config.xml settings changed randomly - security issue?

**m0rgulvale** · 08-01-2010 08:12 PM

hi, i am using the latest vbseo and today somehow my config.xml got modified, changing all of my URL structure settings. the file had not been modified for over a few months (when i had authorized the change before). i have a very very long and secure password (and just changed it anyways)

the file was chmod 644 before

i have now chown'ed it to root:root so it can't be written to

is there any logical reason for my settings being randomly changed, assuming it was not a security issue?

i am positive i haven't changed any of the settings myself

i ran this command to look thru the logs:

[root@lazarus logs]# cat access_log | grep vbseo | grep php

some tor server ip here - - [01/Aug/2010:18:14:10 -0400] "POST /vbseocp.php HTTP/1.1" 200 6654
some tor server ip here - - [01/Aug/2010:18:14:26 -0400] "POST /vbseocp.php HTTP/1.1" 200 6654

^ this wasn't me. but is there any way to tell from the POST if this was a login attempt, and if so, was it successful?

please advise
thx

**rocket468** · 08-01-2010 11:13 PM

I have had the same issue with my config file changing. any idea whats going on here? I logged into my site yesterday and the config file was changed. I manaul changed them all and now they got changed again from my settings.

**m0rgulvale** · 08-01-2010 11:16 PM

hey rocket looks like im not alone here

are u also running 3.8.6 pl 1 and the latest vbseo?

vbseo team, any idea what is going on here? for time being i have chowned the config.xml root:root so it can;t be changed

**graham_w** · 08-02-2010 01:36 AM

Yep same thing for me. The config file looks like it was defaulted. I uploaded a backup I had but strange that it has happened to a number of people at the same time.

Running vbulletin 4.0.5 and the latest vbseo.

**Brian Cummiskey** · 08-02-2010 01:47 AM

If you have any logs that can help us identify a possible issue, please submit them via ticket.

As vbseo settings as saved in the vb datastore table (config.xml is merely a 'transport' layer) it could be nearly anything that let them in to effect your database.

**bollie** · 08-02-2010 01:58 AM

Here vbsoe also stopped working the settings were changed. Now all urls in google changed. I have the right settings to place.

**Oleg Ignatiuk** · 08-02-2010 02:22 AM

Hello,

Here vbsoe also stopped working the settings were changed. Now all urls in google changed. I have the right settings to place.

make sure that you had set permissions for config.xml file back to 0644 after configuring vBSEO, as described in vBSEO's readme.html:

# For security purposes CHMOD 644 your 'vB-root/vbseo/resources/xml/config.xml' file after configuring vBSEO.

**graham_w** · 08-02-2010 02:34 AM

Mine was set and is still set at 644.
I have a time and date and now looking through the logs for some info.

**Oleg Ignatiuk** · 08-02-2010 02:48 AM

Perhaps the file was still writable with these permissions (that might happen for instance when apache is running under the same user as your (s)ftp login).

**chronos** · 08-02-2010 02:49 AM

Same thing here.... what's going on?

I don't really know what I'm looking at when I check my config.xml file, but the permissions are set to 644.

**graham_w** · 08-02-2010 03:19 AM

Originally Posted by Oleg Ignatiuk

Perhaps the file was still writable with these permissions (that might happen for instance when apache is running under the same user as your (s)ftp login).

ie when using suphp or similar ?

I've submitted a ticket with some access logs which appear to be related to the change.

**Oleg Ignatiuk** · 08-02-2010 04:23 AM

Update: this security issue may take place in case if the *write permissions were not disabled* after vBSEO installation, which is described in vBSEO's readme.html as chmod config.xml to 0644, but in some cases file ownership needs to be changed, as mentioned above.

The fix is to update vbseocp.php file:
find:

PHP Code:


if (($fl = $_FILES['file']) && $fl['size'])

replace with:

PHP Code:


if (($fl = $_FILES['file']) && $fl['size']  && vBSEO_CP::$logged_in)

**Ky!** · 08-02-2010 04:57 AM

Some for me todays morning. What beginning of the day ! F+++!

**toon** · 08-02-2010 05:01 AM

Originally Posted by Oleg Ignatiuk

Update: this security issue may take place in case if the *write permissions were not disabled* after vBSEO installation, which is described in vBSEO's readme.html as chmod config.xml to 0644, but in some cases file ownership needs to be changed, as mentioned above.

The fix is to update vbseocp.php file:
find:

PHP Code:


if (($fl = $_FILES['file']) && $fl['size'])

replace with:

PHP Code:


if (($fl = $_FILES['file']) && $fl['size']  && vBSEO_CP::$logged_in)

Is this something we all have to do?

**Ceri May** · 08-02-2010 05:04 AM

Originally Posted by Ky!

Some for me todays morning. What beginning of the day ! F+++!

Revert your settings, make sure that you secure the config.xml file to 644 and make sure the patch that Oleg supplied above is added should never happen again then

.

Should be noted that this exploit only works if you have incorrect security on your server IE you either haven't CHmod the file to 644 or you have Apache running on the same user as your FTP, both are big security risks.

config.xml settings changed randomly - security issue?

LinkBack

Thread Tools

Display

config.xml settings changed randomly - security issue?

Similar Threads

WARNING: Your config.xml is not writable. Settings cannot be saved.

Changed the URL Settings

Custom Redirects for changed URL Rewrite Settings

Posting Permissions