Support Forum

Emergency!
Tal
Member
Free Members
May 4, 2012 - 9:53 am

Ok... I just got a PM from one of my members saying they'd had trouble logging in, with their password being rejected. They shut down their browser, cleared cache, came back, and logged in successfully, but could see ALL of the forums, including those only members of specific groups should see. I checked, and even when LOGGED OUT guests can see ALL of our private forums!

I haven't changed anything, no new plugins, nothing different on the forums.. I've had to disable the forums completely because I can't risk members of the public seeing the private forums we have set up.

Help! 

I can't even check settings or anything because I've had to deactivate the plugin.

Tal
Member
Free Members
May 4, 2012 - 10:30 am

Looks like my host upgraded my theme framework (Genesis) without my permission, I'm guessing that's what's triggered this problem.

Mr Papa
Simi Valley, CA
SP Master
Free Members
May 4, 2012 - 11:40 am

odd. not sure what the interaction there would be...  let us know what you find...

Tal
Member
Free Members
May 4, 2012 - 11:48 am

Host said nothing about the Genesis update should have caused a problem

There should be no correlation between these as the updated file had a single line that was improperly escaped. The addition of the "escaping" is simply a cleansing feature IF someone were to inject something bad. It would not impact current functionality especially if you were already on 1.8.

Tal
Member
Free Members
May 4, 2012 - 2:37 pm

Quick update on the issue: I had my server roll back the Genesis update, I reinstalled the forums, made sure all the permissions were working as normal, then I updated Genesis theme framework and all is good. So I have NO idea what happened, but it sure was scary to have all the private sections on my forum suddenly available to the public, so if you have any idea whatsoever what could have possibly caused this to happen please do let me know!

Mr Papa
Simi Valley, CA
SP Master
Free Members
May 4, 2012 - 4:02 pm

no clue really...  never had anything happen like that...  assume you had checked the permissions?

reinstalled the forum??  that would lose your data... do you just mean you reactivated it?

to be safe, I would run a check of your server and make sure it hasn't been hacked...

Tal
Member
Free Members
May 4, 2012 - 9:52 pm

Yeah, I had checked the permissions, they hadn't changed

I mean reloaded all the forum files

No signs whatsoever of the forums having been hacked, and my host's security settings are overly strict so it's unlikely anything has slipped by us.

It's all still working fine so ... *shrugs*

Yellow Swordfish
Glinton, England
SP Master
May 5, 2012 - 4:12 am

One thing I would say is that during any updating process - be it theme, plugins or whatever - there is always a small window of instability where the likelihood that code will break is extremely high. Someone accessing a site that has half an update applied and is in the process of applying the other half could lead to issues. I am a firm believer in the use of plugins like 'Maintenance Mode' to restrict access during any update. And SP itself, as you will know, will not load itself when an update is in progress.

FidoSysop
Clearwater Florida
Member

VIP
May 5, 2012 - 6:34 pm

For security's sake, be sure your wp-config.php permissions are set at 400. Read only for the owner.

If someone can read your config file they might gain access to your database.

Also be sure your db log in and pw are not the same as your admin log in.

  • Doc ~ An old Fidonet SysOp. Just hanging out in cyberspace keeping up with tech.
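
The checks suggested in the post above, as an added example that is not part of the original thread: a shell function that reports when wp-config.php is not mode 400 and when DB_USER matches a WordPress admin login. The function names and the admin-login argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit wp-config.php as the post advises.
# Usage: sh audit.sh /path/to/wp-config.php [wp_admin_login]
# The admin login is supplied by the caller; it is not read from WordPress.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the value of a define('NAME', 'value') constant in wp-config.php.
wp_constant() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 when no finding is reported, 1 when at least one is, 2 on error.
audit_wp_config() {
    cfg=$1
    admin_login=${2:-}
    findings=0
    [ -f "$cfg" ] || { echo "not found: $cfg" >&2; return 2; }

    # 400 = read-only for the owner, nothing for group or others.
    mode=$(file_mode "$cfg")
    if [ "$mode" != "400" ]; then
        echo "FINDING: $cfg is mode $mode, expected 400"
        findings=$((findings + 1))
    fi

    # The database account should not reuse the WordPress admin login.
    db_user=$(wp_constant "$cfg" DB_USER)
    if [ -n "$admin_login" ] && [ "$db_user" = "$admin_login" ]; then
        echo "FINDING: DB_USER is the same as the admin login"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_wp_config "$@"
fi
```

A finding on the mode is cleared with `chmod 400 wp-config.php`, provided the file is owned by the account PHP runs as.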
Tal
Member
Free Members
May 5, 2012 - 6:40 pm

Double checked wp-config just to be sure, it's all good LOL

Would ANYONE use the same login details for their DB as for WP? really? LOL
