Recent security issues - question

jmcgin51
Power Poster
Posts: 1899
Joined: Mon Jun 12, 2006 9:02 pm

Post by jmcgin51 »

In Calguy's announcement here: http://forum.cmsmadesimple.org/index.ph ... 4.html#new

he says that it appears that a group of people is searching for vulnerable CMSMS websites.

My question is: how do they do this?  Surely they don't just randomly start searching the billions of websites on the web, hoping to stumble across 1) a CMSMS site and 2) a CMSMS site that hasn't been upgraded.  Do they????  Is there some way they can automate this search?  Some kind of meta tag search or something?

Also, why does THIS SITE (the CMSMS official site) still list the CMSMS version that it's running?  Clear as day at the bottom of the page: "this site is currently running CMSMS 1.2.5."  Why do we advertise that?
Nullig
Power Poster
Posts: 2380
Joined: Fri Feb 02, 2007 4:31 pm

Re: Recent security issues - question

Post by Nullig »

It's easily found from the comments in the generated source code for the pages, even without the "Powered by" link. If you look at the page source, you'll see at the bottom something like:



They have scripts to look for the "CMS Made Simple" string and then test for the vulnerability.

Nullig
vilkis

Re: Recent security issues - question

Post by vilkis »

These comments could be removed from the source by deleting them from index.php
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: Recent security issues - question

Post by blast2007 »

vilkis wrote: These comments could be removed from source deleting them from index.php
Why not comment out these lines "by default" in the next release?

We won't give any help to hackers searching for vulnerable/old releases.

Regards
blast
tinhat
Forum Members
Posts: 65
Joined: Fri May 23, 2008 6:33 am

Re: Recent security issues - question

Post by tinhat »

blast2007 wrote:
vilkis wrote: These comments could be removed from source deleting them from index.php
Why not comment out these lines "by default" in the next release?

We won't give any help to hackers searching for vulnerable/old releases.

Regards
blast

I agree with these sentiments. I was thinking the same earlier today. Vulnerabilities which remain unexploited are a different matter to vulnerabilities which become known and exploited. I've seen a lot of scripts in my time which are not secure (vulnerable) but get away with it by flying under the radar. Popular open source scripts can't escape by stealth. When an exploit in a widely used open source script becomes known there is much more effort by hackers to find deployed instances of it to exploit.
vilkis

Re: Recent security issues - question

Post by vilkis »

There is meta tag
in source, also.
However, IMHO removing these tags is not a solution, as CMSMS could be identified by other specific pieces of code, i.e.:

stylesheet.php?templateid=

name="mact"
Vilkis
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: Recent security issues - question

Post by blast2007 »

vilkis wrote: There is meta tag
in source, also.
Yes I mean this line also.
vilkis wrote:
stylesheet.php?templateid=
Stylesheet can be static (faster), so this line isn't present.
vilkis wrote:
name="mact"
This sentence can be denied from indexing with robots.txt

Regards
blast
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm

Re: Recent security issues - question

Post by calguy1000 »

IMHO this is barking up the wrong tree.

It's users recommending changes to the source so that the generating package isn't identifiable, so that updates and upgrades aren't as necessary if a security vulnerability is found.  This doesn't SOLVE anything.  It's just putting curtains on an open window.

Instead, IMHO, users should have working, verified, and regular backups, should focus on making sure that they are notified when new releases come out, and why.  Then when a new version comes out notify their customers and schedule their upgrades.

Removing things like the comments in the CMS footer is pure window dressing; a bot could just as easily request the output of any file in CMS, or post a URL that CMS could react to.
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm

Re: Recent security issues - question

Post by Ted »

jmcgin51 wrote: My question is: how do they do this?  Surely they don't just randomly start searching the billions of websites on the web, hoping to stumble across 1) a CMSMS site and 2) a CMSMS site that hasn't been upgraded.  Do they???? 
Actually, they do.  You should see the log files for our server looking for holes in Mambo/Joomla, drupal, etc...   the number of scripts still looking for vulnerable formmail.pl scripts is amazing (that was patched 10+ years ago).

And...  I can very easily script looking for a cmsms site without looking at the comments.
http://cmsmadesimple.org/version.php
http://cmsmadesimple.org/include.php

Neither are a 404?  Hmm...   it's a pretty safe bet it's a CMSMS site.

There's no rocket science here.  We're doing our best to make sure we patch things as we find them, but we can only do so much.  Keeping your site safe and backed up is your responsibility.  We're just doing our best to not be the straw on the proverbial camel's back.

Back up and maintain your camels...  err..  sites, people!  :)
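
A log check for the kind of scanning Ted describes, as an added example that is not part of the original thread or the CMSMS project. The watchlist file names come from the posts above; the log lines, IP addresses, threshold and the `find_probers` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2008:04:12:01 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [10/Jun/2008:04:12:02 +0000] "GET /cgi-sys/formmail.pl HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [10/Jun/2008:04:12:02 +0000] "GET /mambo/index.php HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [10/Jun/2008:04:12:03 +0000] "GET /joomla/index.php HTTP/1.0" 404 209 "-" "-"
198.51.100.20 - - [10/Jun/2008:05:00:10 +0000] "GET /version.php HTTP/1.1" 200 0 "-" "-"
198.51.100.20 - - [10/Jun/2008:05:00:10 +0000] "GET /include.php HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [10/Jun/2008:06:30:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2008:06:30:01 +0000] "GET /stylesheet.php?templateid=15 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2008:06:30:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3}) ')
# File names taken from the thread; nothing a normal visitor requests directly.
WATCHLIST = {"formmail.pl", "version.php", "include.php"}

def find_probers(log_text, min_distinct_404=3):
    """Return {ip: {"distinct_404": n, "watchlist": [...]}} for suspicious clients."""
    stats = defaultdict(lambda: {"misses": set(), "watch": set(), "pages": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.groups()
        path = target.split("?", 1)[0].lower()
        name = path.rsplit("/", 1)[-1]
        s = stats[ip]
        if name in WATCHLIST:
            s["watch"].add(name)
        elif status == "200":
            s["pages"] += 1  # an ordinary successful page or asset fetch
        if status == "404":
            s["misses"].add(path)
    flagged = {}
    for ip, s in stats.items():
        scanning = len(s["misses"]) >= min_distinct_404     # many distinct dead paths
        blind_probe = bool(s["watch"]) and s["pages"] == 0  # watchlist only, no browsing
        if scanning or blind_probe:
            flagged[ip] = {"distinct_404": len(s["misses"]),
                           "watchlist": sorted(s["watch"])}
    return flagged

if __name__ == "__main__":
    for ip, info in sorted(find_probers(SAMPLE_LOG).items()):
        print(ip, info)
```
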
pb
Forum Members
Posts: 27
Joined: Sun Jun 01, 2008 8:41 pm

Re: Recent security issues - question

Post by pb »

Searching with google:

powered by cmsmadesimple version 1.2.3 -site:cmsmadesimple.org

or another version and someone has aims to attack.

Just take the lesson "how to from the security boards with the exactly description" and the list and they start to play hacking in some seconds.
blast2007
Power Poster
Posts: 508
Joined: Wed Aug 01, 2007 5:36 pm

Re: Recent security issues - question

Post by blast2007 »

Searching with google:
powered by cmsmadesimple version 1.2.3 -site:cmsmadesimple.org
or another version and someone has aims to attack.
My posts were pointing right in that direction.
it's just putting curtains on an open window.
Maybe, but leaving these lines in the core is like putting a giant blinking "OPEN" neon light upon the window :)

I wasn't thinking to defeat "expert" hackers but only script kiddies.

An expert hacker won't need this info I think IMHO.

Regards
blast
pb
Forum Members
Posts: 27
Joined: Sun Jun 01, 2008 8:41 pm

Re: Recent security issues - question

Post by pb »

Experts or kiddies, the results are big damages and these groups are happy with the "OPEN" neon light.
Augustas
Forum Members
Posts: 241
Joined: Wed Oct 17, 2007 6:09 pm

Re: Recent security issues - question

Post by Augustas »

Another way to find CMSMS driven websites -- look at the "CMS Show Off" forum on this website.