
Blog Module

Discuss the Blog Module.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Posted Spam -> Blog module hacked!



35 Posts   4713 Views

Willr

7 July 2009 at 11:15am Forum Moderator, 5511 Posts

..... and you cannot create one by the "dev/build" way.

Yes, you most certainly can recreate admin members via dev/build if no members exist. You can even specify the username and password via dev/build?username=mynewuser&password=password.

I have no idea what else you can try apart from looking through the logs for the IP address, seeing who is doing it and blocking that IP. And is it only the blog module? They haven't added any pages elsewhere? What happens if you disable the blog module (or comment out the code which allows users to write blogs on the front end)?

Double-A-Ron

7 July 2009 at 11:57am (Last edited: 7 July 2009 11:57am), Community Member, 604 Posts

Hi cliersch,

Shot in the dark. But can you open up /mysite/_config.php and just make sure there isn't a line in there that looks like this:

Security::setDefaultAdmin('admin', 'password');

If it's there, delete it.

It really sounds like you need to check your server logs on this though. You need to find out what URL they are using to post these comments (if at all). Check the datestamp on the post and try to match it up with a time in your log; they should match.

Cheers
Aaron

banal

7 July 2009 at 6:28pm (Last edited: 7 July 2009 6:28pm), Community Member, 901 Posts

I tried logging in to the site using admin/password and that doesn't work. I also tried Willr's suggestion to create a new user. That didn't work either. Seems like the CMS is still protected...
Aaron made a very good suggestion though. Look up the blog post timestamps and compare them with your access log. One should be able to tell what URL was used to create the blog posts.

Still: I'd change all the passwords of your website: Control Panel, FTP, Database (and others that might exist). Use distinct and secure passwords (obviously).

cliersch

7 July 2009 at 10:19pm (Last edited: 7 July 2009 11:17pm), Community Member, 75 Posts

@Double-A-Ron
I have no DefaultAdmin set inside the config.

1. We use only SSH access to the server. I haven't found any suspicious files or new code there, just my SilverStripe and Blog Module.

2. This morning we checked the log files and found the entries for the latest spam (here are the last 3, posted from different IPs and browsers):

xx.xx.xxx.xx - - [07/Jul/2009:03:22:03 +0200] "POST /news/BlogEntryForm HTTP/1.1" 302 - "http://www.nestbau.info/news/post" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
yy.yy.yyy.yy - - [07/Jul/2009:06:19:47 +0200] "POST /news/BlogEntryForm HTTP/1.1" 302 - "http://www.nestbau.info/news/post" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)"
zzz.zzz.zzz.zzz - - [07/Jul/2009:09:04:51 +0200] "POST /news/BlogEntryForm HTTP/1.1" 302 - "http://www.nestbau.info/news/post" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"

Guess that means the entries are coming in via the URL: someone is able to execute the BlogEntryForm without permission!
That's a security problem of the blog module, or not?
What should I do to stop this?
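The timestamp matching Aaron and banal suggest, applied to log lines like the ones above, as an added example (not code from this thread or from the SilverStripe blog module). The log lines are constructed, modelled on cliersch's with documentation-range IPs in place of the masked ones; SPAM_CREATED stands in for the Created timestamps you would read from the unwanted BlogEntry rows in the database. Note that the Referer column is sent by the client and can be forged, so it is a clue, not proof.

```python
"""Correlate spam blog entries with POSTs to the blog form in an Apache access log.

Added example for this thread; not code from the original posts or from the
SilverStripe blog module. Sample data below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed log excerpt in Apache "combined" format, modelled on the thread's lines.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jul/2009:03:22:03 +0200] "POST /news/BlogEntryForm HTTP/1.1" 302 - "http://www.nestbau.info/news/post" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [07/Jul/2009:06:19:47 +0200] "POST /news/BlogEntryForm HTTP/1.1" 302 - "http://www.nestbau.info/news/post" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 1.0.3705)"
192.0.2.44 - - [07/Jul/2009:09:04:51 +0200] "POST /news/BlogEntryForm HTTP/1.1" 302 - "http://www.nestbau.info/news/post" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
192.0.2.44 - - [07/Jul/2009:09:04:52 +0200] "GET /news/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN)"
"""

CEST = timezone(timedelta(hours=2))
# Constructed: the Created column of the three spam BlogEntry rows, as the
# database would show it (a second or so after the request that wrote them).
SPAM_CREATED = [
    datetime(2009, 7, 7, 3, 22, 4, tzinfo=CEST),
    datetime(2009, 7, 7, 6, 19, 48, tzinfo=CEST),
    datetime(2009, 7, 7, 9, 4, 52, tzinfo=CEST),
]

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def form_posts(log_text, path="/news/BlogEntryForm"):
    """All POST requests to the blog entry form, in log order."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["method"] == "POST" and r["path"] == path]


def correlate(created_times, posts, window=timedelta(seconds=10)):
    """Map each spam entry's Created time to the form POST(s) within `window` of it.

    A one-to-one match shows the entries came in through the public form URL,
    not through a compromised CMS login or a direct database write.
    """
    return {t: [p for p in posts if abs(p["ts"] - t) <= window] for t in created_times}


def summarise(posts):
    """Indicators of a bot run: several IPs and user agents, the same Referer,
    and every request answered with the same 302 (the form accepted the post)."""
    return {
        "posts": len(posts),
        "distinct_ips": len({p["ip"] for p in posts}),
        "distinct_user_agents": len({p["ua"] for p in posts}),
        "all_redirected": all(p["status"] == 302 for p in posts),
    }


if __name__ == "__main__":
    hits = form_posts(SAMPLE_LOG)
    print(summarise(hits))
    for created, matched in correlate(SPAM_CREATED, hits).items():
        print(created.isoformat(), "<-", [(m["ip"], m["ts"].strftime("%H:%M:%S")) for m in matched])
```

Feed it the real access log with `form_posts(open("access.log").read())` and the real Created values; a POST within a few seconds of every spam entry, from rotating IPs, is the pattern of an unauthenticated form being driven by a botnet rather than a stolen admin password. Blocking the three IPs, as suggested above, will not help against that.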

banal

8 July 2009 at 12:50am Community Member, 901 Posts

Bad news, everyone. I just installed the Blog module and it is indeed very vulnerable to these kinds of attacks. No login checks whatsoever are being done when form data is sent to the server.
Here's a post I just created: http://nestbau.info/testing-vulnerability/

I used the official module download. Will check if the vulnerability is still present in trunk and file a bug report.

banal

8 July 2009 at 1:02am Community Member, 901 Posts

For a quick fix, add the following (the Permission::check block at the top of each method) to your BlogHolder.php file (BlogHolder_Controller class):

// @line 168 of BlogHolder.php, in BlogHolder_Controller
function BlogEntryForm() {
   // Refuse to build the form for anyone who is not an administrator.
   if(!Permission::check('ADMIN')){
      return Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
   }
   // ... the original body of BlogEntryForm() follows unchanged
}

// @line 347
function postblog($data, $form) {
   // Same check on the submit handler: a POST to /news/BlogEntryForm reaches it directly.
   if(!Permission::check('ADMIN')){
      return Security::permissionFailure($this, _t('BlogHolder.HAVENTPERM', 'Posting blogs is an administrator task. Please log in.'));
   }
   // ... the original body of postblog() follows unchanged
}

banal

8 July 2009 at 1:14am (Last edited: 8 July 2009 1:25am), Community Member, 901 Posts

Here's a patch that fixes the issue with the current version in trunk (rev. 81246).
Will submit a ticket now.

Update: the ticket is here: http://open.silverstripe.org/ticket/4344

cliersch

8 July 2009 at 1:41am (Last edited: 8 July 2009 1:42am), Community Member, 75 Posts

This is bad! But good you found a solution!!! Thanks!

I just built your "red code" above into BlogHolder.php. Now I'm able to post as a logged-in admin, but is it safe now? How can I test this?

When I use your patch, I'm not able to post as an admin user either.
Your patch uses

if(!$this->IsOwner())

instead of

if(!Permission::check('ADMIN'))

and is adding something in function post()