CKEditor 4
Thu, 11/15/2007 - 21:32
#1
run4it
run4it's picture
Joined: 13/11/2007
Posts: 10

site hacked two days after installing editor

Hi Joomla site was hacked last night. The site has been up since last May without any problems. I installed JoomlaFCKEditor 2.4.4 two days ago. Are there any known vulnerabilities with the editor that may have caused this? The hacker put up their index page and apparently changed my Admin username/password in the DB. I'm working on that issue right now. Though I've got my site back up, I can't get into the Admin back end. I am thinking it might be too dangerous to reinstall the editor.
Top
Thu, 11/15/2007 - 23:53
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: site hacked two days after installing editor

That mambot doesn't have any kind of protection and it was just a matter of time that people started using it to try attacks. It's a big shame that despite having filed a bug about it over two months ago they still haven't fixed it.

the joomlafck2 on the other side uses an updated version of FCKeditor and ships (according to their docs) with the logical restrictions on file uploads.

Anyway, the problem is not the editor itself (it's shipped with all the connectors disabled), but just the joomla integration that doesn't have the minimal security measures and have unconditionally enabled the connector. Everybody should know it to avoid that mambot if it can become a vector attack.

Top
Fri, 11/16/2007 - 17:47
run4it
run4it's picture
Joined: 13/11/2007
Posts: 10

Re: site hacked two days after installing editor

I'd like to clarify my circumstance to see if it makes any difference in where the vulnerability is in my site that allowed it to be hacked. Only authenticated front end authors/editors have access to JoomlaFCKEditor on my site. Does this imply that the hacker got past my authentication process in order to exploit a potential vulnerability in the editor? could the real problem actually lie with the the authentication? Weak username/passwords and such? I admit they were weak.
Top
Fri, 11/16/2007 - 17:51
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: site hacked two days after installing editor

The weak point in that Joomla integration is that it could allow anyone to upload files without any authentication, but if you protected with .htaccess the whole FCKeditor folder then it should be safe.

And anyway, uploading files would mean just that, they could allow files to your server, but in order to get control they must be using some other hole in other part of the system.
Top
Fri, 11/16/2007 - 18:08
run4it
run4it's picture
Joined: 13/11/2007
Posts: 10

Re: site hacked two days after installing editor

How do they get to the editor if they aren't authenticated? I mean, how do they even know it's on my site?
Please explain the .htaccess file in the editor folder. I mean, I have an .htaccess file one level above the root of my site. Isn't that enough?
Top
Fri, 11/16/2007 - 18:21
alfonsoml
alfonsoml's picture
Joined: 31/12/2006
Posts: 3735

Re: site hacked two days after installing editor

run4it wrote:How do they get to the editor if they aren't authenticated? I mean, how do they even know it's on my site?

They just ask the server if several files that they know have weak points exists on your server. If one success, they know that you have installed that piece of software.
Check your server logs for the error 404 and you'll see that they scan lots of things.

run4it wrote:
Please explain the .htaccess file in the editor folder. I mean, I have an .htaccess file one level above the root of my site. Isn't that enough?

if it's above the root then probably it isn't configured to protect the content, you need to restrict the access to any file under the fckeditor folder. this should help you: http://www.htaccesstools.com/htaccess-authentication/ (or do a google search, i'm not an apache expert)

Top
Twitter Facebook Facebook Instagram Medium Linkedin GitHub Arrow down Phone Menu Close icon Check