Is the cache system secure?

Hi all,

I have been having some nasties inject code, via what seems to be the cache_public route. Every time it happened I would clear the cache, the site would be back up, until they did it again and redirected everyone to a scam 'check your pc' link. I rained on their parade and disabled the whole cache system and it has stopped completely.

Has anyone else had this happen?

They are not getting in through admin or cpanel or via my own pc.

Shouldn't there be a .htaccess file in the cache_public to stop open access to the files created there?

Quote · 9 Jun 2011

There is supposed to be a .htaccess file in the cache folder. If it's not there, create it. Contents should be:

Deny from all

https://www.deanbassett.com
Quote · 9 Jun 2011

.htaccess with "Deny from all" will bring in display issues. The site will not display correctly.

Here is the solution.

Go to admin panel -> settings -> advanced settings -> templates.

Disable caching for js, css and html.

Then add a .htaccess with 'deny from all' in the cache_public.

----
Quote · 9 Jun 2011

Hi Deano and Prav,

Thanks very much for your activity on these forums and responses to some 'silly' questions some of us may ask. Much appreciated.

After writing this post I did some scrounging around the site files and have found that scam code was also injected into modules/boonex/forum/layout/base_en and any other template language folders, in the actual .htaccess files. Weird huh? Maybe they could upload their own .htaccess because of the folders being 777 in **/forum/layout?

Hopefully my mentioning this can add to more site security.

1. Should a .htaccess 'deny from all' also be in **forum/layout? Maybe that will affect site display too.

2. What permissions should there be for all the folders and files in **/forum/layout - 755 and 644? Mine show as 777 and 666 after being created by the site when compiling. Do your sites create these files with 777 and 666 permissions also?

Prav, I did stop all the caching, which stopped their ability to redirect. I will place a .htaccess in there. Thanks :-)

Quote · 9 Jun 2011
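Added example, not part of any post in this thread: a read-only shell audit for the conditions discussed above, namely world-writable entries (777/666), .htaccess files carrying redirect directives, and a missing "Deny from all" file. The function names, the directive list and the directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of directories the site writes to, such as
# cache_public or modules/boonex/forum/layout. Nothing is modified.

# List files and directories that any local account can write to (777, 666).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# List .htaccess files containing directives that can send visitors elsewhere.
# The directive list is an assumption; extend it for your own server.
find_redirecting_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -liE \
        '^[[:space:]]*(Redirect|RedirectMatch|RewriteRule|RewriteCond|ErrorDocument)[[:space:]]' \
        {} + 2>/dev/null | sort
}

# Succeeds only if DIR/.htaccess exists and has a "Deny from all" line.
has_deny_all() {
    [ -f "$1/.htaccess" ] &&
        grep -qiE '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all[[:space:]]*$' \
            "$1/.htaccess"
}

# Print a report for one directory; exit status 1 means something was found.
# The body runs in a subshell so its variables do not leak to the caller.
audit_dir() (
    dir=$1
    rc=0
    out=$(find_world_writable "$dir")
    [ -z "$out" ] || { printf 'world-writable:\n%s\n' "$out"; rc=1; }
    out=$(find_redirecting_htaccess "$dir")
    [ -z "$out" ] || { printf '.htaccess with redirect directives:\n%s\n' "$out"; rc=1; }
    has_deny_all "$dir" || printf 'note: no "Deny from all" in %s/.htaccess\n' "$dir"
    exit "$rc"
)

# Usage: sh audit.sh /path/to/site/cache_public /path/to/site/modules/boonex/forum/layout
for d in "$@"; do
    audit_dir "$d" || echo "findings in $d"
done
```
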