Hacking via SQL injection
Re: Hacking via SQL injection
And why does that coder think that? Based on what?
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
-
- Power Poster
- Posts: 444
- Joined: Wed Dec 27, 2006 5:15 pm
Re: Hacking via SQL injection
Rolf wrote: And why does that coder think that? Based on what?
I have no idea! He uses CMSMS and can also write in php, which is more than I can!
Re: Hacking via SQL injection
Then we can't do a thing...
Re: Hacking via SQL injection
Rolf wrote: Then we can't do a thing...
Point taken. I will ask him to give us chapter & verse.
Re: Hacking via SQL injection
Hi,
I have quite some experience with sites that run CMSMS and I do not know of sites that were hacked with a SQL injection.
When you
- keep the site up to date
- follow the guidelines for a secure site
- have a hoster that has good security policies
then CMSMS is pretty secure.
Much better than Wordpress, better than Joomla (I had 1 install hacked), in short better than most.
My guess from what you have written is a problem with the hoster, or your own install where permissions were not set strictly enough.
Did you also check if PHPMyAdmin was hacked? Some people just forget things like that.
Kind regards,
Jan
Re: Hacking via SQL injection
This hacker targeted 2 sites that are related, in the sense that they are about the same person's business. Same host, different accounts. Same hacker methodology. Changes user's email address, uses lost password facility, and then gets into the CMS.
The passwords used for both the host and the CMS are 'high security'. 10-12 digit. Alphanumeric.
I can't see anything else.
Re: Hacking via SQL injection
You did not by accident leave in the news the name instead of the author-name? Because this is a weak spot.
Did you check your local PC? Maybe a keylogger or bot or so?
Regards,
Jan
Re: Hacking via SQL injection
janvl wrote: You did not by accident leave in the news the name instead of the author-name? Because this is a weak spot.
Jan - not too sure I understand this
janvl wrote: Did you check your local PC? Maybe a keylogger or bot or so?
- yes. Full protection. In any case for one of the hacked sites I have not been near it for a couple of years and neither has the site owner.
-
- Power Poster
- Posts: 1049
- Joined: Wed Mar 19, 2008 4:54 pm
Re: Hacking via SQL injection
If you haven't been near one of those sites for years, it was running on an old and unsafe core and modules.
Re: Hacking via SQL injection
Is it on a shared host that might have a WP install on it or some other vulnerable system? If the sites have been upgraded to the latest CMSMS and the modules are all up to date, there is a chance that another site has let someone into the server...
Re: Hacking via SQL injection
"weak spot"
In the summary template
$entry->author
should be
$entry->authorname
then $entry->author reveals the name of the CMSMS user that can log in
Kind regards,
Jan
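The template check Jan describes above, as an added example that is not part of the original thread or of CMSMS itself: a small Python scanner that flags Smarty output tags printing $entry->author (per the post, the login name) and suggests $entry->authorname instead. The function names and the sample template are constructed for illustration, and the template text is assumed to have been copied out of the site into a string.

```python
import re

# $entry->author as a whole property name; $entry->authorname is not matched.
LOGIN_NAME_REF = re.compile(r"\$entry->author(?![A-Za-z0-9_])")
# Smarty output tags start with "{$"; control tags such as {if ...} print nothing.
OUTPUT_TAG = re.compile(r"\{\$[^{}]*\}")
SMARTY_COMMENT = re.compile(r"\{\*.*?\*\}", re.DOTALL)

# Constructed sample, loosely shaped like a News summary template.
SAMPLE = """{* summary template: {$entry->author} is mentioned in this comment only *}
{foreach from=$items item=entry}
<h2>{$entry->title|escape}</h2>
{if $entry->author}
  <p class="byline">{$author_text}: {$entry->author|escape}</p>
{/if}
<p>Written by {$entry->authorname}</p>
{/foreach}
"""


def find_login_name_leaks(template_text):
    """Return (line_number, tag) for each output tag that prints $entry->author."""
    # Blank out Smarty comments but keep newlines so line numbers stay correct.
    text = SMARTY_COMMENT.sub(
        lambda m: re.sub(r"[^\n]", " ", m.group()), template_text
    )
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag in OUTPUT_TAG.findall(line):
            if LOGIN_NAME_REF.search(tag):
                findings.append((lineno, tag))
    return findings


def suggest_fix(tag):
    """Rewrite a flagged tag to use the display name, keeping any modifiers."""
    return LOGIN_NAME_REF.sub("$entry->authorname", tag)


if __name__ == "__main__":
    for lineno, tag in find_login_name_leaks(SAMPLE):
        print(f"line {lineno}: {tag} -> {suggest_fix(tag)}")
```

Run it over every News summary and detail template on the site; a clean template returns an empty list.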
Re: Hacking via SQL injection
Thank you. Very helpful.
Martin