Hacking via SQL injection

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Hacking via SQL injection

Post by burlington »

Two sites, related only because they have the same owner, have been hacked. The hacker only changes the Admin user's password in the database, which means of course that he can then use the 'lost password' facility to get into the CMS.
The website host says: 'DB change probably was done through some DB injection and not from the cPanel.'
The host also says: 'SQL injection targets the data residing in the database. It attempts to modify the parameters of a web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. Exploits usually occur due to coding errors as well as inadequate validation checks. In order to prevent this from happening again, I recommend making sure that all website software is kept up to date.'

One of the hacked sites is running the latest version of CMSMS. The other one an earlier version.

One way of stopping this sort of event, I suppose, is to disable the 'lost password' facility, but how to do this and the implications of doing it are outside my 'pay grade'.

Any advice please would be appreciated. Thank you.

Martin
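Added example (not from this thread and not CMS Made Simple's own code): the host's description of SQL injection, made concrete. Python's sqlite3 stands in for MySQL, and the table and column names are assumptions. A hypothetical 'update my e-mail address' handler concatenates the submitted username into its UPDATE statement, so a crafted username widens the WHERE clause to every row and the attacker's address lands on the admin account as well. That matches the outcome described in the first post: the admin record is altered in the database, and the 'lost password' facility then hands the account over. The second handler passes the same input as a bound parameter and changes nothing.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a CMS user table (names are assumptions).
SEED_USERS = [
    ("admin", "admin@example.invalid", "hash-of-admin-password"),
    ("editor", "editor@example.invalid", "hash-of-editor-password"),
]


def make_db():
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password) VALUES (?, ?, ?)", SEED_USERS
    )
    conn.commit()
    return conn


def set_email_vulnerable(conn, username, new_email):
    """Hypothetical 'update my e-mail' handler that splices request parameters
    into the statement text. Returns the number of rows it changed."""
    sql = "UPDATE users SET email = '%s' WHERE username = '%s'" % (new_email, username)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_email_safe(conn, username, new_email):
    """Same operation with bound parameters: the input travels as data, so a
    quote inside it cannot change the statement's structure."""
    cur = conn.execute(
        "UPDATE users SET email = ? WHERE username = ?", (new_email, username)
    )
    conn.commit()
    return cur.rowcount


def emails(conn):
    """Map username -> email so the effect of each handler can be inspected."""
    return dict(conn.execute("SELECT username, email FROM users"))


# Crafted 'username' parameter: the quote closes the literal and the OR makes the
# WHERE clause true for every row, including the admin account.
PAYLOAD = "editor' OR '1'='1"
ATTACKER = "attacker@evil.invalid"

if __name__ == "__main__":
    db = make_db()
    changed = set_email_vulnerable(db, PAYLOAD, ATTACKER)
    print("vulnerable handler changed %d rows: %s" % (changed, emails(db)))
    db = make_db()
    changed = set_email_safe(db, PAYLOAD, ATTACKER)
    print("parameterised handler changed %d rows: %s" % (changed, emails(db)))
```

The PHP equivalent of set_email_safe is a prepared statement with bound parameters (mysqli or PDO); escaping quotes by hand is not a substitute. The same splice in a SELECT gives the classic login bypass, so when auditing a site every query that builds its text from request parameters is in scope, not only the ones that touch passwords.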
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Hacking via SQL injection

Post by Rolf »

Just curious, is the admin login name like "john" and the mail address like "john@domain.com"?
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Jos
Support Guru
Posts: 4020
Joined: Wed Sep 05, 2007 8:03 pm

Re: Hacking via SQL injection

Post by Jos »

burlington wrote:One way of stopping this sort of event I suppose is to disable the 'lost password' facility
No, this will not help prevent SQL injection or its consequences.
burlington wrote:One of the hacked sites is running the latest version of CMSMS. The other one an earlier version.
By far not enough information. You might start with providing the full system info for both sites. And even then there will be thousands of other questions that can be asked before anyone can guess how it happened.
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

Thank you.

The site that runs on 1.11.13 has the system info:

----------------------------------------------

Cms Version: 1.11.13

Installed Modules:

CMSMailer: 5.2.2
CMSPrinting: 1.0.5
FileManager: 1.4.5
MenuManager: 1.8.6
MicroTiny: 1.2.9
ModuleManager: 1.5.8
News: 2.15
Search: 1.7.12
ThemeManager: 1.1.8
FormBuilder: 0.8.1.1
Captcha: 0.5.2
CGExtensions: 1.38.1
SiteMapMadeSimple: 1.2.7
Showtime: 3.4
TinyMCE: 2.9.12
JQueryTools: 1.2.5
CGSimpleSmarty: 1.7
Products: 2.19.6


Config Information:

php_memory_limit:
process_whole_template:
max_upload_size: 2000000
url_rewriting: none
page_extension:
query_var: page
image_manipulation_prog: GD
auto_alias_content: true
locale:
default_encoding: utf-8
admin_encoding: utf-8
set_names: true


Php Information:

phpversion: 5.4.19
md5_function: On (True)
gd_version: 2
tempnam_function: On (True)
magic_quotes_runtime: Off (False)
E_STRICT: 2048
E_DEPRECATED: 0
memory_limit: 256M
max_execution_time: 30
output_buffering: On
safe_mode: Off (False)
file_uploads: On (True)
post_max_size: 8M
upload_max_filesize: 2M
session_save_path: /tmp (1777)
session_use_cookies: On (True)
xml_function: On (True)
xmlreader_class: On (True)


Server Information:

Server Api: cgi-fcgi
Server Db Type: MySQL (mysqli)
Server Db Version: 5.5.40
Server Db Grants: Found a "GRANT ALL" statement that appears to be suitable
Server Time Diff: No filesystem time difference found


________________________________________
and the site that uses 1.11.7 has:

---------------------------------------------

Cms Version: 1.11.7

Installed Modules:

CMSMailer: 5.2.1
CMSPrinting: 1.0.4
FileManager: 1.4.3
MenuManager: 1.8.5
MicroTiny: 1.2.5
ModuleManager: 1.5.5
News: 2.12.12
Search: 1.7.8
ThemeManager: 1.1.8
TinyMCE: 2.9.12
FormBuilder: 0.7.4
CGExtensions: 1.38
SiteMapMadeSimple: 1.2.7
Showtime: 3.3
Album: 1.10.3
Captcha: 0.4.6
Gallery: 1.6.1


Config Information:

php_memory_limit:
process_whole_template:
max_upload_size: 2000000
url_rewriting: none
page_extension:
query_var: page
image_manipulation_prog: GD
auto_alias_content: true
locale:
default_encoding: utf-8
admin_encoding: utf-8
set_names: true


Php Information:

phpversion: 5.4.19
md5_function: On (True)
gd_version: 2
tempnam_function: On (True)
magic_quotes_runtime: Off (False)
E_STRICT: 2048
E_DEPRECATED: 0
memory_limit: 256M
max_execution_time: 30
output_buffering: On
safe_mode: Off (False)
file_uploads: On (True)
post_max_size: 8M
upload_max_filesize: 2M
session_save_path: /tmp (1777)
session_use_cookies: On (True)
xml_function: On (True)
xmlreader_class: On (True)


Server Information:

Server Api: cgi-fcgi
Server Db Type: MySQL (mysqli)
Server Db Version: 5.5.40
Server Db Grants: Found a "GRANT ALL" statement that appears to be suitable


----------------------------------------------
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

Rolf wrote:Just curious, is the admin login name like "john" and the mail address like "john@domain.com"?
Thank you
No. The admin user's name is nothing like a personal name and the @ address bears no relationship to the domain name.

Regards

Martin
Jos
Support Guru
Posts: 4020
Joined: Wed Sep 05, 2007 8:03 pm

Re: Hacking via SQL injection

Post by Jos »

CMS version: 1.11.13 is NOT the latest version 8)
1.12 has some security fixes
Jo Morg
Dev Team Member
Posts: 1973
Joined: Mon Jan 29, 2007 4:47 pm

Re: Hacking via SQL injection

Post by Jo Morg »

burlington wrote:Two sites, related only because they have the same owner, have been hacked. The hacker only changes the Admin users. password in the database which means of course that he can then use the 'lost password' facility to get in to the CMS.
The two sites reside on the same host, server and probably under the same account? Are there any other scripts installed other than CMSMS on that account/s?
burlington wrote:The website host says: 'DB change probably was done through some DB injection and not from the cPanel.'
The host also says: 'SQL injection targets the data residing in the database. It attempts to modify the parameters of a web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. Exploits usually occur due to coding errors as well as inadequate validation checks. In order to prevent this from happening again, I recommend making sure that all website software is kept up to date.'
Probably but not surely. There are other ways to get hold of sensitive data and access the database.
Jos wrote:
burlington wrote:One way of stopping this sort of event I suppose is to disable the 'lost password' facility
No, this will not help prevent SQL injection or its consequences.
As Jos implied, to be able to make use of the 'lost password' facility for this, the database must be compromised first, and that is what needs to be stopped.
Once you have updated and fixed the sites (hopefully you have full periodic backups), I recommend changing all passwords, including the cPanel ones (access to cPanel can also have been compromised), and the FTP ones too if used. There are too many ways to get hold of sensitive data to be sure that this was just an SQL injection issue.
Besides, CMSMS has been tested, and has mechanisms to sanitize user input, which are also available to 3rd party modules.
We still need to be able to reproduce this to be able to assess if it is a CMSMS issue, and be able to fix it in case it is.
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

Jos wrote:CMS version: 1.11.13 is NOT the latest version 8)
1.12 has some security fixes
Ok point taken BUT it is new enough for the moment.
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

Jo Morg wrote:
burlington wrote:Two sites, related only because they have the same owner, have been hacked. The hacker only changes the Admin users. password in the database which means of course that he can then use the 'lost password' facility to get in to the CMS.
The two sites reside on the same host, server and probably under the same account? Are there any other scripts installed other than CMSMS on that account/s?
burlington wrote:The website host says: 'DB change probably was done through some DB injection and not from the cPanel.'
The host also says: 'SQL injection targets the data residing in the database. It attempts to modify the parameters of a web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. Exploits usually occur due to coding errors as well as inadequate validation checks. In order to prevent this from happening again, I recommend making sure that all website software is kept up to date.'
Probably but not surely. There are other ways to get hold of sensitive data and access the database.
Jos wrote:
burlington wrote:One way of stopping this sort of event I suppose is to disable the 'lost password' facility
No, this will not help prevent SQL injection or its consequences.
As Jos implied, to be able to make use of the 'lost password' facility for this, the database must be compromised first, and that is what needs to be stopped.
Once you have updated and fixed the sites (hopefully you have full periodic backups), I recommend changing all passwords, including the cPanel ones (access to cPanel can also have been compromised), and the FTP ones too if used. There are too many ways to get hold of sensitive data to be sure that this was just an SQL injection issue.
Besides, CMSMS has been tested, and has mechanisms to sanitize user input, which are also available to 3rd party modules.
We still need to be able to reproduce this to be able to assess if it is a CMSMS issue, and be able to fix it in case it is.
All passwords have been changed. What next please?
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

As an alternative solution, I have been told today by a coder that the CMSMS 'contact form' system is vulnerable.

Any news on this?

Again, another thing beyond my 'pay grade'. Perhaps the solution to this is to use a 3rd party contact form.

Martin
Jo Morg
Dev Team Member
Posts: 1973
Joined: Mon Jan 29, 2007 4:47 pm

Re: Hacking via SQL injection

Post by Jo Morg »

burlington wrote:As an alternative solution, I have been told today by a coder that the CMSMS 'contact form' system is vulnerable.

Any news on this?
IIRC it was removed from the core a long time ago. So yeah, look for alternatives. Actually, as you have FormBuilder installed, why not use it for a contact form? Can't get any simpler than using its sample template...
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

Jo Morg wrote:
burlington wrote:As an alternative solution, I have been told today by a coder that the CMSMS 'contact form' system is vulnerable.

Any news on this?
IIRC it was removed from the core a long time ago. So yeah look for alternatives. Actually as you have FormBuilder installed, why not use it for a contact form?
Thanks BUT it is installed AND was used to create the form.
Jo Morg
Dev Team Member
Posts: 1973
Joined: Mon Jan 29, 2007 4:47 pm

Re: Hacking via SQL injection

Post by Jo Morg »

burlington wrote:
Jo Morg wrote:
burlington wrote:As an alternative solution, I have been told today by a coder that the CMSMS 'contact form' system is vulnerable.

Any news on this?
IIRC it was removed from the core a long time ago. So yeah look for alternatives. Actually as you have FormBuilder installed, why not use it for a contact form?
Thanks BUT it is installed AND was used to create the form.
You really have to be explicit and clear with the info you provide.
burlington wrote:I have been told today by a coder that the CMSMS 'contact form' system is vulnerable.
If by "the CMSMS 'contact form'" you mean Form Builder then:
  1. Form Builder is not a CMSMS core module;
  2. You need to upgrade it to the latest version in any case (the one with version 0.7.4 as it is buggy and unstable, but not insecure afaik);
  3. Stating that "a coder said that...." has absolutely no meaning nor does it help fixing any potential issue that might exist;
  4. From the number of downloads of Form Builder you would expect more security reports if it was insecure (actually that is also true regarding CMSMS);
So far my recommendations are the same:
- Recover from a backup;
- Update core and 3rd party modules;
- Change all pertinent credentials;
- Look for other potential open doors;
- Take further steps to secure CMSMS: http://docs.cmsmadesimple.org/general-i ... ring-cmsms;
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am

Re: Hacking via SQL injection

Post by Rolf »

burlington wrote:As an alternative solution, I have been told today by a coder that the CMSMS 'contact form' system is vulnerable.
There are several third party contact forms you can use within the CMSMS core. Unless we know which one this is, we can't help...
burlington
Power Poster
Posts: 444
Joined: Wed Dec 27, 2006 5:15 pm

Re: Hacking via SQL injection

Post by burlington »

Rolf wrote:There are several third party contact forms you can use within the CMSMS core. Unless we know which one this is, we can't help...
The version is:

Formbuilder 0.8.1.1