
Suspected Vulnerability Error

edited July 2006 in Vanilla 1.0 Help
I installed filebrowser on a friend's directory, to get her a simple gallery, and not soon after doing so, her index.html was replaced (either that, or one showed up) using javascript which caused the page to jump all around, and had information on it that indicated her account on the server had been compromised.

http://viki.anim8or.org/evidence/index.html

is the index file. So far, superficial examinations of the file and the directory have pointed to nothing malicious; it appears as if he came in through an exploit in Filebrowser and simply created an HTML file that makes pages jump around. We've contacted the administrator (another friend of ours) to see if this has anything to do with an old version of PostNuke which we were using at the time I installed Filebrowser, if that is the source of the vulnerability. I would like to request that this is looked into, however, on the application end of things, typical troubleshooting procedure. I'm sure some of you guys know how it is.

Thanks in advance,
Dave

Comments

  • Mark (Vanilla Staff)
    I am unaware of any vulnerabilities in the Filebrowser. It doesn't allow uploading of files. All file manipulation (through the thumbnailer) is done using php built-in functions that can only be used to resize images and save them. There is almost no user-input allowed in the filebrowser other than integers that get passed in the querystring and are forced into an integer type.

    The short scoop is that I can't possibly see how the filebrowser could be responsible. If you find that it is the filebrowser, I'd love to hear how it was accomplished.
  • edited July 2006
    We've contacted the administrator (another friend of ours) to see if this has anything to do with an old version of PostNuke which we were using at the time I installed Filebrowser, if that is the source of the vulnerability.
    DING DING DING DING DING

    PostNuke is notoriously insecure, especially the old versions. Our old PN site was continuously compromised, a problem which magically went away once we switched to wordpress and vanilla.