
Ummmm GoogleBot overwrote my config file

Version 2.0.18.8

The timestamp on my config file changed and after viewing it, THIS was at the end of the file:

// Last edited by Unknown (66.249.73.57)2014-02-06 13:31:19

That is googlebot.

My site uses the facebook,google,openid,twitter auto-login functionality.
Not sure how googlebot got to the Dashboard and overwrote my config file. SCARY.

Any theories???

Comments

  •

    I doubt that. It is most likely a cron operation. The IP is just the request that triggered the change.

    There is no reason why google bot would try to write to any file.

    grep is your friend.

  • hgtonight ∞ · New MVP

    Any plugin that changes the config when a page or link is visited while not logged in could cause this. I can't think of any off the top of my head.

    Would you mind listing the plugins you have installed?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  •

    It's not a cron. I run on a dedicated server and control all cron jobs.

    The config file is typically overwritten when I log into the dashboard and modify a plugin or something.

    So I was kinda shocked to see the config file had been changed and the change stamp showed UNKNOWN with an IP address belonging to googlebot.

    Are there times Vanilla over writes the config file for other reasons?

    I've seen it changed before, but it was by another legit username. I'm worried people and bots are somehow accessing the dashboard.

    Has anyone seen this behavior on one of their sites?

  • hgtonight ∞ · New MVP

    Any plugin can save information to the config. Any changes to the config are written to the disk (along with the timestamp info).

    My guess is you have a plugin that changes the config, but doesn't check permissions OR your guest permissions allow accessing a link that updates the config.

    Please list your enabled plugins and your guest permissions.


  • jackjitsu ✭✭
    edited February 2014

    Active plugin list

    Add Menu
    All Viewed
    BotStop
    Emotify
    Facebook
    Filter Star
    Flagging
    Formatting
    Google Sign In
    ImageUpload
    In This Discussion
    IndexPhotos
    Karma Bank
    Marketplace
    Mediator
    NBBC
    NoAvatar
    OpenID
    Peregrine Badges
    PM
    Pockets
    Purchase Premium Roles
    Q&A
    Quotes
    Sitemaps
    Spoof
    Stop Forum Spam
    Tagging
    Tapatalk
    Thankful People
    TopPosters
    Twitter
    Vanilla SEO
    VShare
    Web Title
    WYSIWYG (CLEditor)
    
  •

    GAH.... I listed each plugin on a separate line and it got reformatted. Sorry.

    So is anyone even aware of a plugin overwriting a config file on behalf of a guest user?

    Is that even possible? Seems like it would have a lot of security implications.

  •

    So is anyone even aware of a plugin over writing a config file on behalf of a guest user?

    All the time. It isn't on behalf of a user, it is just using request time.

    That info is misleading you; you are putting too much significance on the IP. That IP is just there if there were manual settings made. If the file was edited directly you would really get that stamp, unless it was forged.

    It's not a cron. I run on a dedicated server and control all cron jobs.

    It is a request-triggered cron, not a true scheduled cron.

  •

    Roger on the cron.

    The Linux file timestamp and the timestamp inside of config.php match.

    That IP is just there if there were manual setting made.

    Could you expand on this? What do you mean if manual settings were made?

    Also, if this is the case, then most sites should have config files that have been over written by a guest user. Have people seen this?

  • hgtonight ∞ · New MVP

    That is a lot of plugins.

    Here is what I would do.

    1. Post a screenshot of your guest role permissions
    2. Search through the plugins folder/files for the function call 'SaveToConfig'
    3. For each one of those hits (should be relatively low <36 my guess) look for a permissions check
    4. Post the names of any plugin you can't find a permissions check on

    P.S. It looks like you have NBBC enabled. Unless you are specifically using it for something, bbcode support is in the core making this plugin redundant.


  • hgtonight ∞ · New MVP

    Plugins that potentially save to config by a non-sessioned user:

    • Karmabank: Structure is potentially called on every request for hot updating the structure
    • MarketPlace: Init calls MarketTransaction::PurgeTransactionMeta(); without checking permissions
    • PurchasePremiumRoles: Structure is potentially called on every request for hot updating the structure
    • Tagging: Discussions/Tagged updates the config without checking permissions

    None of these are security leaks.

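    A static audit in the spirit of steps 2 to 4 above and the per-plugin list in this comment, written for this thread as an added example (not code from Vanilla or from any poster): it finds SaveToConfig call sites and reports the methods that contain no permission check. The sample plugin sources are constructed, and the `->Permission(` / `->CheckPermission(` guard idioms are assumed.

```python
import re

# Constructed sample plugin sources for this example (not real Vanilla plugins).
# GuardedPlugin writes config only behind a permission check; LeakyPlugin writes
# from a public controller hook and from Structure(), the pattern hgtonight describes.
SAMPLE_PLUGINS = {
    "GuardedPlugin/default.php": """<?php
class GuardedPlugin extends Gdn_Plugin {
    public function SettingsController_Guarded_Create($Sender) {
        $Sender->Permission('Garden.Settings.Manage');
        SaveToConfig('Plugins.Guarded.Enabled', TRUE);
    }
}
""",
    "LeakyPlugin/class.leaky.plugin.php": """<?php
class LeakyPlugin extends Gdn_Plugin {
    public function DiscussionsController_Tagged_Create($Sender) {
        SaveToConfig('Plugins.Leaky.LastSeen', time());  // any visitor reaches this
    }
    public function Structure() {
        SaveToConfig('Plugins.Leaky.Version', '1.0');    // may run on every request
    }
}
""",
}

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
SAVE_RE = re.compile(r"\bSaveToConfig\s*\(")
# Assumed guard idioms: $Sender->Permission(...) or Gdn::Session()->CheckPermission(...).
PERMISSION_RE = re.compile(r"->Permission\(|->CheckPermission\(")

def function_bodies(src):
    """Yield (method name, body) pairs, matching braces from each 'function' header."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def audit(sources):
    """Return (path, method) for each SaveToConfig call site with no permission check.
    Every hit still needs a human look; a Structure() write may be harmless, but it
    explains a config rewrite stamped 'Unknown' with a guest's IP."""
    findings = []
    for path, src in sources.items():
        for name, body in function_bodies(src):
            if SAVE_RE.search(body) and not PERMISSION_RE.search(body):
                findings.append((path, name))
    return findings
```

    Run it against a real plugins folder by loading each .php file into the dictionary instead of the constructed samples.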

  •

    Here is an fgrep of SaveToConfig:

    ./PurchasePremiumRoles/default.php: SaveToConfig('Plugins.PurchasePremiumRoles.Version', $this->PluginInfo['Version']);
    ./MarketPlace/class.markettransactionmodel.php: SaveToConfig(array('Plugins.MarketPlace.MetaPurgeLast'=>time()));
    ./MarketPlace/default.php: SaveToConfig($Settings);
    ./MarketPlace/default.php: SaveToConfig($Settings);
    ./MarketPlace/default.php: SaveToConfig($Settings);
    ./MarketPlace/default.php: SaveToConfig('Plugins.MarketPlace.Version', $this->PluginInfo['Version']);
    ./MarketPlace/default.php: SaveToConfig(array('Plugins.MarketPlace.Gateway.PayPal.Account'=>C('Plugins.PremiumAccounts.PayPalAccount'),'Plugins.MarketPlace.Gateway.PayPal.AccountType'=>C('Plugins.PremiumAccounts.AccountType')));
    ./embedvanilla/class.embedvanilla.plugin.php: SaveToConfig('Plugins.EmbedVanilla.RemoteUrl', $RemoteUrl);
    ./PM/class.pm.plugin.php: SaveToConfig('Plugin.PM.Text', 'PM');
    ./RoleBadges/class.RoleBadges.plugin.php: SaveToConfig( 'Plugins.RoleBadges.BadgeLocation', '1' );
    ./RegisterPM/default.php: SaveToConfig("RegisterPM.ThePM", "Hey! Welcome to our forums!");
    ./StopForumSpam/class.stopforumspam.plugin.php: SaveToConfig('Plugins.StopForumSpam.UserID', $UserID, array('CheckExisting' => TRUE));
    ./FilterStar/class.filterstar.plugin.php: SaveToConfig('Plugins.FilterStar.Replacement', '');
    ./Flagging/class.flagging.plugin.php: SaveToConfig('Plugins.Flagging.NotifyUsers', array_values($NotifyUsers));
    ./Flagging/class.flagging.plugin.php: SaveToConfig('Plugins.Flagging.Enabled', TRUE);
    ./GettingStarted/default.php: SaveToConfig($Step, '1');
    ./VanillaSEO/class.vanillaseo.plugin.php: SaveToConfig('Plugins.SEO.DynamicTitles.'.$field, $Sender->Form->GetValue($field));
    ./VanillaSEO/class.vanillaseo.plugin.php: SaveToConfig('Plugins.SEO.Enabled', TRUE);
    ./Voting/class.voting.plugin.php: SaveToConfig('Plugins.Voting.Enabled', C('Plugins.Voting.Enabled') ? FALSE : TRUE);
    ./Voting/class.voting.plugin.php: SaveToConfig('Vanilla.Comments.AutoOffset', TRUE);
    ./Voting/class.voting.plugin.php:// SaveToConfig('Vanilla.Categories.Use', FALSE);
    ./Voting/class.voting.plugin.php:// SaveToConfig('Vanilla.Comments.AutoOffset', FALSE);
    ./UsersOnline/class.usersonline.plugin.php: SaveToConfig('Plugin.UsersOnline.ExpLength', 'num5');
    ./UsersOnline/class.usersonline.plugin.php: SaveToConfig('Plugin.UsersOnline.MsgTxt', 'users online');
    ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.CommentShowBalance',$FormValues['CommentShowBalance']);
    ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.StartingBalance', number_format(GetValue('StartingBalance',$FormValues),2,'.',''));
    ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.Enabled',TRUE);
    ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.Enabled',FALSE);
    ./KarmaBank/default.php: SaveToConfig('Plugins.KarmaBank.Version', $this->PluginInfo['Version']);
    ./BotStop/class.BotStop.plugin.php: SaveToConfig('Plugins.BotStop.Question', 'What is three plus three?');
    ./BotStop/class.BotStop.plugin.php: SaveToConfig('Plugins.BotStop.Answer1', '6');
    ./BotStop/class.BotStop.plugin.php: SaveToConfig('Plugins.BotStop.Answer2', 'six');
    ./SplitMerge/class.splitmerge.plugin.php: SaveToConfig('Vanilla.AdminCheckboxes.Use', TRUE);
    ./Quotes/class.quotes.plugin.php: SaveToConfig('Garden.Html.SafeStyles', FALSE);
    ./Signatures/class.signatures.plugin.php: SaveToConfig('Plugins.Signatures.Enabled', C('Plugins.Signatures.Enabled') ? FALSE : TRUE);
    ./Twitter/class.twitter.plugin.php: SaveToConfig($Settings);
    ./Formatting/class.formatting.plugin.php: SaveToConfig('Plugins.Formatting.Enabled', TRUE);
    ./Formatting/class.formatting.plugin.php: SaveToConfig('Plugins.Formatting.Enabled', FALSE);
    ./Pockets/class.pockets.plugin.php: SaveToConfig('Plugins.Pockets.ShowLocations', TRUE);
    ./Pockets/class.pockets.plugin.php: SaveToConfig('Plugins.Pockets.ShowLocations', FALSE, array('RemoveEmpty' => TRUE));
    ./Pockets/class.pockets.plugin.php:// SaveToConfig('Plugins.Pockets.ShowLocations', $ShowLocations);
    ./Tagging/class.tagging.plugin.php: SaveToConfig(array(
    ./Tagging/class.tagging.plugin.php: SaveToConfig('Plugins.Tagging.Enabled', C('Plugins.Tagging.Enabled') ? FALSE : TRUE);
    ./Facebook/class.facebook.plugin.php: SaveToConfig($Settings);
    ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.SignIn.Popup', FALSE);
    ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticators.handshake.Name', 'VanillaConnect');
    ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticators.handshake.CookieName', 'VanillaHandshake');
    ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticators.handshake.TokenLifetime', 0);
    ./Facebook/class.facebook.plugin.php:// SaveToConfig('Garden.Authenticator.DefaultScheme', 'handshake');
    ./Facebook/class.facebook.plugin.php:// SaveToConfig('Plugins.VanillaConnect.Enabled', TRUE);
    ./Emotify/class.emotify.plugin.php: //SaveToConfig('Plugins.Emotify.FormatEmoticons', TRUE);
    ./Emotify/class.emotify.plugin.php: SaveToConfig('Garden.Format.Hashtags', FALSE); // Autohashing to search is incompatible with emotify

  •

    NOTE: Not all of the above are ACTIVE. Only the ones previously listed.

  •

    Guest Role screenshot

    http://i.imgur.com/E2YyxSV.jpg

  •

    I would wager you are correct about the Tagging plugin being the culprit. The others are not touched enough and when they are, they leave timestamps I can compare to the config file timestamp, which don't match. I could be wrong though.

  •

    But the biggest threat, if you are worried about security, is using an insecure version of Vanilla instead of 2.0.18.10, which would take 5 minutes on an installation that has no core modifications.

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  •

    My bad.... I actually did the upgrade to 2.0.18.10 a while ago.

    Skimmed my config file for the version number, saw this, and posted it
    $Configuration['Conversations']['Version'] = '2.0.18.8';

  • peregrine MVP
    edited February 2014

    For what it's worth, every time I upgrade I look in index.php to find the real version number, and then I go through config.php and update the config.php with the correct version numbers in the following statements:

    $Configuration['Conversations']['Version'] = '2.0.18.8';
    $Configuration['Garden']['Version'] = '2.0.18.8';
    

    to reflect the real version I am using.

    Some plugins may try to get the version of Vanilla via config.php (which is not the greatest idea, since the version in config.php is not auto-updated) instead of using a version function.

    By updating the config.php to reflect correct versions, you are more consistent and less prone to potential problems with plugins that might use the read-config-for-version method instead of using a version function to get the version. Although a plugin reading config to get the version number would be a bad way to go anyway, since it is not auto-updated with version numbers.

  •

    Good to know! Last thing I need is side effects after an upgrade like that.

    I'll update my config file. THANKS!
