Originally Posted by satchel
Anyone have any ideas on how to stop this?
Is the problem that a trojan can pick up the FTP login info, off of any owner's machine, when he exports?
I mentioned this previously, but Since OOTP shares the ftp login for both web exports and owner exports, this puts your websites at risk. This means that all it takes is for someone to have OOTP and your league file and they can find your ftp password to upload pages to your website (and thus hack your site).
The way I get around this is a pain in the butt, however since OOTP doesn't do anything to protect against this (my suggestion to the developers was to allow a seperate ftp account in the ootp configuration for webpage uploads and a different account for owner exports), you have to do it manually.
This is what I do:
I have two ftp logon accounts on my server.
1) account is for owner exports. This is input into your OOTP online configuration in the file that you upload. It ONLY has rights to read and write to the exports folder on your ftp sever.
2) account for web reports. You do not put this into OOTP anywhere. It has the rights to the rest of the webserver file structure.
When you upload files for other owners in the league , you have account #1 configured in OOTP. When you upload webpages to your server, you do it outside of OOTP and don't use OOTP for that. An alternate is that you can still use OOTP to do so, but you have to manually change the account settings back and forth in OOTP which is a pain.
If this is confusing, I would be happy to help explain it further, just drop me a pM. Ideally I think this is something that should be fixed in OOTP, but was told that was not going to be done, so a manual work around from commishes is the only other solution.
Let me know if you have questions, I am happy to help.