
SilverStripe Forums » Blog Module » Posted Spam -> Blog module hacked!

  • Fuzz10
    Community Member
    786 Posts

    Re: Posted Spam -> Blog module hacked!

    Hmmm... that is interesting. ;-)

    Thanks for the quick fix Banal !

  • banal
    Community Member
    901 Posts

    Re: Posted Spam -> Blog module hacked!

    Hi cliersch

    The patch fixes the issue for the version in trunk. In trunk, there's a helper method called IsOwner that checks for permissions, while in the official release, Permission::check('ADMIN') was used.
    They do more or less the same thing.

    If you have the IsOwner method in your BlogHolder class, then you should be safe to apply the patch I provided. If you want to check the vulnerability, go ahead... use this file I attached (it's a simple html form. You should replace http://SomeSilverStripeBlogSite.com in the source code with your website http://nestbau.info/). Using this form, you can send blog posts to your site without logging in.
    If you apply the patch, this is no longer possible.
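
The pattern banal describes, written out as an added illustration (this is not the blog module's own code, and the controller, method and field names below are simplified assumptions rather than the module's real ones): a form action that writes a BlogEntry straight from submitted data, beside the same action gated by the Permission::check('ADMIN') test used in the 0.2.0 release. The point the attached HTML form makes is that the check has to sit in the server-side action that performs the write; a check that only decides whether to render the form is bypassed entirely, because the attacker submits their own form.

```php
<?php
// Added example, not the blog module's code. Assumes a SilverStripe 2.x style
// page controller and a BlogEntry data object with Title/Content fields; the
// action names (postblog_unchecked, postblog) are hypothetical.

class BlogHolder_Controller extends Page_Controller {

    // VULNERABLE shape (what the thread reports): the action never asks who is
    // calling. Any HTTP POST that reaches it, including one from a form hosted
    // on a completely different site, creates and publishes an entry.
    function postblog_unchecked($data, $form) {
        $entry = new BlogEntry();
        $form->saveInto($entry);           // copy Title, Content, ... from the request
        $entry->ParentID = $this->ID;      // file it under this BlogHolder
        $entry->write();
        $entry->publish('Stage', 'Live');  // goes live immediately
        Director::redirectBack();
    }

    // FIXED shape: refuse before touching the database unless the current
    // member passes the permission check. 0.2.0 used Permission::check('ADMIN');
    // trunk used an IsOwner() helper that, per the thread, does much the same.
    function postblog($data, $form) {
        if (!Permission::check('ADMIN')) {
            // No session, or a session without ADMIN: stop here. permissionFailure
            // sends the visitor to the login page instead of performing the write.
            return Security::permissionFailure($this);
        }

        $entry = new BlogEntry();
        $form->saveInto($entry);
        $entry->ParentID = $this->ID;
        $entry->write();
        $entry->publish('Stage', 'Live');
        Director::redirectBack();
    }

    // NOT sufficient on its own: gating only the form's display. A visitor who
    // is denied the form can still POST to the action above with a hand-made
    // form, which is exactly what the attached HTML file demonstrates.
    function BlogEntryForm() {
        if (!Permission::check('ADMIN')) return false;
        return new Form($this, 'BlogEntryForm',
            new FieldSet(new TextField('Title'), new TextareaField('Content')),
            new FieldSet(new FormAction('postblog', 'Post')));
    }
}
```

To confirm a site is fixed after patching, do what cliersch did with banal's form: submit the post action from a fresh browser session with no login and verify that it redirects to the login page and that no new entry appears under the blog holder, rather than only checking that the form is hidden from anonymous visitors.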

  • cliersch
    Community Member
    75 Posts

    Re: Posted Spam -> Blog module hacked!

    Hi banal! Thank you very much for the quick help! I checked the website with your HTML post form. It is secured! Postings like these are no longer allowed! Great work!
    I'm going to update all our sites now...
    Guess this is going to be part of the next blog release.

  • banal
    Community Member
    901 Posts

    Re: Posted Spam -> Blog module hacked!

    Oh dear. Out of curiosity I checked if this works with silverstripe.com and indeed it did...
    http://www.silverstripe.com/blog/

    Crap!
    Some admin fix this please... and remove my "proof of concept" html file, as it would probably do more harm than good.

  • Fuzz10
    Community Member
    786 Posts

    Re: Posted Spam -> Blog module hacked!

    Whoops... did you mail SilverStripe about this already?

  • banal
    Community Member
    901 Posts

    Re: Posted Spam -> Blog module hacked!

    Yeah... I tried to get in touch with them. But most likely they're all sleeping :/

  • Double-A-Ron
    Community Member
    603 Posts

    Re: Posted Spam -> Blog module hacked!

    Ouch. Well at least it was finally caught before rampant damage was caused.

    Can I suggest Banal's fix be put in the "Announcements" section of the "Blog Module" forum, with a link to this thread?

    Well done guys and gals.

    Cheers
    Aaron

  • Sam
    Administrator
    679 Posts

    Re: Posted Spam -> Blog module hacked!

    Hi everyone,

    Thanks for everyone's help in getting to the bottom of this issue. We have committed a fix for this to the SVN trunk of blog. If you are using trunk, the best thing to do now is to update to the latest revision of trunk - r81263.

    For those of you on version 0.2.0 of blog, we will be releasing an 0.2.1 release in the next few hours. The 0.2.1 release will be the same as 0.2.0 except for this fix.

    Thanks,
    Sam
