
.txt files with database content in the Uploads folder?

Hi all,

I'm just about to upgrade some of my boards and test the RC1 releases of Vanilla 2.3. While doing that I looked into the /uploads folder of one of my installations and I saw something I can't explain. The /uploads folder contains several .txt files which seem to be database content. Whoa?!

Have a look at the screenshot. How did this happen? What crazy script was injected in my board to retrieve that and put in the folder?

Thanx for info,
phreak

  • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
  • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla

Comments

  • Which plugins are enabled on this board? And I assume it was running Vanilla 2.2.1 before you wanted to upgrade it?

  • Hi Caylus, yes 2.2.1 and the plugins are:

    ActivityPurge
    Advanced Editor
    Bulk Edit
    Conversations Clear Button
    Date Separators
    Discussion Photos
    Flagging Allows users to report content that violates forum rules.
    MentionsLookup
    OnlineNow
    Post Count
    Profile Extender
    Quotes
    Signatures
    Spoof
    Stats Box
    Unsubscribe Discussion
    Vanilla Statistic
    Vanillicon

    The board runs now under 2.3rc1. I will see if this behaviour returns.

  • It looks like an export. Have you ever experimented with Vanilla Porter? And I would check Comment.txt to see when the last comment is from, in order to see if this might be a real danger or some old tests (maybe something that you only forgot and could remember when seeing some hints).

  • LincLinc Admin
    edited November 2016

    Those text files are consistent with the naming pattern our importer uses when parsing a Porter file. If those files are not being automatically removed at the end of the import, it's a security issue. If there was a reproducible file permission error that prevented their deletion, that should at least be highlighted at the end of the process.

    https://github.com/vanilla/vanilla/issues/4748
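An added example, not code from this thread or from Vanilla: one way to implement the behaviour described in the comment above, where leftover import files are deleted and any deletion failure is reported instead of being silently ignored. The function name, the report type and the assumption that the import's table dumps are the only top-level .txt files in the uploads folder are hypothetical.

```python
import os
import sys
from pathlib import Path
from typing import Callable, NamedTuple


class CleanupReport(NamedTuple):
    removed: list  # file names that were deleted
    failed: list   # (file name, reason) pairs that must be shown to the admin


def purge_import_leftovers(upload_dir, remove: Callable = os.remove):
    """Delete *.txt files sitting directly in upload_dir and report failures.

    Assumption: the importer's temporary table dumps (e.g. Comment.txt) are
    the only .txt files at the top level of the uploads folder.
    """
    removed, failed = [], []
    for path in sorted(Path(upload_dir).glob("*.txt")):
        if path.is_symlink() or not path.is_file():
            continue  # never follow links or touch directories
        try:
            remove(path)
            removed.append(path.name)
        except OSError as exc:
            # The failure mode from the thread: a permission error must be
            # surfaced at the end of the process, not swallowed.
            failed.append((path.name, f"{type(exc).__name__}: {exc}"))
    return CleanupReport(removed, failed)


if __name__ == "__main__":
    report = purge_import_leftovers(sys.argv[1])
    for name in report.removed:
        print(f"removed  {name}")
    for name, reason in report.failed:
        print(f"WARNING  {name} still in uploads folder ({reason})")
    # A non-zero exit lets a deploy script or cron job notice the leftovers.
    sys.exit(1 if report.failed else 0)
```
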

  • Thank you @R_J and @Linc. Solved for now. If anything weird pops up again I'll let you know.
