Hello, I trusted the CMSMS script and I built all my templates and program architecture on it. In recent months I have had several cases from my customers with 403 errors, so I wrote to the hosting company "what's going on?" and today I have the answer: "Your script (MS) is full of bugs and security warnings!" and an attachment with logs:
[Sun Apr 5 15:56:50 2020] [error] [client 185.23.21.246] ModSecurity: Access denied with code 403, [Rule: 'Request_FILENAME' 'moduleinterface\.php'] [id "77220960"] [rev "1"] [msg "IM360 WAF: SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||MVN:/zenbox/admin/moduleinterface.php||MV:/zenbox/admin/moduleinterface.php||T:LITESPEED||PC:2018"] [severity "CRITICAL"] [tag "other_apps"]
And additionally a link to gov (WTF): https://nvd.nist.gov/vuln/detail/CVE-2014-2245
So what should I do? I don't want to move all my websites to WP. I hate WP like Geralt, who hates portals.
Error 403 and not optimistic security info.
Last edited by Cyc on Sun Apr 05, 2020 3:51 pm, edited 1 time in total.
Re: Error 403 and not optimistic security info.
Cyc wrote: So what should I do? I don't want to move all my websites to WP. I hate WP like Geralt, who hates portals.
Let's not go that far...
From the link wrote: Current Description
SQL injection vulnerability in the News module in CMS Made Simple (CMSMS) before 1.11.10 allows remote authenticated users with the "Modify News" permission to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php. NOTE: some of these details are obtained from third party information.
As far as I can assess those are CMSMS 1.11.10 related... what version of CMSMS are you using?
Make sure you have an up to date CMSMS installation first of all!
Secondly, we don't support ModSecurity as it is a flawed and not very reliable type of firewall. Most hosts allow you to disable it entirely and some allow you to whitelist some rules that trigger false positives.
If your host doesn't support either, I would recommend starting to hunt for a new host.
HTH
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
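To triage a WAF alert like the one quoted in the first post against the CMSMS version actually installed, here is an added Python example (my own code, not from the thread or the CMSMS project). The log line is reconstructed from the post, and the helper names are assumptions of mine; a "likely false positive" result only means the rule describes a version range the install is past, it does not prove the blocked request was benign.

```python
import re

# Constructed sample: the shape of the ModSecurity/IM360 error-log line quoted in the thread
SAMPLE_LOG = (
    '[Sun Apr 5 15:56:50 2020] [error] [client 185.23.21.246] ModSecurity: '
    "Access denied with code 403, [Rule: 'Request_FILENAME' 'moduleinterface\\.php'] "
    '[id "77220960"] [rev "1"] [msg "IM360 WAF: SQL injection vulnerability in the '
    'News module in CMS Made Simple (CMSMS) before 1.11.10 (CVE-2014-2245)||'
    'MVN:/zenbox/admin/moduleinterface.php||MV:/zenbox/admin/moduleinterface.php||'
    'T:LITESPEED||PC:2018"] [severity "CRITICAL"] [tag "other_apps"]'
)

# Double-quoted bracketed fields as written by ModSecurity 2.x
FIELD_RE = re.compile(r'\[(id|rev|msg|severity|tag) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')
BEFORE_RE = re.compile(r'\bbefore (\d+(?:\.\d+)*)')


def parse_modsec_line(line):
    """Extract rule id, msg, client and the CVE/version hint from one log line."""
    fields = {k: v for k, v in FIELD_RE.findall(line)}
    m = CLIENT_RE.search(line)
    fields['client'] = m.group(1) if m else None
    # IM360 appends machine data after '||'; the human-readable text is the first part
    text, *extras = fields.get('msg', '').split('||')
    fields['msg_text'] = text
    fields['extras'] = dict(e.split(':', 1) for e in extras if ':' in e)
    cve = CVE_RE.search(text)
    fields['cve'] = cve.group(0) if cve else None
    before = BEFORE_RE.search(text)
    fields['fixed_in'] = before.group(1) if before else None
    return fields


def version_tuple(v):
    return tuple(int(x) for x in v.split('.'))


def is_likely_false_positive(fields, installed_version):
    """True when the rule's 'before X' version is at or below the installed one."""
    fixed = fields.get('fixed_in')
    if not fixed:
        return False  # no version hint in the rule text: cannot decide from the log alone
    return version_tuple(installed_version) >= version_tuple(fixed)


if __name__ == '__main__':
    alert = parse_modsec_line(SAMPLE_LOG)
    print(alert['id'], alert['cve'], alert['fixed_in'], alert['client'])
    print('likely false positive on 2.2.12:', is_likely_false_positive(alert, '2.2.12'))
```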
Re: Error 403 and not optimistic security info.
Thanks for the comment! I have several old MS installations, but the 403 problem is on version 2.2.12. So it is not an old instance. Hmmm... So MS is safe and I have a problem with lazy hosting, not CMSMS?
Re: Error 403 and not optimistic security info.
I wouldn't say "lazy hosting" but more like overzealous hosting.
Also the log they sent to you mentions the version of CMSMS. In addition:
"remote authenticated users"
means, well... authenticated users. We may change policies in the future but for the moment an authenticated user is someone with some privileges on the backend. The Backend Users system has been more of a separation-of-duties kind of user management system than a privilege separation system. We may revise that policy as long as it doesn't get in the way of flexibility, but that on its own has never been a security issue before.
And yes, the Dev Team works to make sure CMSMS is secure; we try to fix vulnerabilities as we find them or as we are notified of them, as fast as possible. That doesn't mean that there is no way it can be hacked, but surely not more than any other CMS with active development.
I can say that I have been working intensively with CMSMS in collaborative projects with many developers, in many different hosts and server environments, and security has always been reasonably assured so far, by both following the CMSMS recommendations and by keeping CMSMS always up to date.
And that is the main advice I would give everybody: keep CMSMS always updated!
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Re: Error 403 and not optimistic security info.
I thank you very, very much! Now I am calm. I have one last question: how can I support MS, or do you have a paid support program? Sometimes I have problems with CMSMS and I need fast backup.
Re: Error 403 and not optimistic security info.
Take a look at these options.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Re: Error 403 and not optimistic security info.
It's very easy to optimize security: change the name of the admin folder (remember to change admin_dir in config.php and give this file appropriate permissions). Protect this folder with a specific .htaccess (login + password).
If you want more security you can extend your root .htaccess with additional rules.
And yes, the dev team has always been concerned with security issues. I believe that in this area CMSMS is rather a good student. In your place I would be wary of a host whose only answer is "it's not me, it's my sister".
Re: Error 403 and not optimistic security info.
mod_security also flags the remote PHP snippet execution feature as a security flaw (it has its own CVE, too!). It's annoying as hell. Funnily enough, I think it was reported to them that it's for authenticated users...
I don't get why they post these as vulnerabilities at all, if it's intended operation. I mean, in the same spirit, (S)FTP(S) access can be considered a vulnerability.