.txt files with database content in the Uploads folder?

phreak

Hi all,

I'm just about to upgrade some of my boards and test the RC1 releases of Vanilla 2.3. While doing that i looked into the /uploads folder of one of my installations and i saw something i can't explain. The /uploads folder contains several .txt files which seems to database content. Whoa?!

Have a look at the screenshot. How did this happen? What crazy script was injected in my board to retrieve that and put in the folder?

Thanx for info,
phreak

Caylus

Which plugins are enabled on this board? And I assume it was running Vanilla 2.2.1 before you wanted to upgrade it?

phreak

Hi Caylus, yes 2.2.1 and the plugins are:

ActivityPurge
Advanced Editor
Bulk Edit
Conversations Clear Button
Date Separators
Discussion Photos
Flagging Allows users to report content that violates forum rules.
MentionsLookup
OnlineNow
Post Count
Profile Extenderl
Quotes
Signatures
Spoof
Stats Box
Unsubscribe Discussion
Vanilla Statistic
Vanillicon

The board runs now under 2.3rc1. I will see if this behaviour returns.

R_J

It looks like an export. Have you ever made experiments with Vanilla porter? And I would check Comment.txt to see from when the last comment is in order to see if this might be a real danger or some old tests (maybe something that you only forgot and you could remember when seeing some hints)

Linc

Those text files are consistent with the naming pattern our importer uses when parsing a Porter file. If those files are not being automatically removed at the end of the import, it's a security issue. If there was a reproducible file permission error that prevented their deletion, that should at least be highlighted at the end of the process.

https://github.com/vanilla/vanilla/issues/4748

phreak

Thank you @R_J and @Linc. Solved for now. If anything weird pops-up again i let you know.