Users running a non-download version of Vanilla (pulled from github), on branch release/2019.016 or master from the last 2 weeks should upgrade to release/2019.017 or latest master for security reasons. Downloaded official open sources releases are not affected.
Please upgrade here. These earlier versions are no longer being updated and have security issues.

.txt files with database content in the Uploads folder?

phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

Hi all,

I'm just about to upgrade some of my boards and test the RC1 releases of Vanilla 2.3. While doing that i looked into the /uploads folder of one of my installations and i saw something i can't explain. The /uploads folder contains several .txt files which seems to database content. Whoa?!

Have a look at the screenshot. How did this happen? What crazy script was injected in my board to retrieve that and put in the folder?

Thanx for info,
phreak

  • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
  • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
Tagged:

Comments

  • Which plugins are enabled on this board? And I assume it was running Vanilla 2.2.1 before you wanted to upgrade it?

  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

    Hi Caylus, yes 2.2.1 and the plugins are:

    ActivityPurge
    Advanced Editor
    Bulk Edit
    Conversations Clear Button
    Date Separators
    Discussion Photos
    Flagging Allows users to report content that violates forum rules.
    MentionsLookup
    OnlineNow
    Post Count
    Profile Extenderl
    Quotes
    Signatures
    Spoof
    Stats Box
    Unsubscribe Discussion
    Vanilla Statistic
    Vanillicon

    The board runs now under 2.3rc1. I will see if this behaviour returns.

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    It looks like an export. Have you ever made experiments with Vanilla porter? And I would check Comment.txt to see from when the last comment is in order to see if this might be a real danger or some old tests (maybe something that you only forgot and you could remember when seeing some hints)


    Caylusphreak
  • LincLinc Director of Development Detroit Vanilla Staff
    edited November 2016

    Those text files are consistent with the naming pattern our importer uses when parsing a Porter file. If those files are not being automatically removed at the end of the import, it's a security issue. If there was a reproducible file permission error that prevented their deletion, that should at least be highlighted at the end of the process.

    https://github.com/vanilla/vanilla/issues/4748

    phreak
  • phreakphreak Vanilla*APP (White Label) & Vanilla*Skins Shop MVP

    Thank you @R_J and @Linc. Solved for now. If anything weird pops-up again i let you know.

    • VanillaAPP | iOS & Android App for Vanilla - White label app for Vanilla Forums OS
    • VanillaSkins | Plugins, Themes, Graphics and Custom Development for Vanilla
Sign In or Register to comment.