ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Code is being injected into page from somewhere.

February 04, 2011 3:09am

  • #1 / Feb 04, 2011 3:09am

    KeithW

    138 posts

    [ I have omitted our <domain> but can send it in a PM ]
    Our site is running the latest EE 1.7.0. Quite a long time ago the site was hacked.
    I don’t know if the current problem has anything to do with that, but Google AdWords
    said that “Ads are not displaying because the page appears to contain malicious code”.
    Looking at the page source for the top page of the site, I could see comments like

    <!--
    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
             xmlns:trackback="http://madskills.com/public/xml/rss/module ... /trackback/"
             xmlns:dc="http://purl.org/dc/elements/1.1/">
    <rdf:Description
        rdf:about="<domain>/index.php/site/comments/74/"
        trackback:ping="<domain>/index.php/trackback/74/"

    This code was not in either the template or the weblog data.

    I turned off comments and trackbacks for all our weblogs, and the above disappeared.

    We are using a differently-named group (not “site”) as our default, but I am horrified to find
    that the original default “site” group top page is displaying at <domain>/index.php/site/.
    What is horrifying is that this “site” template displays a link to a <domain>index.php/member/login/
    member login page, with a message that “This page is only accessible to logged-in users
    with proper access privileges” (which is obviously not true here)—and displaying
    a log-in page to anyone who may pass by encourages hackers to try to log in.
    Of course I can delete the original (sample) “site”-group templates that came with EE,
    but surely they should not be displaying?
    Surely <domain>index.php/member/login/ should not be displaying by default either?
    These look like security holes. Is this the default behavior, and—if so—can it
    easily be disabled (other than by deleting the original default templates)?

  • #2 / Feb 04, 2011 4:41pm

    Ingmar

    29245 posts

    This code was not in either the template or the weblog data.

    Try adding

    rdf="off"

    to your weblog:entries tag. It’s no reason for concern.

    ... I am horrified to find that the original default “site” group top page is displaying at <domain>/index.php/site/.

    Well, is it still there? Delete it if you don’t need it (or set access permissions accordingly).

    Of course I can delete the original (sample) “site”-group templates that came with EE, but surely they should not be displaying?

    If it’s there, surely it should? How is EE supposed to know which template groups to display, and which ones not?

    Surely <domain>index.php/member/login/ should not be displaying by default either?

    If you’re concerned about this consider changing the “member” trigger word.
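    A quick way to confirm that the trackback auto-discovery block has actually gone from the rendered page after adding rdf="off" is to scan the page source for HTML comments containing an rdf:RDF element with a trackback:ping attribute. The script below is an added example for this thread, not ExpressionEngine code; the sample page source is constructed to match the shape of the snippet quoted above (the example.invalid host and entry id 74 are placeholders), and it only needs the Python standard library.

```python
import re
from typing import Dict, List

# Constructed sample page source, shaped like the block quoted in the thread.
# The host name is a placeholder; only the markup structure matters here.
SAMPLE_HTML = """<html><body>
<h1>Entry 74</h1>
<!--
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"
         xmlns:dc="http://purl.org/dc/elements/1.1/">
<rdf:Description
    rdf:about="http://example.invalid/index.php/site/comments/74/"
    trackback:ping="http://example.invalid/index.php/trackback/74/"
    dc:title="Entry 74" />
</rdf:RDF>
-->
<!-- an ordinary comment with no RDF in it -->
<p>body text</p>
</body></html>"""

# HTML comments, non-greedy so each <!-- ... --> pair is matched on its own.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
PING_RE = re.compile(r'trackback:ping\s*=\s*"([^"]*)"')
ABOUT_RE = re.compile(r'rdf:about\s*=\s*"([^"]*)"')


def find_trackback_blocks(html: str) -> List[Dict[str, str]]:
    """Return one record per HTML comment that carries an rdf:RDF trackback block.

    Each record holds the trackback ping URL and the rdf:about URL, which is
    enough to tell which entry emitted the block and which endpoint it advertises.
    """
    found: List[Dict[str, str]] = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1)
        # Only comments that contain an RDF element mentioning trackback count.
        if "<rdf:RDF" not in body or "trackback" not in body:
            continue
        ping = PING_RE.search(body)
        about = ABOUT_RE.search(body)
        found.append({
            "ping": ping.group(1) if ping else "",
            "about": about.group(1) if about else "",
        })
    return found


def trackback_autodiscovery_present(html: str) -> bool:
    """True if the page still advertises a trackback endpoint in a comment."""
    return bool(find_trackback_blocks(html))


if __name__ == "__main__":
    # Run against a saved copy of the page source: python check.py < page.html
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTML
    for block in find_trackback_blocks(source):
        print("trackback block found: ping=%s about=%s" % (block["ping"], block["about"]))
    if not trackback_autodiscovery_present(source):
        print("no trackback auto-discovery blocks found")
```

Save the page source (curl or "view source") and pipe it into the script; a clean run after setting rdf="off" should report no blocks, while the constructed sample reports one pointing at the /index.php/trackback/74/ endpoint.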

  • #3 / Feb 04, 2011 6:59pm

    KeithW

    138 posts

    How is EE supposed to know which template groups to display, and which ones not?

    I see that someone has already put in a feature request for setting template access default to “No”.

    Surely <domain>index.php/member/login/ should not be displaying by default either?

    If you’re concerned about this consider changing the “member” trigger word.

    If member preferences are set to “(only) manual activation by an administrator” then surely
    a membership registration (signup) screen should not be displayed regardless of the trigger word.
    It would also be desirable if the member login form could be either disabled or set to
    trigger an unauthorized access redirect—ideally this would be the initial default.
    Displaying a login or registration form is an invitation to hackers to try to break in by brute force.
    Maybe I should put in a feature request for this?

  • #4 / Feb 06, 2011 10:18am

    Greg Salt

    3988 posts

    Hi KeithW,

    Member registration is off by default in EE 2.x and as Ingmar says you can just turn it off if you don’t need it. You are welcome to submit a Feature Request if you feel that’s appropriate.

    Cheers

    Greg

  • #5 / Feb 06, 2011 10:55am

    KeithW

    138 posts

    Thanks. Added feature request.

  • #6 / Feb 07, 2011 8:00am

    Sue Crocker

    26054 posts

    Sounds good. Don’t hesitate to post again as needed.
