1.3.11r3 has security problems

Scott Auge
2007-07-26
2012-10-11
  • Scott Auge

    Scott Auge - 2007-07-26

    I know, I know - it is plenty old.

    A couple of days ago I started noticing a lot of comments from the comment plugin putting in the ole spam to the wiki. Strippers strippers strippers! And vitamins too!

    Then I noticed that if one wanted to add a new page, it would automatically put one to the AddCommentPlugin page - no new pages! It was a battle between my bot and their bot for deleting and adding comment pages. I have a suspicion they had it set up like that so their bot could simply add pages by hitting the site with any name and have an expected input box there.

    I re-installed the old stuff I had tucked in the corner and it is working OK for now - as well as firewalled the IPs that were spamming. I figure one of them was the troublemaker.

    I am doing a more detailed forensic exam and hopefully will come up with something as to what they are pulling off.

    Heads up!

     
    • Reini Urban

      Reini Urban - 2007-07-26

      Every wiki version has "security problems", because the default
      setting is to allow anybody to post. AntiSpam measures have to
      be enabled.

      1.3.11 already has ENABLE_CAPTCHA and ENABLE_SPAMASSASSIN.

      You can also simply disable RPC2.php, plugin/AddComment.php, plugin/WikiBlog.php.
      Esp. when fighting against bots.

       
    • mswlogo

      mswlogo - 2007-10-23

      I removed the AddComment and WikiBlog scripts from the plugin directory; I assume that's how to disable them?

      How do you disable RPC2.php? Should I just remove it? The code inside seems to indicate it's deprecated, so what exactly should be done here?

       
