Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

forum hacked/deleted by way of settings.php

edited July 2007 in Vanilla 1.0 Help
my forum was taken down today by someone using a php exploit on settings.php i don't have any better details, unfortunately, thats all the hosting company could tell me. wondering if this is a known issue, and how i can go about preventing it from


  • The only natural weakness in settings.php is if you set 777 permissions on it...but i've a feeling it must have been a little more complex than that. You sure the hosting company have no more information? What was the end result?
  • edited June 2007
    this doesn't sound likely. it's more probably related to this problem.

    (a fix is here)
  • edited June 2007
    Or here.

    It seems we have an epidemic of extensions continously updating the configuration file. What extensions do you have installed? I'm sure one of them has this nasty habit.
  • OK, maybe this isin't an epidemic. I searched 100 extensions that I have on hand and only discussion view counters seems to misbehave.

    ithcy's link for a fix would solve that problem as well as any others that might be around.
  • OK, I'm sorry my extensions were shoddily coded - I'm learning. Still they're all updated now, so they shouldn't cause this any more...
  • In fairness, as someone pointed out in another thread, if this was covered in the Core it would help dramatically. I'll drop mark a line..
  • settings.php is not meant to be changed on every load, that's why there is no locking built for it.
  • No it's not meant to be changed every load, but if Mark can relatively easily prevent extension authors from killing Vanilla, this has surely got to be a good thing no?
  • Thought it would be good to plug this proposed fix again, since the fix ithcy linked to wouldn't prevent the bug if some extension decides to write a counter variable or something constantly changing to settings.php.

    Its not exactly locking, but would prevent one Vanilla page load from trying to read settings.php while another instance is trying to write changes.
  • Perhaps some combination of the two fixes can produce one fix to rule them all?
  • sorry for the delay in reply, was out of town. this is the list of extensions i have installed: Custom Styles 2.0 Dice Roller 0.4.1 Extended Text Formatter 1.0 Html Formatter 1.5 Legends 1.0 Mint Stats plugin 1.0 Quotations 1.5 Theme Switcher 0.1 Transmogrifier 1.2 Whisper Notification 0.1 Who's Online 1.1 i'll check out the proposed fix. i was told it was a php exploit hack by the sysadmin of my hosting company, but the last couple emails we've traded have done little to encourage my confidence in his abilities, so this sounds like a much more probable explanation.
  • That's one seriously old version of Html Formatter... might be worth updating your extensions before you do anything else.
This discussion has been closed.