I found yet another security hole on our site, a 'leftover' from the hacker attack our and loads of other forums/sites were exposed to almost a year ago. It was a quite serious attack, including the creation of several new, fake admin accounts, hijacking of our announcement feature etc. But after this last change, even McAfee has approved our forum (as you can see if you use a McAfee plugin with your browser).
The hole I found was a so-called symlink situation, where external users at least in theory could get access to some of the files on our site which were not in the public area. I write 'in theory', because all they could see, as far as I could tell, was either a white/blank page or an error message telling them to contact the admins and let them know how they got this message.
At any rate – this is good news.
To admins of other forums: When updating the site, I set Transmit, which I use for that kind of work, to merge new files into existing folders, meaning that the old folders weren't overwritten. The main reason for this was to keep compatibility with old modifications (like e.g. the custom skins we have used) intact. With a different setting, one which would overwrite a folder with a new folder, this problem would have been fixed a long time ago, because the folder which contained an alias (symbolic link) to the non-public area would have been removed. Unfortunately, none of the many experts in this area warned me about this possible problem, and if I had had good knowledge about hacking, servers etc., I should of course have known this anyway...
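For other admins who deploy with a merge setting, the practical check is to walk the web root and list every symbolic link whose target resolves outside it. The script below is an added example, not code from the post or from Transmit; it builds a constructed throwaway layout (a `public_html` tree with a leftover link into a sibling `private` tree, plus a harmless link that stays inside the web root) and reports only the escaping link. The folder and file names are assumptions for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path


def find_escaping_symlinks(web_root):
    """Return sorted (link relative to web_root, resolved target) pairs for
    every symlink under web_root whose target lies outside web_root."""
    root = Path(web_root).resolve()
    hits = []
    # followlinks=False: symlinked directories are listed but never descended,
    # so a link pointing back into the tree cannot cause an endless walk
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole link chain
            try:
                target.relative_to(root)  # inside the web root: fine
            except ValueError:
                hits.append((str(p.relative_to(root)), str(target)))
    return sorted(hits)


def build_demo_tree():
    """Construct a sample layout (constructed data, not a real site):
    <tmp>/private/config/db.php        non-public area
    <tmp>/public_html/skins/old/cfg    leftover link -> private/config
    <tmp>/public_html/style.css        harmless link inside the web root"""
    base = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    private = base / "private"
    public = base / "public_html"
    (private / "config").mkdir(parents=True)
    (private / "config" / "db.php").write_text("<?php // constructed sample\n")
    (public / "skins" / "old").mkdir(parents=True)
    (public / "skins" / "old" / "style.css").write_text("/* sample */\n")
    # the 'leftover' that a merge deploy keeps and an overwrite deploy removes
    os.symlink(private / "config", public / "skins" / "old" / "cfg")
    # a link that does not leave the public area
    os.symlink(public / "skins" / "old" / "style.css", public / "style.css")
    return base, public


def demo():
    """Build the sample tree, scan it, clean up, return the findings."""
    base, public = build_demo_tree()
    try:
        return find_escaping_symlinks(public)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for link, target in demo():
        print(f"escaping symlink: {link} -> {target}")
```

Run it against a real site by calling `find_escaping_symlinks("/path/to/public_html")`; any line it prints is a link that a merge-style deploy has been preserving and that should be deleted or replaced by the plain folder from the current release.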