When we received this e-mail, we knew you would want to read about it:
Recently it has come to my attention that there are some serious security issues with the default RSS to Blog installations.
In my manual I recommend that everyone name the folder RSS2B3. This common folder name is part of the security issue. When your RSS to Blog installation becomes indexed in the search engines it is very easy to find and hack into it even without the password.
One of my customers pointed out to me exactly what hackers are doing when they find RSS to Blog folders. He made a very interesting set of videos that shows step by step how this happens and how to protect yourself.
Here is what I learned by watching his videos …
Anyone who finds your RSS to Blog folder can simply look at the 'settings.php' file or the 'settings' folder from the browser and see all of your blog settings.
If you go to your installation right now and type in http://domain.com/RSS2B3/settings.php
or http://rsstoblog.com/RSS2B3/settings/
you will see all of your blog settings, URLs and even passwords. Anyone who can see that file can use that info to log into all of your blogs and do whatever they want. That possibility makes it very important that you update and add the .htaccess file to your folders immediately.
There is a simple way to prevent this. And I am going to explain how.
The first step is to make sure your RSS to Blog folder does not get indexed. Don't link to your installation from forums, or anywhere public.
If you have the RSS to Blog installation on a domain that does not have a front page this is a problem. You should always add an index page to every domain, even if you are only using the domain to host the software. It is not very uncommon for a domain to get indexed even if you never submitted the domain to the search engines. If you do not have an index page on that domain, then every folder on that domain is visible to the world.
The next step is to make your installation harder to find. Name your RSS to Blog folder something other than RSS2B3 or RSS2B or RSS.
You can rename your folder at any time; it will not affect your files, but you will need to change the path in your cron jobs if you choose to rename the folder.
The next step is to use something called an .htaccess file on your server. In this file you can add code that will block people from seeing your settings.php file or the contents of your folders.
I am including a link to a small update that includes the .htaccess file you need for your installations. Download and install it today.
If you need help further understanding anything I wrote here, the customer who told me about this (Eric Grigsby) actually created a set of videos that I thought were very good. They explain exactly how the security flaw was discovered and how to install the .htaccess file in your folder and test it.
If you need to, you can watch Eric's great videos.
If you purchased RSS to Blog in the last few days the security patch has already been put in the package for you. So you do not need to update.
Everyone else should update immediately.
Michelle Timothy
I like that Michelle is proactive on the security front. It gives me a little more confidence in the product, RSS to Blog.
4 Responses to “RSS to Blog Security Hole AND Fix”
[…] To begin with, it is worth saying that the flaw was reported by the company behind RSS2BLOG itself to its customers, and an update that removed the earlier hole was released right away. One has to take one's hat off to that, after all. You can see the e-mail at SEOBlackHat.com […]
This really blew me away… not that the "flaw" existed, but that it was an issue for anyone! Since my very first installation of RSS2B, I have always named the root folder something else. Maybe it's just my dislike for defaults, I dunno… but I always call every installation something unique. I figured everyone probably would do the same thing, if for no other reason than the fact that it being in ALL CAPS is extremely annoying!
The truth is, this is nothing specific to RSS2Blog. Just about every PHP based program on the market works in this way (as far as having unprotected directories/files), but most of them are not as popular as RSS2Blog so not everyone knows about or is looking for them. But I have many times found it very easy to swipe keywords, niche information, passwords, and all sorts of other goodies from people’s sites. In some cases, you can even actually swipe their PHP scripts themselves, if you know a little PHP yourself! This is not genius-level hacking we’re talking about here… this is really basic stuff that nearly anyone can do with barely any knowledge.
Bottom line in my opinion… NEVER leave things at defaults, ALWAYS custom tweak things, and ALWAYS make sure your directories are not open to the world, by at LEAST placing a blank file called “index.html” in any directory that does not already contain an index file of some sort.
“The Macro King”
www.macroking.com (being moved, may be down for a bit…)
Macroking has got it right on every account. I also picked up on the fact *all* directories/folders should have an index.html file. More than once I’ve popped into someone’s private directory (by accident of course) and found some juicy files and pictures.
That advice is also applicable to RSS2Blog because it ‘loads’ with an index.php file, so an index.html will load first if someone takes a stab at your RSS2Blog folder… and in fact, you could then rename your index.php to something else too.
All that, along with not using the default or suggested root folder, should protect the integrity of the software a little better than not.
Awesome blog, btw. Learn a lot from it!
Great info! Thanks
I just wanted to point out that there is one serious error in the videos. He claims that by using the robots.txt file you can somehow "force" the engines not to index specific pages or folders. NOT true! Robots.txt only prevents engines (if they respect it!) from crawling pages and directories but NOT from indexing them. There is a really important difference. Most of the major engines will index pages or directories based on links only, toolbars or other sources. So even if you have a proper robots.txt in place you could still end up with your RSS2Blog directory indexed.
The only secure solution is to issue a 403 to all spiders!
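The kind of .htaccess rules the e-mail's update would need (block settings.php and the settings/ folder, stop directory listings) and the hard 403 that the last comment recommends, as an added example and not Michelle's actual patch or Eric's video steps. It assumes Apache with mod_rewrite loaded and AllowOverride allowing Options, FileInfo and Limit in the RSS to Blog folder.

```apache
# Added example .htaccess for the RSS to Blog folder (assumed Apache + mod_rewrite,
# AllowOverride Options FileInfo Limit). Not the vendor's patch file.

# 1. No automatic directory listings: a request for /settings/ or any other
#    sub-folder without an index file gets 403 instead of a file list.
Options -Indexes

# 2. Refuse every request for settings.php, including leftover copies such as
#    settings.php.bak or settings.php~ that editors and backups create.
<FilesMatch "^settings\.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# 3. <Files> cannot match a folder path, so use mod_rewrite to answer 403 for
#    settings/ and everything below it. The same 403 is what a crawler sees,
#    so unlike robots.txt there is nothing left for a search engine to index.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^settings(/|$) - [F,L]
</IfModule>
```

Test it the way the e-mail suggests: request /RSS2B3/settings.php and /RSS2B3/settings/ in a browser and confirm both return "403 Forbidden" while the blog's own index.php still loads.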