Error 403 and not optimistic security info.

Cyc
Forum Members
Posts: 91
Joined: Wed Nov 18, 2015 11:54 pm
Location: Poland

Error 403 and not optimistic security info.

Post by Cyc »

Hello, I trusted the CMSMS script and built all my templates and program architecture on it. In recent months I had several cases from my customers with 403 errors, so I wrote to the hosting company "what's going on?" and today I got the answer: "Your script (MS) is full of bugs and security warnings!" with an attachment of logs:

[Sun Apr 5 15:56:50 2020] [error] [client 185.23.21.246] ModSecurity: Access denied with code 403, [Rule: 'Request_FILENAME' 'moduleinterface\.php'] [id "77220960"] [rev "1"] [msg "IM360 WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||MVN:/zenbox/admin/moduleinterface.php||MV:/zenbox/admin/moduleinterface.php||T:LITESPEED||PC:2018"] [severity "CRITICAL"] [tag "other_apps"]

IM360 WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||

And additionally a link to a gov site (WTF): https://nvd.nist.gov/vuln/detail/CVE-2014-2245

So what should I do? I don't want to move all my websites to WP. I hate WP like Geralt, who hates portals.
Last edited by Cyc on Sun Apr 05, 2020 3:51 pm, edited 1 time in total.
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Error 403 and not optimistic security info.

Post by Jo Morg »

As far as I can assess those are CMSMS 1.11.10 related... what version of CMSMS are you using?
From the link wrote: Current Description

SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
Secondly, we don't support ModSecurity, as it is a flawed and not very reliable type of firewall. Most hosts allow you to disable it entirely, and some allow you to whitelist some rules that trigger false positives.
If your host doesn't support either, I would recommend starting to hunt for a new host :).
Cyc wrote: So what should I do? I don't want to move all my websites to WP. I hate WP like Geralt, who hates portals.
Let's not go that far... :).
Make sure you have an up to date CMSMS installation first of all!
HTH
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Cyc
Forum Members
Posts: 91
Joined: Wed Nov 18, 2015 11:54 pm
Location: Poland

Re: Error 403 and not optimistic security info.

Post by Cyc »

Thanks for the comment! I have several old MS installations, but the 403 problem is in the 2.2.12 version. So it is not an old instance. Hmmm... So MS is safe and I have a problem with lazy hosting, not CMSMS?
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Error 403 and not optimistic security info.

Post by Jo Morg »

I wouldn't say "lazy hosting" but more like overzealous hosting.
Also, the log they sent you mentions the version of CMSMS. In addition:
remote authenticated users
means, well... authenticated users. We may change policies in the future, but for the moment an authenticated user is someone with some privileges on the backend. The Backend Users system has been more of a separation-of-duties kind of user management system than a privilege separation system. We may revise that policy as long as it doesn't get in the way of flexibility, but that on its own has never been a security issue before.
And yes, the Dev Team works to make sure CMSMS is secure; we try to fix vulnerabilities as we find them or as we are notified of them, and as fast as possible. That doesn't mean that there is no way it can be hacked, but surely not more than any other CMS with active development.
I can say that I have been working intensively with CMSMS in collaborative projects with many developers, in many different hosts and server environments, and security has always been reasonably assured so far, by both following the CMSMS recommendations and by keeping CMSMS always up to date.
And that is the main advice I would give everybody: keep CMSMS always updated!
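To make the two points above concrete (the rule fired on the file name alone, and the CVE text says "before 1.11.10"), here is an added triage script that is not from the thread or the CMSMS project. It parses the ModSecurity entry quoted in the first post (embedded below as a constructed sample), pulls out the rule id, the CVE and the first fixed version, and compares that with the version actually running (2.2.12 in this thread); the field names and verdict strings are my own.

```python
import re

# Constructed sample input: the ModSecurity (IM360 WAF) entry quoted in the thread.
LOG_LINE = r"""[Sun Apr 5 15:56:50 2020] [error] [client 185.23.21.246] ModSecurity: Access denied with code 403, [Rule: 'Request_FILENAME' 'moduleinterface\.php'] [id "77220960"] [rev "1"] [msg "IM360 WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||MVN:/zenbox/admin/moduleinterface.php||MV:/zenbox/admin/moduleinterface.php||T:LITESPEED||PC:2018"] [severity "CRITICAL"] [tag "other_apps"]"""


def version_tuple(s):
    """'1.11.10' -> (1, 11, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.split('.'))


def parse_modsec(line):
    """Pull the fields a defender needs out of one ModSecurity error-log entry."""
    def grab(pattern, default=None):
        m = re.search(pattern, line)
        return m.group(1) if m else default

    msg = grab(r'\[msg "([^"]*)"\]', '')
    # IM360 packs extra data into msg after '||'; the first part is the advisory text.
    description = msg.split('||')[0]
    rule = re.search(r"\[Rule: '([^']+)' '([^']+)'\]", line)
    return {
        'status': int(grab(r'Access denied with code (\d{3})', '0')),
        'id': grab(r'\[id "(\d+)"\]'),
        'severity': grab(r'\[severity "([^"]*)"\]'),
        # What the rule actually inspected: here only the requested file name.
        'rule_var': rule.group(1) if rule else None,
        'rule_pattern': rule.group(2) if rule else None,
        'cve': grab(r'(CVE-\d{4}-\d{4,7})'),
        # "before X" in the advisory text is the first fixed version.
        'fixed_in': grab(r'\bbefore (\d+(?:\.\d+)+)'),
        'description': description,
    }


def assess(entry, installed_version):
    """Decide whether the flagged CVE can apply to the version actually running."""
    fixed_in = entry['fixed_in']
    affected = fixed_in is not None and version_tuple(installed_version) < version_tuple(fixed_in)
    # A rule keyed on Request_FILENAME alone fires on every request to that script,
    # patched or not, so a block on an already fixed version is a false positive.
    filename_only = entry['rule_var'] == 'Request_FILENAME'
    return {
        'version_affected': affected,
        'matched_on_filename_only': filename_only,
        'verdict': 'patch required' if affected else ('likely false positive' if filename_only else 'review request payload'),
    }
```

Running `assess(parse_modsec(LOG_LINE), '2.2.12')` reports the block as a likely false positive, while '1.11.9' reports "patch required".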
Cyc
Forum Members
Posts: 91
Joined: Wed Nov 18, 2015 11:54 pm
Location: Poland

Re: Error 403 and not optimistic security info.

Post by Cyc »

I thank you very, very much! Now I am calm. I have one last question: how can I support MS, or do you have a paid support program? Sometimes I have problems with CMSMS and I need fast backup.
Jo Morg
Dev Team Member
Posts: 1922
Joined: Mon Jan 29, 2007 4:47 pm

Re: Error 403 and not optimistic security info.

Post by Jo Morg »

Take a look at these options. 8)
pierrepercee
Forum Members
Posts: 150
Joined: Thu Jan 10, 2013 8:02 am

Re: Error 403 and not optimistic security info.

Post by pierrepercee »

It's very easy to optimize security: change the name of the admin folder (remember to change admin_dir in config.php and give this file appropriate permissions). Protect this folder with a specific .htaccess (login + password).
If you want more security, you can optimize your root .htaccess with additional rules.
And yes, the dev team has always been concerned with security issues. I believe that in this area CMSMS is rather a good student. In your place I would be wary of a host whose only answer is "it's not me, it's my sister".
KadiganKSB
New Member
Posts: 1
Joined: Wed Apr 08, 2020 2:34 pm

Re: Error 403 and not optimistic security info.

Post by KadiganKSB »

mod_security also flags the remote PHP snippet execution feature as a security flaw (it has its own CVE, too!). It's annoying as hell. Funnily enough, I think it was reported to them that it's for authenticated users...

I don't get why they post these as vulnerabilities at all, if it's the intended operation. I mean, in the same spirit, (S)FTP(S) access can be considered a vulnerability.