PEAK XOOPS - Re: Installer Attack 
Re: Installer Attack
| Target | News |
| Subject | インストーラアタック |
| Summary | XOOPS (Cube2.1も) でinstallフォルダを残しておくと、管理画面で警告が出ます。というのも、installフォルダを経由すれば、DBパスワードなどがダダもれになってしまうからです。ただ現実に、アップグレード時にintallフォルダもアップロードしてしまうとか、installフォ... |
Re: Installer Attack
msg# 1.1
- depth:
- 1
GIJOE
Posts: 4110
Posts: 4110
hi tl.
Quote:
I know several XOOPS sites with '_install' directory.
Attackers can know the sites informations easily via accessing XOOPS_URL/_install/index.php
Of course, there are too many patterns of renaming by users.
(install_, install.bak etc.)
admin.php cannot search all patterns.
Just adding a line checking whether '_INSTALL_CHARSET' is defined or not makes all patterns safe.
(The line is enough light to be ignored)
Thus, I've judged this is worthy code for Protector.
Quote:
tl wrotes:
Well, if people have been reminded constantly by Xoops Admin and don't even bother to remove the install directory, they may deserve to be attacked and not worthy of Protector protection?
I know several XOOPS sites with '_install' directory.
Attackers can know the sites informations easily via accessing XOOPS_URL/_install/index.php
Of course, there are too many patterns of renaming by users.
(install_, install.bak etc.)
admin.php cannot search all patterns.
Just adding a line checking whether '_INSTALL_CHARSET' is defined or not makes all patterns safe.
(The line is enough light to be ignored)
Thus, I've judged this is worthy code for Protector.
Votes:1
Average:10.00
Posts tree
-
Re: Installer Attack
(tl, 2007/6/3 8:22)
-
Re: Installer Attack
(GIJOE, 2007/6/3 17:01)
-
Login