
Security information and fix for Exponent 0.96.6 and 0.97
neryo
Posted on 02/19/10 06:06:03
Number of posts: 57
www.syncronika.it www.neryo.com www.programmazione-web.com
neryo posts:

hi all,

In this period Exponent CMS is under hacker attack. Here I would like to inform the community that there is important information to be considered in order to preserve the security of our preferred CMS.

  • enable only the modules that you are really using
  • during installation, do not use the default prefix for database tables (it would be great to insert a generator of dynamic database prefixes)


And in articlemodule/actions/view_article.php there is a bug that permits a hacker to execute arbitrary SQL code.

replace this code

$article = $db->selectObject("article","id=".$_GET['id']); // vulnerable: the raw query-string value is concatenated into the SQL WHERE clause

to

$article = $db->selectObject("article","id=".intval($_GET['id'])); // fixed: intval() reduces the value to a single integer before it reaches the query

Through this bug the hackers can do a simple injection using a UNION string and take out the password hashes....

For now it's all!

neryo
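As an added example (not code from the original post or from Exponent CMS), the following PHP script shows what the two lines above hand to the database: the raw string is interpolated unchanged, while intval() keeps only a leading integer and turns anything else into 0. The helper names and the article table are assumptions, and the last part goes beyond the thread's fix by using a PDO prepared statement against an in-memory SQLite table, which needs the pdo_sqlite extension.

```php
<?php
// Added example, not Exponent's code. Mirrors the vulnerable and fixed lines from
// view_article.php to show what selectObject() receives as its WHERE clause.

// Mirrors the vulnerable line: the raw query-string value is concatenated into SQL.
function where_clause_vulnerable(string $rawId): string
{
    return "id=" . $rawId;
}

// Mirrors the fix: intval() keeps a leading integer only; non-numeric input becomes 0.
function where_clause_fixed(string $rawId): string
{
    return "id=" . intval($rawId);
}

// Beyond the thread's fix: a parameterised query never interpolates the value at all,
// so the database sees a bound integer, not a fragment of SQL text.
function fetch_article(PDO $db, string $rawId): ?array
{
    $stmt = $db->prepare("SELECT id, title FROM article WHERE id = :id");
    $stmt->bindValue(':id', intval($rawId), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, a tampered id (placeholder text stands in for
// whatever an attacker appends), and a non-numeric value.
$inputs = ['42', '42 <text appended by an attacker>', 'abc'];
foreach ($inputs as $in) {
    printf("%-40s vulnerable: %-45s fixed: %s\n",
        var_export($in, true), where_clause_vulnerable($in), where_clause_fixed($in));
}

// Constructed table so the prepared-statement version runs offline.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO article (id, title) VALUES (42, 'Hello world')");
var_dump(fetch_article($db, '42'));
var_dump(fetch_article($db, 'abc'));
```

Running it shows that the fixed clause is always of the form id=<integer>, whatever the input contained, and that a value such as 'abc' simply selects nothing because intval('abc') is 0. The prepared statement is the approach to prefer for new code, since it protects every parameter type, not only integers.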


 



 

Replies:

Untitled Post
tesmar
Posted on 02/19/10 08:16:13
Number of posts: 25
tesmar replies:

Does this affect 2.0?



Untitled Post
neryo
Posted on 02/19/10 10:10:09
Number of posts: 57
www.syncronika.it www.neryo.com www.programmazione-web.com
neryo replies:

quote:

Does this affect 2.0?

I don't know, try to check the code...



Untitled Post
bobcoder
Posted on 02/19/10 10:28:02
Number of posts: 180
http://www.exponentcmsthemes.com A call to create/modify css themes for Exponent CMS
bobcoder replies:

Hi All

I've been looking into this myself. The suggested fix is what is needed; however, I wish to add something else here: PASSWORDS!

The people behind this only seem to use this hack when they search for new sites ('My new Exponent site' etc.).

http://www.google.com.sa/search?hl=ar&safe=active&client=firefox-a&rls=org.mozilla:ar:official&hs=qL5&q=%22my+new+exponent+site%22&start=10&sa=N according to my server logs anyway. They then go to www.example.com/login.php and try their luck with admin/admin etc., then pass in the info to the URL to inject the code.


There are many sites out there that keep a huge list of passwords and their MD5 equivalents. It doesn't take a genius to find and use these; just ask Google for MD5 reverse passwords and you'll get a hundred sites offering this, so... if you have weak passwords, change them. That goes for database passwords, admin passwords and FTP.

I know that there are a lot of people out there working on supplying the fix/patch for this as we speak. However, in the meantime please be as secure as possible with your passwords and code. What has been suggested at the top of this post is excellent, and with a combination of both suggestions here it will secure your site against this sort of hack.

Just a bit more info on it really.

Rob



Untitled Post
bobcoder
Posted on 02/19/10 10:35:04
Number of posts: 180
http://www.exponentcmsthemes.com A call to create/modify css themes for Exponent CMS
bobcoder replies:

Sorry.... just to add to the above. See how they are using a union to extract the username and password.... once they have this they can then go and get the reverse MD5 if it's an EASY password. :-)

That's me out now.

Rob



Untitled Post
neryo
Posted on 02/19/10 10:46:37
Number of posts: 57
www.syncronika.it www.neryo.com www.programmazione-web.com
neryo replies:

quote:

Sorry.... just to add to the above. See how they are using a union to extract the username and password.... once they have this they can then go and get the reverse MD5 if it's an EASY password. :-)

That's me out now.

Rob

 

It's right to share the fix for the hack, not to write how to hack an Exponent web site....

 

remove this link please.. ;)

 



Untitled Post
bobcoder
Posted on 02/19/10 10:48:55
Number of posts: 180
http://www.exponentcmsthemes.com A call to create/modify css themes for Exponent CMS
bobcoder replies:

quote:

 

It's right to share the fix for the hack, not to write how to hack an Exponent web site....

 

remove this link please.. ;)

 

Hi

Shoot, yeah, sorry, it's gone. Got carried away trying to explain :-)

Rob



Untitled Post
oicadmin
Exponent Foo Master
Posted on 02/19/10 20:12:26
Number of posts: 92
Fred Dirkse OIC Group, Inc. - Web Design, Web Hosting, and ExponentCMS Support & Customizations.
oicadmin replies:

Here is a quick and dirty fix for the current issues.
In 2.0 and .97 sites, open your index.php and find:
$router->routeRequest();

Add this right underneath:

foreach ($_GET as $key => $gp)
{
    // force the 'id' query-string parameter to an integer before any module reads it
    if ($key == 'id') $_GET[$key] = intval($gp);
}

I'm not sure of the ideal place to put it in a 96.3 install, but perhaps someone can work that out and post.

You could also just check for $_GET['id'] isset and !is_numeric and intval it if true.

Ideally, we need to sanitize all input throughout the system. It is in many places, but obviously not in others. This should help for the time being though.



Untitled Post
oicadmin
Exponent Foo Master
Posted on 02/20/10 01:58:53
Number of posts: 92
Fred Dirkse OIC Group, Inc. - Web Design, Web Hosting, and ExponentCMS Support & Customizations.
oicadmin replies:

You can use this also, which I think is a bit more efficient:

if (isset($_GET['id']) && !is_numeric($_GET['id'])) $_GET['id'] = intval($_GET['id']); // coerce a non-numeric 'id' to an integer
 

If your index.php file has a $router->routeRequest() call in it, place that line right below it.

If it's an older install and does not have the router object, then put that line right below the include for exponent.php.
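As an added example (not code from the original post or from Exponent CMS), here is the same idea as the index.php snippets above, generalised to a list of parameters that must be integers, plus a short check of how is_numeric() and intval() treat edge-case values. The function name and the request array are constructed for the demonstration.

```php
<?php
// Added example, not Exponent's code: a front-controller style sanitiser in the spirit
// of the index.php one-liner above, extended to any set of integer-only parameters.

/**
 * Return a copy of $params in which every key listed in $integerKeys has been cast
 * with intval(). Keys that are absent stay absent; keys not listed are untouched.
 */
function coerce_integer_params(array $params, array $integerKeys): array
{
    foreach ($integerKeys as $key) {
        if (array_key_exists($key, $params)) {
            // intval() keeps only a leading integer (or yields 0), so the value can
            // no longer carry SQL text when a module concatenates it into a query.
            $params[$key] = intval($params[$key]);
        }
    }
    return $params;
}

// Constructed request for the demonstration (stands in for $_GET).
$get = [
    'id'     => '12 <text appended by an attacker>', // tampered integer parameter
    'page'   => '3',                                 // well-formed integer parameter
    'src'    => 'abc',                               // integer parameter with no digits
    'action' => 'view',                              // not an integer parameter, left as-is
];

$clean = coerce_integer_params($get, ['id', 'page', 'src']);
var_dump($clean);

// Why the is_numeric() guard in the thread is optional: intval() is already a no-op on
// a plain integer string, so applying it unconditionally costs nothing, and it also
// normalises values that is_numeric() accepts but that are not plain integers,
// such as a leading space or a decimal fraction (intval('1.5') is 1).
foreach (['7', ' 7', '1.5', '1e3'] as $v) {
    printf("%-6s is_numeric=%-5s intval=%d\n",
        var_export($v, true), is_numeric($v) ? 'true' : 'false', intval($v));
}
```

In a real install the call would be coerce_integer_params($_GET, [...]) with the result assigned back to $_GET right after $router->routeRequest(), as the post describes. The broader lesson stands regardless of where the line goes: coercing at the entry point is a stopgap, and each module should still validate or bind its own parameters.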

 

 



Untitled Post
neryo
Posted on 02/20/10 03:39:59
Number of posts: 57
www.syncronika.it www.neryo.com www.programmazione-web.com
neryo replies:

quote:

You can use this also, which I think is a bit more efficient:

if (isset($_GET['id']) && !is_numeric($_GET['id'])) $_GET['id'] = intval($_GET['id']); // coerce a non-numeric 'id' to an integer
 

If your index.php file has a $router->routeRequest() call in it, place that line right below it.

If it's an older install and does not have the router object, then put that line right below the include for exponent.php.

 

 

yes, good idea!



Untitled Post
bobcoder
Posted on 02/20/10 04:12:00
Number of posts: 180
http://www.exponentcmsthemes.com A call to create/modify css themes for Exponent CMS
bobcoder replies:

Hi

Implemented this on my production sites now and can't replicate the hack on my test sites. Going through all the modules now for a belt and braces approach.

Rob



$user variable test
shote
Posted on 02/22/10 04:25:01
Number of posts: 18
Let the Source be with you!
shote replies:

And I think it is much better to use the exponent_users_isLoggedIn() function for testing whether there is a proper $user variable set, instead of a simple "if ($user) { .... ".



SQL Injection...

chloe
Posted on 02/28/10 15:26:24
Number of posts: 1
chloe replies:

Thanks for that.  I was worried about hacks with SQL. 



Need some clarification
BJKline
Posted on 03/30/10 09:36:37
Number of posts: 61
BJKline replies:

If I am understanding these posts, I need to add if (isset($_GET['id']) && !is_numeric($_GET['id'])) $_GET['id'] = intval($_GET['id']); below $router->routeRequest(); in index.php. Also, table prefixes should be something other than exponent. Is there a quick way to rename all the tables in my database? Or do I have to rename them all one at a time? I did them one at a time on my test install using phpMyAdmin. I have 4 other production sites to fix, so I would like to find the best way to fix these issues.



Untitled Post
neryo
Posted on 04/03/10 06:58:44
Number of posts: 57
www.syncronika.it www.neryo.com www.programmazione-web.com
neryo replies:

quote:

If I am understanding these posts, I need to add if (isset($_GET['id']) && !is_numeric($_GET['id'])) $_GET['id'] = intval($_GET['id']); below $router->routeRequest(); in index.php. Also, table prefixes should be something other than exponent. Is there a quick way to rename all the tables in my database? Or do I have to rename them all one at a time? I did them one at a time on my test install using phpMyAdmin. I have 4 other production sites to fix, so I would like to find the best way to fix these issues.

For renaming the table prefix you can use this script: ruleant.blogspot.com/2009/03/rename-multiple-tables-in-mysql.html


I have already tested it and it works fine..

bye

neryo



Untitled Post
BJKline
Posted on 04/06/10 22:22:11
Number of posts: 61
BJKline replies:

quote:

For renaming the table prefix you can use this script: ruleant.blogspot.com/2009/03/rename-multiple-tables-in-mysql.html


I have already tested it and it works fine..

bye

neryo

Thanks for that link. I just tried it and it works great!



