11-18-2008, 06:04 PM   #49
f.montoya
Hall Of Famer
Join Date: Nov 2004
Posts: 6,076
Quote:
Originally Posted by Getch
Hey guys,

I found a way to be able to edit files on the server from OOTPOU. It doesn't require being logged in either. I will patch it up as well as try to find other similar ways of doing it.

Of course, this might not be how he pulled it off. You'd only figure it out by staring at my code until you saw how you could hack the URL to do it. But, I was able to create a file on the file system, so it should be fixed.
Nice going, Getch!! Usually a hack job like this past week's is just someone who doesn't stare at code (even though it's available if he really wanted to find it) but just throws out a bunch of things until something works, or until all attempts fail, and then he moves on. He obviously knows the file hierarchy within forum software and never directly attacks his doorway.

As an update, it turns out that the 5th league that uses OOTPOU, the one that didn't get hit, was hiding all links to the utility from the public. Login and account verification via Mambo was necessary before the links, including login, were shown. Although the URLs themselves were public, at first glance the hacker intent on using OOTPOU may have thought it didn't exist and moved on.

Anyway Getch, a quick Google on iframes and other injection methods could give you the same kind of list that the bad guy is using. That may also help.

Thanks again! We certainly appreciate your looking into this.
__________________
Fidel Montoya

Asahi2 Baseball League ex-Commissioner(Historical League Since 2004)
Ex-Web Host
Current Mod Maker??