Fixed a simple security hole in , uncovered unintentionally by an attack mounted ≈5hrs ago — the intent appeared to be to create new user accounts; the unintended result was the creation of a new, empty article.

Hundreds of requests were made against URLs similar to these:

  • /articles/do.php
  • /articles/modules.php?app=user_reg
  • /articles/index.php?app=home&mod=public&act=register
  • /action/sign_up
  • /articles/sign_up.html
  • /articles/?page=login&cmd=register
  • /articles/tiki-register.php
  • /articles/index.php?page=register&action=register
  • /index.php?page=item&action=item_add
  • /articles/index.php?user/create_form/
  • /articles/join.php
  • /articles/index.php?dll=register
  • /articles/index.php?option=com_community&view=register
  • /articles/register.php
  • /articles/signup.php

Presumably these URLs are compromised on other systems — needless to say they are far too ugly to exist in ! I’m unsure exactly why /articles was used as the base URL for the attack in all cases apart from two.

As these URLs don’t exist, and never will, it should be safe enough to add server- or application-level filters that immediately reject any request for them.
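One way to build such an application-level filter, as an added Python example rather than code from the site described above: it normalises an incoming request URL (percent-decoding, case, duplicate and trailing slashes) and rejects it when its path and query parameters cover one of the probe URLs listed earlier, so variants with extra query parameters still match while requests to the same script with different parameters pass.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Probe URLs taken from the request log quoted above; none of them exists
# in the application, so any request for them can be rejected outright.
PROBE_URLS = [
    "/articles/do.php",
    "/articles/modules.php?app=user_reg",
    "/articles/index.php?app=home&mod=public&act=register",
    "/action/sign_up",
    "/articles/sign_up.html",
    "/articles/?page=login&cmd=register",
    "/articles/tiki-register.php",
    "/articles/index.php?page=register&action=register",
    "/index.php?page=item&action=item_add",
    "/articles/index.php?user/create_form/",
    "/articles/join.php",
    "/articles/index.php?dll=register",
    "/articles/index.php?option=com_community&view=register",
    "/articles/register.php",
    "/articles/signup.php",
]

def normalise(url):
    """Split a request URL into a canonical (path, query-parameter set) pair.

    The path is percent-decoded, lower-cased and stripped of duplicate and
    trailing slashes so trivial variants cannot slip past the filter; the
    query becomes a frozenset of (key, value) pairs, so order is ignored.
    """
    parts = urlsplit(url)
    path = re.sub(r"/+", "/", unquote(parts.path)).lower().rstrip("/") or "/"
    query = frozenset(parse_qsl(parts.query.lower(), keep_blank_values=True))
    return path, query

# Pre-computed deny list: one canonical (path, params) entry per probe URL.
DENY = {normalise(u) for u in PROBE_URLS}

def is_probe(url):
    """True when the request URL should be rejected by the filter.

    A request matches when its path equals a probe path and its query
    parameters are a superset of the probe's, so appended junk parameters
    still match, while other requests to the same script (different
    parameters, or none where the probe had some) are left alone.
    """
    path, query = normalise(url)
    return any(path == p and q <= query for p, q in DENY)
```

In a real deployment the same deny list could equally be expressed as server-level rewrite rules; the subset check on query parameters is what keeps a plain request for /articles/index.php from being caught.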

updated: