CMS Builder Security?
2 posts by 2 authors in: Forums > CMS Builder
Last Post: November 17, 2008 (RSS)
We recently received an email from "The Honeypot Project" (http://rfih.1durch0.de/index.php) who collect information about online attacks and notify the site owners. They informed us that one of our sites (using CMS Builder) has been compromised and we should remove the following file:
http://shalonprice.com/cmsAdmin/uploads/thumb/bo.do?
It looks like someone was able to get in and upload something. The file has been deleted, but we would like to prevent anything like this from happening in the future. Is there any type of security issues to be concerned about? Or is there any other information about how this could have happened?
Thanks!
http://shalonprice.com/cmsAdmin/uploads/thumb/bo.do?
It looks like someone was able to get in and upload something. The file has been deleted, but we would like to prevent anything like this from happening in the future. Is there any type of security issues to be concerned about? Or is there any other information about how this could have happened?
Thanks!
Re: [KaboomJk] CMS Builder Security?
By Dave - November 17, 2008
Hi KaboomJk,
If you could email me any more information about that (to dave@interactivetools.com) I'd be happy to take a look.
Looking at the projects website that you linked to it looks like they mostly collect information on RFI attacks, which you can read able on Wikipedia here: http://en.wikipedia.org/wiki/Remote_File_Inclusion
I can't think of any way they would have got in through CMS Builder directly. CMS Builder limits what file extensions can be uploaded through the program. But it does require an upload directory that is writable and making it writable to one web app on your site typically makes it writable to any web app on your site so the /thumb/ directory would make sense as a writable dir for someone to try and hide something in.
I'd check for other scripts that you might have on the site that could have been compromised. Consider upgrading to the latest versions.
Also check your coding that you are escaping or checking any user input (data from forms or urls) that you are passing to PHP or MySQL. So for example if you have code like this:
mysite.com/viewer.php?file=detail.php
<?php include $_REQUEST['file'] ?>
That's an easy entry point because they can pass any filename they like to include and display other files.
Hope that helps. Let me know if you have any other questions or what you find out about what happened.
If you could email me any more information about that (to dave@interactivetools.com) I'd be happy to take a look.
Looking at the projects website that you linked to it looks like they mostly collect information on RFI attacks, which you can read able on Wikipedia here: http://en.wikipedia.org/wiki/Remote_File_Inclusion
I can't think of any way they would have got in through CMS Builder directly. CMS Builder limits what file extensions can be uploaded through the program. But it does require an upload directory that is writable and making it writable to one web app on your site typically makes it writable to any web app on your site so the /thumb/ directory would make sense as a writable dir for someone to try and hide something in.
I'd check for other scripts that you might have on the site that could have been compromised. Consider upgrading to the latest versions.
Also check your coding that you are escaping or checking any user input (data from forms or urls) that you are passing to PHP or MySQL. So for example if you have code like this:
mysite.com/viewer.php?file=detail.php
<?php include $_REQUEST['file'] ?>
That's an easy entry point because they can pass any filename they like to include and display other files.
Hope that helps. Let me know if you have any other questions or what you find out about what happened.
Dave Edis - Senior Developer
interactivetools.com
interactivetools.com