Simple Machines Community Forum

Archived Boards and Threads... => Archived Boards => SMF Feedback and Discussion => Topic started by: Scferg - February 10, 2008, 12:31:12 AM

Title: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 12:31:12 AM
Um... It was pointed out to me by somebody that if you type in:
FORUM-DIRECTORY/index.php~ it'll reveal the whole index.php source.

Did I miss something and should have deleted it?
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 12:34:14 AM
Well, when I type it in for my forum...it shows the whole code.... like I described

In my forum directory, there's an index.php~ file
Title: Re: Vulnerability??!!
Posted by: vbgamer45 - February 10, 2008, 12:37:45 AM
It depends on your server configuration, and for some configurations it may allow those files to be displayed. This normally is not a security issue unless you have passwords or other information that you wish not to share in those files. The ~ are only created if a mod/upgrade package updates those files.
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 12:38:29 AM
It is chmodded to 666. And it won't allow me to change the permissions. Should I delete it?
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 12:39:23 AM
I'll just back those files up, delete them and see what happens.
Title: Re: Vulnerability??!!
Posted by: vbgamer45 - February 10, 2008, 12:41:21 AM
I wouldn't delete them; then you can't uninstall the mods.
It really isn't a security issue unless you have custom code you do not want to share, since anyone can download a copy of the SMF code.
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 12:42:23 AM
Is there any way I could just hide them from the public?
Title: Re: Vulnerability??!!
Posted by: vbgamer45 - February 10, 2008, 12:44:19 AM
Might want to talk to your host about their configuration if they can block ~ files from being shown or write an htaccess script to deny access to them.
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 12:46:30 AM
Ok, thanks!

I was panicked for a bit :P
Title: Re: Vulnerability??!!
Posted by: Grudge - February 10, 2008, 04:54:00 AM
For info you can disable backups from the packages -> options menu if you prefer.
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 01:18:11 PM
Ok, thanks
Title: Re: Vulnerability??!!
Posted by: 青山 素子 - February 10, 2008, 01:34:51 PM
If you are on Apache and can use an htaccess file, adding this should stop external access of the files:


<FilesMatch "\.(php~)$">
Order Allow,Deny
Deny from all
</FilesMatch>


Note I didn't get a chance to test this.

Also, being able to see the source of these backup files isn't a security issue in and of itself. It only becomes an issue if you embed passwords and the like in the SMF source, which is a very bad practice.
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 01:36:42 PM
I checked through that whole code for passwords. I know I didn't add anything into that code, but I just wanted to make sure.
Title: Re: Vulnerability??!!
Posted by: 青山 素子 - February 10, 2008, 01:39:12 PM
The only file that SMF uses to store info for database passwords is Settings.php, and it is backed up to Settings_bak.php to prevent the contents from being shown.

As a warning, if you use an editor directly on the shell of the server, some programs will create a similar backup. This means if you edit Settings.php directly on the server, you might encounter an issue. Just remember to check afterwards if you do this.
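
Added example, not part of the original thread or SMF's own code: a POSIX shell check for the "check afterwards" step above, listing every backup copy ending in ~ under a forum directory and flagging those that mention a password or are world-writable. The function names, the "passw" search string and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a forum directory for "~" backup copies.

# list_backup_copies DIR
# Prints "<content> <mode> <path>" for every regular file ending in "~".
#   content: SECRET if the file contains "passw" (any case), else plain
#   mode:    world-writable if the "other" write bit is set, else mode-ok
list_backup_copies() {
    dir=$1
    find "$dir" -type f -name '*~' | sort | while IFS= read -r f; do
        if grep -qi 'passw' "$f"; then
            content=SECRET
        else
            content=plain
        fi
        # find evaluates -perm on the single path it is given
        if [ -n "$(find "$f" -perm -0002)" ]; then
            mode=world-writable
        else
            mode=mode-ok
        fi
        printf '%s %s %s\n' "$content" "$mode" "$f"
    done
}

# make_sample_tree
# Builds a constructed forum tree in a temp dir and prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/Sources"
    echo '<?php // live file' > "$t/index.php"
    echo '<?php // package backup' > "$t/index.php~"
    echo '<?php // package backup' > "$t/Sources/Load.php~"
    # Simulates an editor backup left after editing Settings.php in place
    echo "<?php \$db_passwd = 'constructed-example';" > "$t/Settings.php~"
    chmod 666 "$t/index.php~"
    chmod 644 "$t/index.php" "$t/Sources/Load.php~" "$t/Settings.php~"
    printf '%s\n' "$t"
}

# Demo on the constructed tree
sample=$(make_sample_tree)
list_backup_copies "$sample"
rm -rf "$sample"
```

Run it as list_backup_copies /path/to/forum after package installs or in-place edits; any SECRET line is a file to move out of the web root or block with a rule like the FilesMatch one posted above.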
Title: Re: Vulnerability??!!
Posted by: Scferg - February 10, 2008, 01:42:10 PM
Ok -- thanks!