Hi, my Joomla site was hacked last night. The site has been up since last May without any problems. I installed JoomlaFCKEditor 2.4.4 two days ago. Are there any known vulnerabilities with the editor that may have caused this? The hacker put up their index page and apparently changed my Admin username/password in the DB. I'm working on that issue right now. Though I've got my site back up, I can't get into the Admin back end. I am thinking it might be too dangerous to reinstall the editor.
Thu, 11/15/2007 - 21:32
#1
Re: site hacked two days after installing editor
That mambot doesn't have any kind of protection, and it was just a matter of time before people started using it to try attacks. It's a big shame that despite my having filed a bug about it over two months ago, they still haven't fixed it.
JoomlaFCK2, on the other hand, uses an updated version of FCKeditor and ships (according to their docs) with the logical restrictions on file uploads.
Anyway, the problem is not the editor itself (it's shipped with all the connectors disabled), but the Joomla integration, which doesn't have the minimal security measures and has unconditionally enabled the connector. Everybody should know this and avoid that mambot, since it can become an attack vector.
Re: site hacked two days after installing editor
And anyway, uploading files would mean just that: they could upload files to your server, but in order to get control they must be using some other hole in another part of the system.
Re: site hacked two days after installing editor
Please explain the .htaccess file in the editor folder. I mean, I have an .htaccess file one level above the root of my site. Isn't that enough?
Re: site hacked two days after installing editor
They just ask the server whether several files that they know have weak points exist on your server. If one succeeds, they know that you have installed that piece of software.
Check your server logs for error 404 and you'll see that they scan lots of things.
If it's above the root, then it probably isn't configured to protect the content; you need to restrict access to any file under the fckeditor folder. This should help you: http://www.htaccesstools.com/htaccess-authentication/ (or do a Google search, I'm not an Apache expert).
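The log check suggested above, as an added example that is not part of the thread: it parses Apache combined-format access log lines and reports clients whose 404 responses span many distinct paths, which is what a scan for installed software looks like. The log lines, client addresses and probed paths are constructed sample data.

```python
# Added example (not from the thread): flag clients whose 404s hit many
# different paths, the pattern left by someone probing for known files.
import re
from collections import defaultdict

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client probing for editor/connector files (all 404),
# one ordinary visitor with a single missing favicon.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2007:20:01:02 +0000] "GET /mambots/editors/fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.0" 404 287 "-" "-"
203.0.113.7 - - [15/Nov/2007:20:01:03 +0000] "GET /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.0" 404 287 "-" "-"
203.0.113.7 - - [15/Nov/2007:20:01:03 +0000] "GET /administrator/components/com_example/upload.php HTTP/1.0" 404 287 "-" "-"
203.0.113.7 - - [15/Nov/2007:20:01:04 +0000] "GET /components/com_example/example.php HTTP/1.0" 404 287 "-" "-"
198.51.100.2 - - [15/Nov/2007:20:05:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [15/Nov/2007:20:05:11 +0000] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_probing_clients(log_text, min_distinct_404=3):
    """Return {ip: sorted list of 404 paths} for clients with >= min_distinct_404
    distinct missing paths. A single missing favicon does not qualify."""
    missing = defaultdict(set)
    for rec in parse(log_text):
        if rec["status"] == "404":
            missing[rec["ip"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in missing.items() if len(p) >= min_distinct_404}

if __name__ == "__main__":
    for ip, paths in find_probing_clients(SAMPLE_LOG).items():
        print(ip, "requested", len(paths), "distinct missing paths:")
        for path in paths:
            print("   ", path)
```

Feed it your real access log instead of SAMPLE_LOG and raise min_distinct_404 if a busy site produces too many hits.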