
CMSMS Site Hacked

Posted: Mon Jul 17, 2006 3:58 pm
by Grebog
Hi
the following entry i found in the access log

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

it is simple to hack the server with an installed cmsms

i think it has to be fixed as soon as possible?

CMSMS Version 0.13 installed on a SUSE 10.0

kind regards
Grebog

p.s.
i already have had several alien files in the FCKEdit template directory of another domain with an also installed cmsms
but i deleted the files. i think it was another hacking.

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 4:27 pm
by Ted
And index.php hasn't been changed?  The page variable doesn't include or run anything.

What else do you have installed on the server?  phpbb or anything like that?

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 5:01 pm
by Grebog
hi

the index isn't modified, phpbb is also installed and runs in an iframe. the site is www.spelunke.com

http://xpl.netmisphere2.com/cmd.gif

this isn't an image but a php-script, which was executed through cmsms or the smarty template engine. is it possible?

or how can i protect my server?

grebog

p.s. i have now modified the index.php so a "http" or "ftp" in the $page parameter should be blocked

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 6:48 pm
by Ted
I did a similar test on my system here trying to get that to happen, and it doesn't.  Not sure what's going on, but I will add code to sanitize any kind of http://, ftp:// stuff from page as well.

Has anyone else tried to duplicate this?
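
An added example, not part of the original thread and not CMSMS code: one way to review an access log for the kind of request discussed above, where a query parameter such as `page` carries an `http://` or `ftp://` URL. The log lines, addresses and host name are constructed, and the function names are hypothetical. The scan decodes percent-encoding before matching and looks for a scheme rather than the bare substring "http", so a value like `httpd-docs` is not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Client address, request target and status from a common/combined log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# A remote scheme anywhere in a decoded parameter value.
SCHEME_RE = re.compile(r'(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2006:15:02:11 +0200] "GET /index.php?page=http://files.example.invalid/cmd.gif HTTP/1.1" 404 512',
    '192.0.2.10 - - [17/Jul/2006:15:02:14 +0200] "GET /index.php?page=%2566tp%3A%2F%2Ffiles.example.invalid%2Fcmd.gif HTTP/1.1" 404 512',
    '198.51.100.7 - - [17/Jul/2006:15:03:40 +0200] "GET /index.php?page=news HTTP/1.1" 200 8431',
    '198.51.100.7 - - [17/Jul/2006:15:03:52 +0200] "GET /index.php?page=contact&ref=httpd-docs HTTP/1.1" 200 6120',
    'not an access log line',
]


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2566tp) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_remote_include_probes(lines):
    """Return (client, param, decoded value, status) per suspicious parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(value)
            if SCHEME_RE.search(value):
                hits.append((client, name, value, status))  # status kept for triage
    return hits


if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE_LOG):
        print(hit)
```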

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 7:04 pm
by Kayin
I just ran some tests on a couple of sites that I'm working with that use 0.13

This was on 2 different sites on 2 different hosts. Bluehost and Network Solutions.

I get 404 responses, it doesn't seem to leave the domain, just checks against the database and handles from there.

-K

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 7:09 pm
by Kayin
I don't know the internals of CMSMS very well, but from what I've seen I'd have to say that script I think would have to be run locally and even then I wonder how far it would go. Anyone want to run a test? :)

A thought would be to restrict php execution in the uploads directory since that's about the only way to get something like that localized without having total access. This can be done with either apache configuration or a .htaccess pretty easily.

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 7:43 pm
by Ted
I even made a test file that does the same sort of thing.

http://cmsmadesimple.org/test.gif

Basically, it should show that var_dump if it's getting executed somewhere.  I'm not seeing it, even using customized 404 template/messages or commenting out the 404 code from index.php.

Re: CMSMS Site Hacked

Posted: Mon Jul 17, 2006 9:37 pm
by kevin360
Tried it too on a csm-daily from a day or two ago, nothing happens except for a 404 Not Found.

Re: CMSMS Site Hacked

Posted: Tue Jul 18, 2006 7:15 am
by Grebog
Hello

ok, many thanks for your work.

i think, there was another program, that has the hole for the hack, but i don't know which one. i have 25 domains on my server and several installed programs. i.e. in a fckeditor template dir (in the cmsms modules dir), there were several evil scripts. the template dir has also the write access for all (777)

i made nearly daily a system update. and i have renamed several tools like wget, lynx and so on. if i find out more, i will tell you.
until now i can't find any hacking in the access logs.

Grebog