
Create index.html under /httpdocs - message "Nothing to see here. Move along."

Discussion in 'Fabrik 3.x Testing' started by lunto, May 8, 2012.

  1. lunto

    lunto New Member

    Level: Community
    Hi,

    I am new to Fabrik and I noticed that Fabrik somehow created an index.html file under /httpdocs with the message "Nothing to see here. Move along." Is anyone able to help and fix the issue?

    regards
     
  2. troester

    troester Well-Known Member Staff Member

    Level: Community
    This index.html is created by the fileupload element in the folder you've defined for storing the files.
    As far as I know there's a more informative text if you are running a recent GitHub update.
    So delete this file in your Joomla root (e.g. via FTP access) and set a correct upload path in your fileupload element.
     
  3. rob

    rob Administrator Staff Member

    Level: Community
    Yup, basically ensure that your fileupload element is not uploading to your site's root but to a subfolder of your site. The element will create the folders for you if they don't exist.

    Hugh, do you think we should be testing and creating the index.html if they are uploading to root? That could take people's sites offline if .html takes precedence over .php.
    Or perhaps we should not allow the element to be saved without entering an upload path?
     
  4. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    This exact situation arose a few weeks ago. I was in a hurry then, so what I did was add some more verbiage to the index.html (well, to our language token):

    PLG_ELEMENT_FILEUPLOAD_INDEX_FILE_CONTENT="Nothing to see here. Move along. This file was created by Fabrik. If it is appearing in an unexpected location, the site admin should check the configuration of any file upload elements on Fabrik forms, to ensure that an upload path has been set correctly."

    But yeah, best solution would be to force specifying a path (that isn't just a /).

    -- hugh
     
  5. lunto

    lunto New Member

    Level: Community
    Hi Guys,

    Thanks it is working now.

    One more question, what if I want to upload all files under /httpdocs/images/fabrik? should I just put /images/fabrik or /httpdocs/images/fabrik ?

    regards
     
  6. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    We prepend the J! folder root to any location you specify (which is why they land in your J! root if you don't specify anything). So you should specify locations relative to the J! root. So images/fabrik would be the correct path.

    -- hugh
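
A sketch of the check suggested in this thread: since the configured value is appended to the Joomla root, refuse an upload path that is empty or just "/". This is an added example, not Fabrik's own code; `resolveUploadDir()`, the sample root and the sample values are hypothetical.

```php
<?php
// Added example, not Fabrik's code. resolveUploadDir() is a hypothetical helper.

/**
 * Resolve a configured upload directory against the site root and
 * reject values that would land in the root itself or outside it.
 */
function resolveUploadDir(string $siteRoot, string $configured): string
{
    // Normalise separators and split into segments, dropping empty ones,
    // so "", "/", "//" and "images//fabrik/" are all handled the same way.
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', trim($configured))) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            // Lexical check: the folder may not exist yet, so realpath() cannot be used.
            throw new InvalidArgumentException('Upload path must not contain "..".');
        }
        $segments[] = $seg;
    }

    // Nothing left means the files (and the generated index.html) would go to the root.
    if ($segments === []) {
        throw new InvalidArgumentException('Upload path is empty or resolves to the site root.');
    }

    return rtrim(str_replace('\\', '/', $siteRoot), '/') . '/' . implode('/', $segments);
}

// Constructed sample values
$root = '/var/www/vhosts/example.org/httpdocs';
foreach (['images/fabrik', '/images/fabrik/', '', '/', './', '../uploads'] as $value) {
    try {
        printf("%-18s => %s\n", var_export($value, true), resolveUploadDir($root, $value));
    } catch (InvalidArgumentException $e) {
        printf("%-18s => REJECTED: %s\n", var_export($value, true), $e->getMessage());
    }
}
```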
     
  7. lunto

    lunto New Member

    Level: Community
    Got it and fixed. Thanks.
     
  8. madpad

    madpad Member

    Level: Community
    I was working on a file upload element last night, and it automatically saved the file to the root dir. Only after I got this error message "Nothing to see here. Move along." I noticed this forum chain.

    Now, I have removed the lists, forms and elements associated with this file upload element. Am able to login backend, but front end continues to display the same error message, and site is down.

    Is there anything else that is missing?
    madpad
     
  9. Raindog

    Raindog New Member

    Level: Community
    madpad
    You need to delete index.html from Joomla root directory.
     
  10. iamwe

    iamwe New Member

    Level: Community
    The index file just appeared on the front page of my site today. I have deleted the file, but when I view all elements with file upload the directory is set :: /images/stories/products
    and the plugin gives no option to set a default directory -- so why did this happen, is there a fix? Your comp should not change my homepage --Urrrr -- very upset.
     
  11. troester

    troester Well-Known Member Staff Member

    Level: Community
    It seems you are running outdated Fabrik and Joomla versions with security holes.

    If you don't have a fileupload element with a wrong setup and this index file appeared suddenly then your site is hacked.
     
  12. p38

    p38 Member

    Level: Community
    I can confirm this..... a few of my sites with older Fabrik 3.7 and J3.65 and older have been hacked recently with bogus files.

    They used the fabrik upload element to deposit files in the root, luckily Fabrik places this index.html with message in the root, so at least your hacked site does not show the hacked content.

    It seems word got out around the 14th Dec you can hack a fabrik site if older fabrik versions are running.
     
  13. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    The word got out a lot longer ago than that - we found the first hacks shortly before the 3.7 release, and it was one of the primary reasons for releasing 3.7 when we did. But in early December, a script-kiddie hack found its way into several popular 4chan and related sites.

    It's frustrating, as there's nothing I can do to prevent it or force updates on sites running old code. And, in retrospect, it was a dumb piece of coding that allowed the hack, and I should have noticed the potential for it a long time ago. But ... the vulnerability had been there from the first day we introduced AJAX uploading, and literally every Fabrik site ever installed since about version 2.3 was vulnerable. It just took about 6 years for someone to find it.

    However, I try not to beat myself up about it too hard. Software has security holes. It's a part of life. I'm 100% sure there are other holes lurking in Fabrik, and Joomla itself, and every other non-trivial extension that allows any kind of state change on the server side. Likewise, in the OS the site runs on, the web servers that serve the sites, the browsers and mobile devices that access the site, etc etc.

    Which is why it's the admin's responsibility to keep sites updated. Which is a pain, but just part of life as a web site admin. So when someone running 3 year old Fabrik and Joomla gets hacked, I have to remind myself that's just part of life's rich tapestry, and they should have updated.

    -- hugh
     
  14. p38

    p38 Member

    Level: Community
    Thanks Hugh, not in the least your fault at all.

    In fact, this is the first Fabrik hack I have encountered in almost 10 years and over a 100 sites I have built using Fabrik, and the fault was entirely mine, I was not diligent enough to keep Fabrik up to date.

    So I think all in all, Fabrik is one of the more secure components out there.

    Paul
     
  15. iamwe

    iamwe New Member

    Level: Community
    I updated the fabrik component and plugins and I am still receiving the message.
     
  16. cheesegrits

    cheesegrits Support Gopher Staff Member

    Level: Community
    Did you delete the bogus index.html from the root folder of your site?

    -- hugh
     
