1 Apr 30, 2022 11:04    

Hello,

For a few weeks now I have been detecting unauthorized direct access to the media folder and the evocache folder in blogs.
In the analytics it looks like this (see fig. below).
b2e Analytics shows a link that does not work although the HTTP response shows 200. (It can't work because it calls e.g. https://www.genba.org/media/blogs/linz/quick-uploads/hundefreilaufflaeche-wasserwald-linz/_evocache/kleiner_wasserwald_180718-01_2_.jpg/fit-1280x720.jpg?mtime=1628104035 instead of https://linz.genba.org/media/blogs/linz/quick-uploads/hundefreilaufflaeche-wasserwald-linz/_evocache/kleiner_wasserwald_180718-01_2_.jpg/fit-1280x720.jpg?mtime=1628104035, because the file belongs to a subdomain.)

I have denied access via .htaccess for several IP ranges (0/16), most of them located on Microsoft or Amazon servers. The abuse targets media, not pages. These IPs only touch those files.

My questions: how can I block direct access to the media folder when the media has not been requested by a page first? (In .htaccess I denied access to the media folder, but that does not block this abuse.)
How should one understand that a link leading to a 404 error page is recorded by b2e Analytics with HTTP response 200?
Has anyone noticed similar abuse?

Thanks in advance, Will

[fig. 1: unauthorized access to evocache and media]

3 Apr 30, 2022 13:04

Hi, I probably won't be looking at this, given a) alternative work I want to do and b) I don't record any 'analytics', so it would be a 'big' issue for me :)

4 Apr 30, 2022 13:19

@amoun thanks, I understand that you prioritize other work.

Nevertheless, just to make my concern concrete: it is not about analytics. It is about direct abusive access to the system, thus a security problem.

Anyway, have a nice weekend and thanks for holding the fort here on b2e's forum.

BTW - there is a new version of b2e that @fplanque posted in March ("b2evolution version 7.2.4-stable-2022-03-26 is now available."). However, it can only be installed via the upgrade routine, as it is apparently not yet available for download.
I hope that there will be a future for b2e after all.

6 Apr 30, 2022 16:38

@amoun
The problem is so-called image hotlinking: third parties can link directly to files and download them, probably also files from private collections.
I tried this:

# Anti-hotlinking rules: allow requests with no Referer or with a Referer from the
# site's own domain (yourwebsite.com is a placeholder); redirect all other image
# requests. Note that only the bare domain and www. count as "own" here, so
# other subdomains (e.g. linz.) fall through to the redirect.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/g7ptdBB.png [NC,R,L]

But in some cases this affects images even with legitimate access, so it's not an appropriate block.

I block thousands of IP addresses by IP range blocking. But this way I have to keep an eye on the logs.

BTW, the Analytics is a core feature of b2e, so I presume that you can access it, too.
https://www.yourwebsite.org/blogs/evoadm.php?ctrl=stats&tab=summary&tab3=global&blog=0

Greetings, Will

PS: The demo access to b2e http://demo2.b2evolution.net/stable/admin.php is offline (404)

PPS: Have you autoupgraded to 7.2.4?
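
Because the rewrite rules above decide purely on the Referer header, it helps to see which media and _evocache requests really arrive with a foreign referrer, and from which addresses. The following Python script is an added example, not code from this post or from b2evolution: the log lines, the scraper.example referrer and the client IPs are constructed; genba.org is taken as the site's own domain from the first post, and, going beyond the posted rule, every subdomain of it (such as linz.genba.org) is treated as the site's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; the IPs and the
# scraper.example referrer are made up, genba.org is the domain from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2022:11:02:01 +0200] "GET /media/blogs/linz/quick-uploads/x/_evocache/a.jpg/fit-1280x720.jpg HTTP/1.1" 200 51234 "https://linz.genba.org/linz/post-1" "Mozilla/5.0"
203.0.113.11 - - [30/Apr/2022:11:02:05 +0200] "GET /media/blogs/linz/quick-uploads/x/b.jpg HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2022:11:03:10 +0200] "GET /media/blogs/linz/quick-uploads/x/_evocache/a.jpg/fit-1280x720.jpg HTTP/1.1" 200 51234 "https://scraper.example/gallery" "curl/7.68"
198.51.100.7 - - [30/Apr/2022:11:03:11 +0200] "GET /media/blogs/linz/quick-uploads/x/b.jpg HTTP/1.1" 200 40000 "https://scraper.example/gallery" "curl/7.68"
192.0.2.5 - - [30/Apr/2022:11:04:00 +0200] "GET /index.php?blog=1 HTTP/1.1" 200 9000 "https://other.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
OWN_DOMAIN = "genba.org"          # the site's own domain (from the first post)
MEDIA_PATH = re.compile(r"^/media/|/_evocache/")  # the folders the thread is about

def classify(referer, own_domain=OWN_DOMAIN):
    """Return 'blank', 'own' or 'foreign' for a Referer value. This mirrors the
    RewriteCond checks, but accepts every subdomain of own_domain (e.g. linz.*),
    which the posted rule (only www. or the bare domain) did not."""
    if referer in ("", "-"):
        return "blank"
    host = (urlsplit(referer).hostname or "").lower()
    if host == own_domain or host.endswith("." + own_domain):
        return "own"
    return "foreign"

def find_hotlinks(log_text, own_domain=OWN_DOMAIN):
    """Yield (ip, path, referer) for media/_evocache hits with a foreign Referer."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and MEDIA_PATH.search(m["path"]) and classify(m["referer"], own_domain) == "foreign":
            yield m["ip"], m["path"], m["referer"]

def hotlink_report(log_text, own_domain=OWN_DOMAIN):
    """Count foreign-referrer media hits per client IP (candidates for a deny rule)."""
    return Counter(ip for ip, _, _ in find_hotlinks(log_text, own_domain))

if __name__ == "__main__":
    for ip, n in hotlink_report(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} hotlinked media hits")
```

To run it over a real log, pass the file contents instead of SAMPLE_LOG. Hits with a blank Referer are deliberately not counted, because browsers and privacy settings legitimately strip the header, which is also why the rewrite rules above allow the empty case.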

7 Apr 30, 2022 17:47

  • I have 7.24
  • Confirm there's no demo presently
  • Re analytics: I don't record hits etc., so there is nothing to view.

With the imaging.

My sites are much simpler than yours and are really just personal sites so there isn't much to manage.

I'm not sure how you are hot-linking, but if another site wants to show your images, in situ, rather than just access the file, then presumably they will have to access your site as a non-member.

Slowly trying to get my head into what you are doing. I should give up whilst the sun is shining ~ speak later.
