Page 2 of 2

Re: Hacking via SQL injection

Posted: Sun Apr 26, 2015 3:26 pm
by Rolf
And why does that coder think that? Based on what?

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 8:54 am
by burlington
Rolf wrote: And why does that coder think that? Based on what?
I have no idea! He uses CMSMS and can also write in php, which is more than I can!

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 9:03 am
by Rolf
Then we can't do a thing...

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 9:22 am
by burlington
Rolf wrote: Then we can't do a thing...
Point taken. I will ask him to give us chapter & verse.

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 4:13 pm
by janvl
Hi,

I have quite some experience with sites that run CMSMS and I do not know of sites that were hacked with a SQL-injection.

When you
- keep the site up to date
- follow the guidelines for a secure site
- have a hoster that has good security-policies

then CMSMS is pretty secure.

Much better than Wordpress, better than Joomla (I had 1 install hacked), in short better than most.

My guess from what you have written is a problem with the hoster, or your own install where permissions were not set strictly enough.

Did you also check if PHPMyAdmin was hacked? Some people just forget things like that.

Kind regards,
Jan

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 4:30 pm
by burlington
This hacker targeted 2 sites that are related, in the sense that they are about the same person's business. Same host, different accounts. Same hacker methodology. Changes user's email address, uses lost password facility, and then gets in to the CMS.
The passwords used for both the host and the CMS are 'high security'. 10-12 digit. Alpha numeric.
I can't see anything else.

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 5:27 pm
by janvl
You did not by accident leave in the news the name instead of the author-name? Because this is a weak spot.

Did you check your local PC? Maybe a keylogger or bot or so?

Regards,
Jan

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 5:50 pm
by burlington
janvl wrote: You did not by accident leave in the news the name instead of the author-name? Because this is a weak spot.
Jan- not too sure I understand this


janvl wrote: Did you check your local PC? Maybe a keylogger or bot or so?
- yes. Full protection. In any case for one of the hacked sites I have not been near it for a couple of years and neither has the site owner.

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 7:02 pm
by staartmees
If you haven't been near one of those sites for years, it was running on an old and unsafe core and modules.

Re: Hacking via SQL injection

Posted: Mon Apr 27, 2015 10:10 pm
by Dr.CSS
Is it on a shared host that might have a WP install on it or some other vulnerable system, if the sites have been upgraded to the latest CMSMS and the modules are all up to date there is a chance that another site has let someone into the server...

Re: Hacking via SQL injection

Posted: Sat May 02, 2015 3:59 pm
by janvl
"weak spot"

In the summarytemplate

$entry->author

should be

$entry->authorname

then $entry->author reveals the name of the CMSMS user that can log in

Kind regards,
Jan
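As an added illustration of the weak spot Jan describes (a constructed example, not code from the post or from the CMSMS project), here is a minimal News summary template with the username-leaking line shown beside the corrected one; the surrounding markup and the use of $entry->title and $entry->summary are assumptions about the template layout:

```smarty
{* Constructed example of a CMSMS News summary template (not from the post). *}
{foreach from=$items item=entry}
  <div class="news-item">
    <h3>{$entry->title}</h3>

    {* Weak: $entry->author is the login username of the CMSMS account that
       created the article, so every visitor learns a valid admin login. *}
    {* <p class="meta">Posted by {$entry->author}</p> *}

    {* Corrected: $entry->authorname is the display name and reveals no login. *}
    <p class="meta">Posted by {$entry->authorname}</p>

    <p>{$entry->summary}</p>
  </div>
{/foreach}
```

A quick check is to search every News template for the string $entry->author that is not followed by "name", and to review the rendered public pages for any text matching an admin username.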

Re: Hacking via SQL injection

Posted: Sat May 02, 2015 4:55 pm
by burlington
Thank you. Very helpful.

Martin