htaccess hacked in v1.4.1.6

daviding

Last month, I resolved the hack of my Zenphoto site (and the rest of my web site) through the upgrade to v1.4.1.6 .

Yesterday, I noticed that my Zenphoto site was being redirected, and looked at the .htaccess. At the beginning of .htaccess was ...

>> RewriteRule ^(.*)$ [removed by moderator]

... and the end, lines like ...

>> ErrorDocument 404 [removed by moderator]
I've corrected the problem by removing the offending lines (making doubly sure by copying the .htaccess from another of my Zenphoto web sites) and clearing the cache in my browser. For now, all is well.

Looking at .htaccess via SFTP, I wouldn't have suspected that it had been hacked, as the file still had a date of Dec. 11 (about when I fixed all of these issues).

My question: The permissions of .htaccess seem to be 644. Can/should I change this to something more restrict to preclude such hacks?

I know that 1.4.2 is about to be released. Since I don't appreciate the source of this hack -- I already fixed that TinyMCE issue -- I don't know whether this case is something that will or won't be resolved in the upgrade.

The thread "Zenphoto 1.4.1.6 security update released" at http://www.zenphoto.org/support/topic.php?id=9960 was previously helpful on fixing the TinyMCE issue.

Thanks for your efforts with Zenphoto.

sbillard

Changing the permissions would not have detered the hack as it can just change them to what it wants. 0644 is a pretty secure setting. Any more secure would require testing to see if your server still works with the file.

I really do not understand your questsion about the 1.4.2 upgrade. First the problem has almost nothing to do with TinyMCE--it was a vulnerability of a third party plugin to that software that was used independently of TinyMCE. At any rate, we believe that the hack is not possible with the 1.4.2 release.

daviding

sbillard, I was curious about how the hack might have gotten in.

Since I did the upgrade in December to 1.4.1.6, I now have the experience with .htaccess to resolve the issue. My general nature is to do problem determination, but since the 1.4.2 upgrade is so close to final release, and it takes minutes for me to edit the .htaccess , I'm disinclined to spend more time on this.

You've answered my question that 0644 should be okay. I still don't know how the .htaccess got hacked, but should be satisfied to leave it as a mystery for now.

sbillard

If your .htaccess file has been hacked, it will not be "fixed" by the 1.4.2 update. We do not replace "modified" .htaccess files as it would normally de-implement things our users inteneded.

The hack has been discussed on the forum, so if you want more details please search for these discussions. Basically, the AjaxFilemanager software had no access security, so the hacker was able to make a direct link to its functions and use it to upload and run malicious files.

acrylian

The related topics can easily be found we the security posts on the news section.