Firstly, I am new to fckEditor. Secondly, I am reasonably new to web development. Thirdly, I have spent ages scouring this forum and the web looking for a concrete answer to what I am about to ask, and although some sites or posts seem to point to an answer I am still confused.
I am running fckEditor on an asp page that writes a feedback form to an access mdb. I recently found a whole bunch of records in my mdb that look something like the following:
At last...
<a href= ></a> *
Now, I am pretty sure I am the victim of a vulnerability exploitation, and I have looked at my fckEditor setup but can't find any sign of actual malicious damage. Can someone please explain to me what these guys are doing, how I can check if they have been successful, and how can I ensure they don't do it in the future? I am using the newest fckEditor release, my filemanager is disabled, and the fckEditor tree is in my web root (which I now understand could be a problem from what I have read on here).
This really has got me baffled, so a detailed explanation would be appreciated. I apologise for having to ask and not being able to figure this out from previous posts, and maybe it is the late hour, but I am just unsure of what is actually happening here.
Ash.
Re: Am I being hacked??
ummm you say you have the config ok..

but could you tell me what you do AFTER you get the output of fckeditor? I mean, do you do something like pasteintodb($_GET['fckeditor']);
I hope you understand me, I'm writing, umm, a bit of nonsense 'cause it's 3:15 in Poland and I haven't slept for over 24 hours
Re: Am I being hacked??
Using the execute method of a connection object for the insert, if that helps.
Ash.
Re: Am I being hacked??
Then what seems to be the problem, 'cause I don't get it? xDDD
Re: Am I being hacked??
Message = Replace(request("fckEditor1"),"'","''")
It's very basic, but cuts out the obvious attempts.
I don't get it either to be honest, as I can't find any sign of damage, files being uploaded, or my mdb being attacked, but the messages in the records on my mdb give the impression that the guys doing this have found something and are exploiting it. Some examples are:
Ni hao!
Check this out!
<a href= ></a>,
----------
And some more..
<a href= ></a> *
--------
At last...
<a href= ></a> *
--------
Salaam!
Check this out!
<a href= ></a>,
--------
Watch Them!
<a href= ></a> *
and so on and so on. There are dozens of them, and I just get the feeling I am missing something and that they are using my site for something beyond my understanding of the fckEditor. It is only the field that uses the fckEditor as its source that is displaying these messages, so I don't think it is a random SQL injection attempt. They seem to be targeting fcked, and I don't know enough about it to really know if anything is being abused or not.
Ash.
Re: Am I being hacked??
I think the problem is not a SQL injection but an XSS injection. I mean, you must display those fields somewhere, don't you?
I think ;p;p
What you should do, if I am right, is clean up the HTML code before you put it into the DB. I must assure you that this is not an issue of fckeditor.
Re: Am I being hacked??
I believe you when you say fckEditor isn't the cause, I just wasn't sure what I was missing in controlling the situation.
Thanks for your help
Re: Am I being hacked??
oh
yeaaa .. so what you should do is clean up the HTML... I do not know how though, I am a PHP programmer

Second: put an .htaccess file in the filemanager directory if you don't use it
I would suggest you do a regexp on the HTML, let through only the allowed tags and attributes, and check that the HTML syntax is not fuckd up, which is often an effect of XSS..
and make a replace of "<script", "javascript:" etc.
Re: Am I being hacked??
and delete all the onmouseover, onhover, onclick, onfocus, onload etc. etc. etc. events
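An added example, not part of the thread: the allowlist approach suggested in the two posts above (keep only permitted tags and attributes, drop event handlers and `javascript:` links, rebalance the markup), built on an HTML parser instead of regexps and string replaces. It is written in Python rather than ASP or PHP; the policy sets and the names `sanitize`, `safe_url` and `AllowlistSanitizer` are assumptions made for this sketch.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for a feedback field: basic formatting and links only.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # every other attribute, on* handlers included, is dropped
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}    # these elements are discarded together with their text

def safe_url(url):
    try:  # remove whitespace/control chars first: browsers ignore tabs and newlines inside a URL
        return urlsplit("".join(c for c in url if c > " ")).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:          # values arrive with entities already decoded
            value = (value or "").strip()
            if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag != "br":                    # br is a void element, never left open
            self.open_tags.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            top = None
            while top != tag:              # close inner tags too, so the output stays balanced
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open_tags)])
```

Because the output is rebuilt from parsed tokens, disallowed markup never reaches the page at all, which is why this holds up better than replacing strings such as "<script" in the raw input.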
Re: Am I being hacked??
Thanks for the hints. I am already scouring the web for filtering methods for xss injection, and it is much like you are suggesting. I will read and digest this info and make some changes to my asp to counter it.
You have put my mind at rest, and now I know how to deal with it I can happily go and get my 2 hours sleep before I have to get up for my day job
Many thanks.
Re: Am I being hacked??
no problem
bye ;p
Re: Am I being hacked??
//note: I have found a class for filtering HTML, it got some award from phpclasses... but it is PHP
Re: Am I being hacked??
If you have left disabled the filemanager you are way ahead of too many other people that enable it and leave it unprotected.
I wouldn't use FCKeditor for a contact form, instead I would use a plain textarea and then, when storing the contents posted, escape them using server.HTMLencode, that's the safest solution (apart from watching for SQL injections)
And now back to the problem: Are you sure that they are posting empty links?
The behavior that you have described looks like typical spammers that fill out any contact form that they can find with lots of links to their servers, hoping that the links will be shown again to the visitors or to the crawling robots, and they are harmless (although a PITA). In order to get rid of them you can try to add some kind of CAPTCHA (including just one text box asking to fill in the URL of your domain; spam bots won't recognize it and humans are able to copy & paste)
Re: Am I being hacked??
That will not make the site hack-safe. You have to clean up HTML for XSS. Period.
Re: Am I being hacked??
oh yea forgot ;p
http://phpclasses.toperz.pl/browse/package/3717.html
http://phpclasses.toperz.pl/browse/package/2189.html
Re: Am I being hacked??
Who says it has???
Or any editor, come to think of that ....
And if it does then I do not see any point in using fckeditor
Re: Am I being hacked??
Have a look at htmLawed, a highly customizable, 45 kb, single file PHP script to filter/purify HTML. Besides restricting tags/elements, attributes and URL protocols as per your specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.