On Fri, Mar 11, 2011 at 7:18 PM, Remigiusz Modrzejewski <l...@maxnet.org.pl>wrote:
> Ok, this seems to be pretty bad news. Are you sure that he couldn't just
> push them?

i hope my correction alleviates this concern a bit. It seems to have been done using the anonymous account, which inherited reader's access, which had (for some reason) wiki-write access. That's my current working hypothesis, anyway. i WISH i had had the foresight to make a copy for later analysis before i changed any settings, but i didn't.

In the meantime i've removed some access rights, disabled the captcha (which is probably not really necessary with the wiki/ticket access rights removed), and recovered the spammed wiki pages, but i still have many dozens of bogus tickets i'd like to get rid of. The spamming stopped at the time i changed the access rights, but had been running regularly since Feb 2, at irregular intervals at all times of day/night.

Here is a particularly interesting timeline entry:

2011-02-25
...
21:29 Changes to wiki page HowTo (user: )
07:51 Deleted wiki page download (user: anonymous)

The page deletion specifically marked the anonymous user's name (...wait a minute... i didn't know we could delete pages?) but all of the other wiki/ticket entries show a blank user name.

i don't have any concrete info on how it was done, but if i find anything which might help other users protect their sites i'll post it. So far, removing the ticket/wiki permissions from anonymous seems to have solved the problem. There was a spam a few minutes before i did that, but there hasn't been one since. None of my other repos appear to have been hit and no code was committed via this crack.

-- 
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
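The working hypothesis in the message above, that anonymous gained wiki/ticket write access indirectly through the "reader" pseudo-user rather than through its own capability string, is the kind of thing that is easy to miss when reading the user table one row at a time. The following is an added audit script, not code from the original post or from the Fossil project. It assumes Fossil's documented capability model: the letter 'u' in a cap string pulls in the caps of "reader", 'v' pulls in "developer", every logged-in account also gets "anonymous"'s caps, and everyone gets "nobody"'s. The capability letters used (k = write wiki, f = create wiki, d = delete, n = create tickets, w = write tickets, c = append tickets, b = attachments, i = check-in) are the standard Fossil letters; the user table itself is constructed to mirror the hypothesis and is not the real site's data. In practice you would fill the table from `fossil user capabilities USERNAME` for each account.

```python
"""Audit Fossil capability strings for write rights that reach 'anonymous'
through inheritance, and produce a hardened table that cuts that path.

Added example; assumes Fossil's 'u'/'v'/anonymous/nobody inheritance model
described in the lead-in. The sample user table is constructed, not real.
"""

# Fossil capability letters that let a user modify wiki/ticket/repo content.
WRITE_CAPS = {
    "d": "delete wiki pages and tickets",
    "f": "create wiki pages",
    "k": "write wiki pages",
    "n": "create tickets",
    "w": "write tickets",
    "c": "append to tickets",
    "b": "add attachments",
    "i": "check-in",
}

# Letters that mean "inherit from this pseudo-user" (assumed Fossil model).
INHERIT = {"u": "reader", "v": "developer"}

# Constructed table mirroring the post's hypothesis: anonymous has no write
# letters of its own, but 'u' pulls in reader, and reader carries k/f/n.
SAMPLE_USERS = {
    "nobody": "gjorz",       # clone, read wiki, checkout, read tickets, zip
    "anonymous": "hu",       # hyperlinks + inherit reader  <-- the leak path
    "reader": "jkfrn",       # read/WRITE/create wiki, read/create tickets
    "developer": "dei",
    "alice": "u",            # a legitimate reader-level account
    "stephan": "s",          # setup
}


def effective_caps(users, login):
    """Expand one account's cap string through inheritance.

    Returns {letter: login_that_contributed_it}, so a leak can be traced
    back to the row that actually holds the dangerous letter.
    """
    caps = {}
    visited = set()

    def absorb(name):
        if name in visited or name not in users:
            return
        visited.add(name)
        for c in users[name]:
            caps.setdefault(c, name)
            if c in INHERIT:
                absorb(INHERIT[c])

    absorb(login)
    # Assumed model: everyone inherits nobody; every logged-in account
    # (anything other than nobody/anonymous) also inherits anonymous.
    if login != "nobody":
        absorb("nobody")
    if login not in ("nobody", "anonymous"):
        absorb("anonymous")
    return caps


def anonymous_write_leaks(users):
    """Write capabilities reachable by 'anonymous', with their origin row."""
    return {c: src for c, src in effective_caps(users, "anonymous").items()
            if c in WRITE_CAPS}


def harden_anonymous(users):
    """Return a copy of the table where anonymous and nobody keep only
    non-write, non-inheriting letters. Real accounts (e.g. alice's own 'u')
    are untouched, so reader-level humans keep what they had."""
    fixed = dict(users)
    for login in ("nobody", "anonymous"):
        if login in fixed:
            fixed[login] = "".join(c for c in fixed[login]
                                   if c not in WRITE_CAPS and c not in INHERIT)
    return fixed


def report(users):
    """Human-readable summary of what anonymous can modify and why."""
    leaks = anonymous_write_leaks(users)
    if not leaks:
        return "anonymous has no write capabilities"
    return "\n".join(f"anonymous can {WRITE_CAPS[c]} ('{c}') via user '{src}'"
                     for c, src in sorted(leaks.items()))


if __name__ == "__main__":
    print("before:\n" + report(SAMPLE_USERS))
    print("after:\n" + report(harden_anonymous(SAMPLE_USERS)))
```

The hardened table deliberately removes the inheritance letter from anonymous rather than stripping write letters from reader, which is the same effect the post reports (anonymous loses wiki/ticket rights) without touching accounts that legitimately inherit reader.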