My site suspended :(
colinut
04-10-2007, 03:38 PM
Hi all,
Just had my website running PP1.5 suspended. Apparently someone placed a phishing app on my space inside the 'images' folder:
/images/bankofamerica/bankofamerica/bankofamerica/onlineid.signin/bankofamerica/online_bofa_banking/e-online-banking/
My host has now removed these files and said that someone must have been able to take advantage of a vulnerability in the software I was using.
I thought it would be my duty to let everyone know and I hope those with more knowledge can look into this and fix PixelPost (if it's the software that's at fault).
Any questions, PM me.
Thanks.
jaywilliams
04-10-2007, 03:52 PM
This was probably caused by having the images folder completely open. (777)
If you can successfully upload images to Pixelpost when the folder is set to 755, by all means do that.
Dennis
04-10-2007, 04:08 PM
To make things clear: this was not an error caused by PixelPost; someone simply used the open folder to place files in there.
Basically, if your setup requires a chmod 777 to function, this is a misconfiguration by your hosting company. However, there are solutions for PixelPost 1.6. I've developed a security addon which enables you to open your folders for writing during upload through FTP and close them after upload.
That way you're safe.
colinut
04-12-2007, 08:43 AM
You guys were right. I've set it to 777 for some reason. Rectified now.
Thanks for support.
colinut
04-12-2007, 09:51 AM
Further problems:
Now it's set to 755 and it says it can't write to it.
Tried to upload an image and got:
"Missing data
You need at least a title for your image, and an image. Please note, that no image was uploaded because of the missing information!"
In the General info I get this:
"Image Directory: ERROR - Images folder not writable!
You must set correct permissions on this folder or you will not be able to upload any images.
Set the folder to chmod 777 (read, write and execute permissions for owner, group and world). Current CHMOD: 0755"
But if I set it back to 777 I'll get suspended again I guess...
How about the Thumbnails folder? Does that have to be 755?
Thanks in advance!
Calin
Dennis
04-12-2007, 11:15 AM
Both folders have to have sufficient rights to write in. If your hosting company messed up so you have to open the folder to 777 then talk to them about it.
If you use 1.6 you can always look at my FTP_security addon.
dhdesign
04-12-2007, 11:18 AM
Try setting the image and thumbnail folder permissions to 775 and see if you can upload an image.
Yes, both the thumbnail and image folders have to have the same permissions level.
colinut
04-12-2007, 11:52 AM
Dear schonhose,
Where do I find the addon?
Thanks
Dennis
04-12-2007, 12:26 PM
Look at my sig. You'll find a nice link there.
Make sure you set all the options in the options page. This should be the ftp info for your blog. Pay special attention to the folder option.
colinut
04-12-2007, 01:12 PM
schonhose you basically rock!!!
I'm overwhelmed by the level of support from all of you guys.
Thanks a million!
So here's my fixed pblog:
http://www.colinut.com
dhdesign
04-12-2007, 01:52 PM
Schonhose -
Does this addon support SFTP as well? The webhost where my photoblog is does not allow regular FTP, only SFTP.
Thanks in advance!
Dennis
04-12-2007, 05:08 PM
What is the difference between SFTP and FTP?
dhdesign
04-12-2007, 05:36 PM
SFTP stands for SSH File Transfer Protocol. You can read more about it at Wikipedia (http://en.wikipedia.org/wiki/SSH_file_transfer_protocol).
Basically, SFTP encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network.
FTP sends everything, including passwords, without any encryption at all.
Dennis
04-12-2007, 05:45 PM
I did a quick search and could not come up with a general way to incorporate SFTP in the addon.
dhdesign
04-12-2007, 08:27 PM
That's okay. I just tried an experiment on this install - set the permissions on images and thumbnails to 775, and I was able to upload an image with no problems. Looks like I won't need the addon to support SFTP after all.
Thanks! :)
Dennis - you can use cURL lib to support SFTP in your addon.
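
The permission problem discussed in this thread, as an added example that is not part of any post or of PixelPost: a small audit that lists world-writable upload folders, flags non-image files inside them, and drops the world-write bit (777 becomes 775). The function names and the sample tree are constructed for illustration, and it assumes the web server can still write through owner or group access.

```shell
#!/usr/bin/env bash
# Added example: audit a photoblog upload folder. Paths and names are constructed.

# List directories at or below $1 that anyone on the host can write to (o+w).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# List files below $1 that are not images. HTML or PHP inside an images
# folder, as in the nested bankofamerica/ path from the thread, is a red flag.
unexpected_files() {
    find "$1" -type f ! \( -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' -o -iname '*.gif' \) -print | sort
}

# Remove the world-write bit from every directory below $1 (777 -> 775),
# leaving owner and group access alone; print how many were changed.
drop_world_write() {
    n=$(world_writable_dirs "$1" | grep -c . || true)
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
    echo "$n"
}

# Build a constructed sample tree: images/ at 777 with a planted page,
# thumbnails/ at 755 with a normal thumbnail.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images/bank/signin" "$root/thumbnails"
    : > "$root/images/photo1.jpg"
    : > "$root/images/bank/signin/index.html"
    : > "$root/thumbnails/thumb_photo1.jpg"
    chmod 755 "$root/thumbnails" "$root/images/bank" "$root/images/bank/signin"
    chmod 777 "$root/images"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(build_demo_tree)
    echo "world-writable:"; world_writable_dirs "$t"
    echo "unexpected files:"; unexpected_files "$t"
    echo "directories tightened: $(drop_world_write "$t")"
    rm -rf "$t"
fi
```

Run it with `--demo` to see the checks on the sample tree; on a real install, call the functions with the path to the images and thumbnails folders and review the listed files before deleting anything.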