PEAK XOOPS - Re: Installer Attack in englishin japanese

Re: Installer Attack

Target News
Subject インストーラアタック
Summary XOOPS (Cube2.1も) でinstallフォルダを残しておくと、管理画面で警告が出ます。というのも、installフォルダを経由すれば、DBパスワードなどがダダもれになってしまうからです。ただ現実に、アップグレード時にintallフォルダもアップロードしてしまうとか、installフォ...

List posts in the topic

none Re: Installer Attack

msg# 1.1
Previous post - Next post | Parent - No child | Posted on 2007/6/3 17:01 | Last modified
GIJOE  先任軍曹   Posts: 4110
hi tl.


tl wrotes:
Well, if people have been reminded constantly by Xoops Admin and don't even bother to remove the install directory, they may deserve to be attacked and not worthy of Protector protection?

I know several XOOPS sites with '_install' directory.
Attackers can know the sites informations easily via accessing XOOPS_URL/_install/index.php

Of course, there are too many patterns of renaming by users.
(install_, install.bak etc.)
admin.php cannot search all patterns.

Just adding a line checking whether '_INSTALL_CHARSET' is defined or not makes all patterns safe.
(The line is enough light to be ignored)

Thus, I've judged this is worthy code for Protector.
Votes:1 Average:10.00

Posts tree

  Advanced search

Username or e-mail:


Remember Me

Lost Password?

Register now!