PhotoPlog
Safe Mode Requirement

#1  cheesegrits (Orange Plog), 10-25-2006, 05:00 AM

I notice that one of the requirements is "safe mode off." Is this new for 2.1.2, or has this always been a requirement for 'plog? The reason I ask is one of our servers got hacked over the weekend, and it looks like running PHP without safe mode was the culprit. So I'm looking at having to enable safe mode on all my sites. I got a couple of them fixed, uploading attachments still works, etc. Even got vbSEO working in safe mode, with a few changes to .htaccess.

But 'plog is installed on the one site I haven't switched to safe mode yet.

What features of 'plog rely on safe mode being off?

-- hugh
#2  Morgan (Head Plog, Admin), 10-25-2006, 05:54 AM

Safe mode being off has always been a requirement. It's just listed again with the other requirements. IMHO if anyone wants a gallery, storing files in a database or restricted directory isn't the way to go, as it's too much overhead or lacks flexibility. Personally speaking, I don't think PHP not in safe mode was the problem with your server being hacked. It's more likely that it was due to a bad script or old version of something or other. PhotoPlog needs safe mode off to process files. If you take a run through the code, it is unlikely, though not impossible as I'm not perfect, that you will find a tainted variable. If you have mod_rewrite abilities, this has always been a gem to stick in an htaccess file:
Code:
Content visible to registered users only.
#3  cheesegrits (Orange Plog), 10-29-2006, 08:40 PM

Morgan - please feel free to move this into a different thread, I really don't want to clutter up the release thread with safe mode discussions!

Code:
Content visible to registered users only.
As long as GUID mode is selected rather than UID mode, there's really nothing that restrictive about safe mode when it comes to file uploading and manipulation. It's just a case of being careful about directory / file ownership and permissions.

Code:
Content visible to registered users only.
There is some fairly clear evidence in the logs that PHP was the culprit in the attack. I run the ISP where the server is located, so I also have all the router and firewall logs covering that time frame, and they all point to the same cause. What concerns me is that the server in question was a fresh, vanilla install of vB 3.6.2 with CMPS 2.1.2. No hacks, mods or other scripts. So I'm trying to find the time to do a full post-mortem, and if necessary talk to the vB or CMPS folk.

Code:
Content visible to registered users only.
So what does this do / protect against?

-- hugh

#4  Morgan (Head Plog, Admin), 10-29-2006, 09:15 PM

It gives an access denied when http:// is part of a query string.
#5  cheesegrits (Orange Plog), 10-29-2006, 09:48 PM
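The rule Morgan posted sits behind the registered-users gate, so what follows is an added example and not the rule from the thread or any PhotoPlog code. It is a small Python emulation of what a `RewriteCond %{QUERY_STRING} ... [NC]` plus `RewriteRule .* - [F]` pair decides, run over constructed query strings. The two regex patterns, the sample requests and the function names are assumptions. It also goes beyond the thread's single case: next to the plain `http://` pattern Morgan describes it shows a stricter variant, and the inputs (other schemes, percent-encoded separators, double encoding, a legitimate URL-valued parameter) on which the two disagree.

```python
import re

# Added example (not the .htaccess rule posted in the thread, which is
# not visible here). The Apache form this emulates would be:
#
#   RewriteEngine On
#   RewriteCond %{QUERY_STRING} http:// [NC]
#   RewriteRule .* - [F]
#
# mod_rewrite tests %{QUERY_STRING} as the client sent it, still
# percent-encoded, so the regex never sees a decoded value.

# Assumed patterns (hypothetical), modelled on "access denied when
# http:// is part of a query string".
NAIVE_PATTERN = r"http://"
# Stricter variant: https and ftp too, and the %-encoded ':' and '/' forms.
STRICT_PATTERN = r"(?:https?|ftp)(?::|%3A)(?:/|%2F){2}"


def rewrite_denies(query_string: str, pattern: str = NAIVE_PATTERN) -> bool:
    """True if `RewriteCond %{QUERY_STRING} <pattern> [NC]` would match,
    i.e. `RewriteRule .* - [F]` would answer the request with 403.

    [NC] makes the match case-insensitive, and a RewriteCond regex is
    unanchored, hence re.search rather than re.match.
    """
    return re.search(pattern, query_string, re.IGNORECASE) is not None


# Constructed sample query strings (not taken from any real log).
SAMPLE_QUERIES = [
    "page=about",                                  # ordinary request
    "page=http://evil.example/shell.txt",          # classic RFI attempt
    "page=HTTP://evil.example/shell.txt",          # upper case; [NC] still catches it
    "page=https://evil.example/shell.txt",         # https: naive pattern misses it
    "page=ftp://evil.example/shell.txt",           # ftp: naive pattern misses it
    "page=http%3A%2F%2Fevil.example%2Fshell.txt",  # percent-encoded: naive misses it
    "page=http%253A%252F%252Fevil.example",        # double-encoded: both miss it
    "return=http://www.example.com/",              # legitimate URL parameter: false positive
]


def audit(queries=SAMPLE_QUERIES, pattern=NAIVE_PATTERN):
    """Return {query_string: denied?} for each sample under one pattern."""
    return {q: rewrite_denies(q, pattern) for q in queries}


def naive_misses(queries=SAMPLE_QUERIES):
    """Queries the strict pattern blocks but the naive one lets through."""
    return [q for q in queries
            if rewrite_denies(q, STRICT_PATTERN)
            and not rewrite_denies(q, NAIVE_PATTERN)]


if __name__ == "__main__":
    print("naive strict  query string")
    for q in SAMPLE_QUERIES:
        naive = "403" if rewrite_denies(q) else "200"
        strict = "403" if rewrite_denies(q, STRICT_PATTERN) else "200"
        print(f"{naive:>5} {strict:>6}  {q}")
```

Two things the table makes obvious: the rule both over-blocks (any parameter that legitimately carries a URL, such as a return address after login, gets a 403) and under-blocks (another scheme, a percent-encoded separator, or double encoding that the application decodes later all slip past, and the stricter pattern still loses on the double-encoded case). It is defence in depth against remote file inclusion, not a fix. The fix is to never pass request data into include/require and, on PHP 5.2 and later, to set allow_url_include=Off; note also that safe mode itself was deprecated in PHP 5.3 and removed in 5.4, so on a current PHP the whole safe-mode question in this thread no longer arises.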

Code:
Content visible to registered users only.
That might help. It's beginning to look like it may have been a cross site hack between vB and openwebmail running on a different virtual domain.

-- hugh
All times are GMT.