-
Hello Fabrik Community
Fabrik is now in the hands of the development team that brought you Fabrik for Joomla 4. We have recently transitioned the Fabrik site over to a new server and are busy trying to clean it up. We have upgraded the site to Joomla 4 and are running the latest version of Fabrik 4. We have also upgraded the Xenforo forum software to the latest version. Many of the widgets you might have been used to on the forum are no longer operational, many abandoned by the developers. We hope to bring back some of the important ones as we have time.
Exciting times to be sure.
The Fabrik 4.0 Official release is now available. In addition, the Fabrik codebase is now available in a public repository. See the notices about these in the announcements section
We wish to shout out a very big Thank You to all of you who have made donations. They have really helped. But we can always use more...wink..wink..
Also a big Thank You to those of you who have been assisting others in the forum. This takes a very big burden off of us as we work on bugs, the website and the future of Fabrik.
Create index.html under /httpdocs - message "Nothing to see here. Move along."
- Thread starter lunto
- Start date
This index.html is created by the fileupload element in the folder you've defined for storing the files.
As far as I know there's a more informative text if you are running a recent GitHub update.
So delete this file in your Joomla root (e.g. via FTP access) and set a correct upload path in your fileupload element.
As far as I know there's a more informative text if you are running a recent GitHub update.
So delete this file in your Joomla root (e.g. via FTP access) and set a correct upload path in your fileupload element.
rob
Administrator
yup basically ensure that your fileupload element is not uploading to your site's root but to a sub folder of your site. the element will create the folders for you if they don't exist.
Hugh do you think we should be testing and creating the index.html if they are uploading to root? That could take peoples sites offline if .html takes precedence over .php
Or perhpas we should not allow the element to be saved without entering an upload path?
Hugh do you think we should be testing and creating the index.html if they are uploading to root? That could take peoples sites offline if .html takes precedence over .php
Or perhpas we should not allow the element to be saved without entering an upload path?
cheesegrits
Support Gopher
This exact situation arose a few weeks ago. I was in a hurry then, so what I did was add some more verbiage to the index.html (well, to our language token):
PLG_ELEMENT_FILEUPLOAD_INDEX_FILE_CONTENT="Nothing to see here. Move along. This file was created by Fabrik. If it is appearing in an unexpected location, the site admin should check the configuration of any file upload elements on Fabrik forms, to ensure that an upload path has been set correctly."
But yeah, best solution would be to force specifying a path (that isn't just a /).
-- hugh
PLG_ELEMENT_FILEUPLOAD_INDEX_FILE_CONTENT="Nothing to see here. Move along. This file was created by Fabrik. If it is appearing in an unexpected location, the site admin should check the configuration of any file upload elements on Fabrik forms, to ensure that an upload path has been set correctly."
But yeah, best solution would be to force specifying a path (that isn't just a /).
-- hugh
cheesegrits
Support Gopher
We prepend the J! folder root to any location you specify (which is why they land in your J! root if you don't specify anything). So you should specify locations relative to the J! root. So images/fabrik would be the correct path.
-- hugh
-- hugh
I was working on a file upload element last night, and it automatically saved the file to the root dir. Only after I got this error message "Nothing to see here. Move along." I noticed this forum chain.
Now, I have removed the lists, forms and elements associated with this file upload element. Am able to login backend, but front end continues to display the same error message, and site is down.
Is there anything else that is missing?
madpad
Now, I have removed the lists, forms and elements associated with this file upload element. Am able to login backend, but front end continues to display the same error message, and site is down.
Is there anything else that is missing?
madpad
The index file just appeared on the front page of my site today. I have deleted the file, but when i view all elements with file upload the directory is set :: /images/stories/products
and the plugin gives no option to set a default directory -- so why did this happened, is there a fix? Your comp should not change my homepage --Urrrr -- very upset.
and the plugin gives no option to set a default directory -- so why did this happened, is there a fix? Your comp should not change my homepage --Urrrr -- very upset.
p38
Active Member
I can confirm this..... a few of my sites with older Fabrik 3.7 and J3.65 and older have been hacked recently with bogus files.
They used the fabrik upload element to deposit files in the root, luckily Fabrik places this index.html with message in the root, so at least your hacked site does not show the hacked content.
It seems word got out around the 14th Dec you can hack a fabrik site if older fabrik versions are running.
They used the fabrik upload element to deposit files in the root, luckily Fabrik places this index.html with message in the root, so at least your hacked site does not show the hacked content.
It seems word got out around the 14th Dec you can hack a fabrik site if older fabrik versions are running.
cheesegrits
Support Gopher
The word got out a lot longer ago than that - we found the first hacks shortly before the 3.7 release, and it was one of the primary reasons for releasing 3.7 when we did. But in early December, a script-kiddie hack found its way into several popular 4chan and related sites.
It's frustrating, as there's nothing I can do to prevent it or force updates on sites running old code. And, in retrospect, it was a dumb piece of coding that allowed the hack, and I should have noticed the potential for it a long time ago. But ... the vulnerability had been there from the first day we introduced AJAX uploading, and literally every Fabrik site ever installed since about version 2.3 was vulnerable. It just took about 6 years for someone to find it.
However, I try not to beat myself up about it too hard. Software has security holes. It's a part of life. I'm 100% sure there are other holes lurking in Fabrik, and Joomla itself, and every other non-trivial extension that allows any kind of state change on the server side. Likewise, in the OS the site runs on, the web servers that serve the sites, the browsers and mobile devices that access the site, etc etc.
Which is why it's the admin's responsibility to keep sites updated. Which is a pain, but just part of life as a web site admin. So when someone running 3 year old Fabrik and Joomla gets hacked, I have to remind myself that's just part of life's rich tapestry, and they should have updated.
-- hugh
It's frustrating, as there's nothing I can do to prevent it or force updates on sites running old code. And, in retrospect, it was a dumb piece of coding that allowed the hack, and I should have noticed the potential for it a long time ago. But ... the vulnerability had been there from the first day we introduced AJAX uploading, and literally every Fabrik site ever installed since about version 2.3 was vulnerable. It just took about 6 years for someone to find it.
However, I try not to beat myself up about it too hard. Software has security holes. It's a part of life. I'm 100% sure there are other holes lurking in Fabrik, and Joomla itself, and every other non-trivial extension that allows any kind of state change on the server side. Likewise, in the OS the site runs on, the web servers that serve the sites, the browsers and mobile devices that access the site, etc etc.
Which is why it's the admin's responsibility to keep sites updated. Which is a pain, but just part of life as a web site admin. So when someone running 3 year old Fabrik and Joomla gets hacked, I have to remind myself that's just part of life's rich tapestry, and they should have updated.
-- hugh
p38
Active Member
Thanks Hugh, not in the least your fault at all.
In fact, this is the first Fabrik hack I have encountered in almost 10 years and over a 100 sites I have built using Fabrik, and the fault was entirely mine, I was not diligent enough to keep Fabrik up to date.
So I think all in all, Fabrik is one of the more secure components out there.
Paul
In fact, this is the first Fabrik hack I have encountered in almost 10 years and over a 100 sites I have built using Fabrik, and the fault was entirely mine, I was not diligent enough to keep Fabrik up to date.
So I think all in all, Fabrik is one of the more secure components out there.
Paul
cheesegrits
Support Gopher
Did you delete the bogus index.html from the root folder of your site?
-- hugh
-- hugh