Hi
the following entry i found in the access log
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
it is simple to hack the server with an installed cmsms
i think it has to be fixed as soon as possible?
CMSMS Version 0.13 installed on a SUSE 10.0
kind regards
Grebog
p.s.
i allready have had several alien files in the FCKEdit template directory of another domain with an also install cmsms
but i deleted the files. i think it was another hacking.
CMSMS Site Hacked
-
Grebog
CMSMS Site Hacked
Last edited by Rolf on Mon Apr 02, 2012 7:53 am, edited 2 times in total.
Reason: removed hacked code/links
Reason: removed hacked code/links
Re: CMSMS Site Hacked
And index.php hasn't been changed? The page variable doesn't include or run anything.
What else do you have installed on the server? phpbb or anything like that?
What else do you have installed on the server? phpbb or anything like that?
-
Grebog
Re: CMSMS Site Hacked
hi
the index isn't modified, phpbb is also installed an runs in an iframe. the site is www.spelunke.com
http://xpl.netmisphere2.com/cmd.gif
this isn't an image but a php-script, which was executed through cmsms or the smarty template engine. is it possible?
or how can i protect my server?
grebog
p.s. i have now modified the index.php so a "http" or "ftp" in the $page parameter should be blocked
the index isn't modified, phpbb is also installed an runs in an iframe. the site is www.spelunke.com
http://xpl.netmisphere2.com/cmd.gif
this isn't an image but a php-script, which was executed through cmsms or the smarty template engine. is it possible?
or how can i protect my server?
grebog
p.s. i have now modified the index.php so a "http" or "ftp" in the $page parameter should be blocked
Re: CMSMS Site Hacked
I did a similar test on my system here trying to get that to happen, and it doesn't. Not sure what's going on, but I will add code to sanitize any kind of http://, ftp:// stuff from page as well.
Has anyone else tried to duplicate this?
Has anyone else tried to duplicate this?
Re: CMSMS Site Hacked
I just ran some tests on a couple of sites that I'm working with that use 0.13
This was on 2 different sites on 2 different hosts. Bluehost and Network Solutions.
I get 404 responses, it doesn't seem to leave the domain, just checks against the database and handles from there.
-K
This was on 2 different sites on 2 different hosts. Bluehost and Network Solutions.
I get 404 responses, it doesn't seem to leave the domain, just checks against the database and handles from there.
-K
Re: CMSMS Site Hacked
I don't know the internals of CMSMS very well, but from what I've seen I'd have to say that script I think would have to be run locally and even then I wonder how far it would go. Anyone want to run a test? 
A thought would be to restrict php exectution in the uploads directory since thats about the only way to get something like that localized without having total access. This can be done with either apache configuration or a .htaccess pretty easily.
A thought would be to restrict php exectution in the uploads directory since thats about the only way to get something like that localized without having total access. This can be done with either apache configuration or a .htaccess pretty easily.
Re: CMSMS Site Hacked
I even made a test file that does the same sort of thing.
http://cmsmadesimple.org/test.gif
Basically, it should show that var_dump if it's getting executed somewhere. I'm not seeing it, even using customized 404 template/messages or commenting out the 404 code from index.php.
http://cmsmadesimple.org/test.gif
Basically, it should show that var_dump if it's getting executed somewhere. I'm not seeing it, even using customized 404 template/messages or commenting out the 404 code from index.php.
-
kevin360
Re: CMSMS Site Hacked
Tried it too on a csm-daily from a day or two ago, nothing happens except for a 404 Not Found.
-
Grebog
Re: CMSMS Site Hacked
Hello
ok, many thanks for your work.
i think, there was another program, that has the hole for the hack, but i don't know which one. i have 25 domains on my server and several installed programs. i.e. in a fckeditor template dir (in the cmsms modules dir), there were several evil scripts. the template dir has also the writeaccess for all (777)
i made nearly daily a system update. and i have renamed several tools like wget, lynx and so on. if i find out more, i will tell you.
until now i can't find any hacking in the access logs.
Grebog
ok, many thanks for your work.
i think, there was another program, that has the hole for the hack, but i don't know which one. i have 25 domains on my server and several installed programs. i.e. in a fckeditor template dir (in the cmsms modules dir), there were several evil scripts. the template dir has also the writeaccess for all (777)
i made nearly daily a system update. and i have renamed several tools like wget, lynx and so on. if i find out more, i will tell you.
until now i can't find any hacking in the access logs.
Grebog
