RSS Security Hole
March 21, 2008
When we received this e-mail, we knew you would want to read about it:
Recently it has come to my attention that there are some serious security issues with the default RSS to Blog installations.
In my manual I recommend that everyone name the folder RSS2B3. This common folder name is part of the security issue. When your RSS to Blog installation becomes indexed in the search engines it is very easy to find and hack into it even without the password.
One of my customers pointed out to me exactly what hackers are doing when they find RSS to Blog folders. He made a very interesting set of videos that shows step by step how this happens and how to protect yourself.
Here is what I learned by watching his videos …
Anyone who finds your RSS to Blog folder can simply look at the 'settings.php' file or the 'settings' folder from the browser and see all of your blog settings.
If you go to your installation right now and type in http://domain.com/RSS2B3/settings.php or http://rsstoblog.com/RSS2B3/settings/, you will see all of your blog settings, URLs and even passwords. Anyone who can see that file can use that info to log into all of your blogs and do whatever they want. That possibility makes it very important that you update and add the .htaccess file to your folders immediately.
There is a simple way to prevent this. And I am going to explain how.
The first step is to make sure your RSS to Blog folder does not get indexed. Don't link to your installation from forums, or anywhere public.
If you have the RSS to Blog installation on a domain that does not have a front page this is a problem. You should always add an index page to every domain, even if you are only using the domain to host the software. It is not very uncommon for a domain to get indexed even if you never submitted the domain to the search engines. If you do not have an index page on that domain, then every folder on that domain is visible to the world.
The next step is to make your installation harder to find. Name your RSS to Blog folder something other than RSS2B3 or RSS2B or RSS.
You can rename your folder at any time; it will not affect your files, but you will need to change the path in your cron jobs if you choose to rename the folder.
The next step is to use something called an .htaccess file on your server. In this file you can add code that will block people from seeing your settings.php file or the contents of your folders.
I am including a link to a small update that includes the .htaccess file you need for your installations. Download and install it today.
If you need help further understanding anything I wrote here, the customer who told me about this (Eric Grigsby) actually created a set of videos that I thought were very good. They explain exactly how the security flaw was discovered and how to install the .htaccess file in your folder and test it.
If you need to, you can watch Eric's great videos.
If you purchased RSS to Blog in the last few days the security patch has already been put in the package for you. So you do not need to update.
Everyone else should update immediately.
Michelle Timothy
I like that Michelle is proactive on the security front. It gives me a little more confidence in the product, RSS to Blog.
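For readers who want to see what the .htaccess fix described in the e-mail looks like, here is an added example; it is not the patch distributed with RSS to Blog and assumes an Apache web server with AllowOverride enabled for the installation folder (shown as RSS2B3, though the e-mail advises renaming it).

```apache
# --- RSS2B3/.htaccess ---
# Added example, not the vendor's patch. Assumes Apache with AllowOverride
# permitting Options, FileInfo and Limit/AuthConfig in this folder.

# Turn off directory listings so a folder with no index file shows nothing
Options -Indexes

# Refuse browser requests for settings.php; the application itself can
# still include() the file from disk, because this only governs HTTP access
<Files "settings.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# --- RSS2B3/settings/.htaccess ---
# A <Directory> block is not permitted inside .htaccess, so the settings/
# folder gets its own file that denies every request for its contents.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

After uploading both files, request settings.php and settings/ from a browser or with `curl -I` and confirm the server answers 403 Forbidden rather than 200; if it still answers 200, AllowOverride is most likely disabled for that folder and the rules are being ignored.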