v1.3 Security hole - deleting \Pages subdir altogether?

Topics: Developer Forum
Aug 27, 2010 at 7:05 PM
Edited Aug 27, 2010 at 7:05 PM

One of our volunteer nonprofit websites is having the \Pages subfolder deleted repeatedly.  Anyone else experience this?  We suspect an ex-employee of the org that was laid off, but I can't figure out how they could delete an entire app_data subfolder? Asp.Net 3.5 with v1.3.0

Aug 28, 2010 at 4:09 AM

You will need to open the site in VS and do a find all search on all files for 'Directory.Delete(' but of course there is many ways to Delete a directory so without knowing the method that was used then perhaps you could check the Global file otherwise I would delete the entire site except for the App_Data folder then updating the site with fresh code.

They could even be doing this via FTP or another means of Remote Access to the server, Even a script that is installed on a server so you could be chasing this for a while.

Aug 30, 2010 at 1:28 AM

Thanks SpiderMaster -

I've tried several adjustments so far.

The one that 'seems' to be working is switching html editing back to fckeditor (but keeping ftb for the rest) and setting ftb delete file, create directory and delete directory settings to "false".  We'll see if it ends up a permanent fix..

Sep 4, 2010 at 10:46 PM

Traced the defacing to 91.205.155.246 (Some world phone service in Israel) - FreeTextBox definitely needs some adjusting.  Here's an example of a url that allowed them to bypass all authentication to both change pictures and also delete App_Data subdirectories:

<domain name>/ftb.imagegallery.aspx?rif=/App_Data/UserImages/Image&cif=/App_Data/UserImages/Image&ftb=ctl00_mainContent_ctl02_txtHtml_ftbEditor

Anyway, I've got the website back on FCKEditor with no more problems so far.. you might try using the url above to check your own v1.3.x website for vulnerability. (All our other sites are running on v1.2.x)