuration['Conversations']['Version'] = '2.0.18.8';
$Configuration['Garden']['Version'] = '2.0.18.8';

to reflect the real version I am using.

Some plugins may try to get the version of vanilla via config.php (which is not the greatest idea, since the version in config.php is not auto-updated). instead of using a version function.

by updating the config.php to reflect correct versions - you are more consistent and less prone to potential problems with plugins that might use the read config for version method instead of using a version function to get version. Although a plugin reading config to get version number would be a bad way to go anyway, since it is not auto-updated with version numbers.

jackjitsu

Good to know! Last thing I need is side effects after an upgrade like that.

Ill update my config file. THANKS!