Elxis CMS Forum
Support => Security => Topic started by: datahell on December 29, 2008, 20:59:36
-
Elxis Defender blocked a couple of attacks on the IOS Newsletter component. I immediately searched the component for security holes, but I discovered that the attack was aimed at a Joomla component with the same name! The two components have nothing in common, so there is nothing to worry about. I just want to inform people using the IOS Newsletter component that if you get a similar attack, don't worry: the attack is addressed to Joomla web sites. Elxis' IOS Newsletter is absolutely secure. Joomla's Newsletter component is vulnerable to SQL injection attacks.
Here is the requested URI as caught by Elxis Defender:
index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*
The above URL can not harm Elxis or IOS Newsletter.
-
but I discovered that the attack was for a joomla's component with the same name!
a newsletter component for Joomla, with the same name !!?!!?!! :o
Edit: Got an attack logged also, on one of my clients' sites.
Requested URI: /com_newsletter/index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*
-
The "listid" parameter in the URL does not exist in IOS Newsletter.
How hackers attack:
When a vulnerability is discovered, hackers search Google for sites having a characteristic word in the URL in order to find vulnerable sites. In this case they could search for inurl:com_newsletter or use "allinurl".
They create a list of sites that match Google's search results and begin to attack using a pre-made script.
So, together with the Joomla sites, they also find Elxis sites from Google having "com_newsletter" in the URL. But IOS Newsletter is absolutely secure. Do not worry.
I must say once more:
1. Always update your sites to the latest Elxis version.
2. Enable Elxis Defender and set some good filters.
3. Enable SEO PRO.
-
How attackers attack:
When a vulnerability is discovered, hackers search Google for sites having a characteristic word in the URL in order to find vulnerable sites. In this case they could search for inurl:com_newsletter or use "allinurl".
This is Dork ... Like Google Dork (inurl: ...)
I must say once more:
1. Always update your sites to the latest Elxis version.
2. Enable Elxis Defender and set some good filters.
3. Enable SEO PRO.
And also consider your server security and choose a well-secured server :)
-
I must say once more:
1. Always update your sites to the latest Elxis version.
2. Enable Elxis Defender and set some good filters.
3. Enable SEO PRO.
It is time to ask... I wanted to ask this question for months but always forgot to...
Now it is time...
1. What other possible filters (except the example filters on the Defender page) can we add, and for what purpose in each case?
2. The example filters on the Defender page in red are supposed to be the most necessary... if I guess right! Are they?
Are there any other filters not listed there... I mean filters that block well-known ways (in the URL) of attacking? ... It is sure that there are a lot of ways someone can use to attack... Is there a resource to give us more info?
-
There are 2 kinds of attacks: attempts to modify configuration options (XSS) and SQL injections.
Most of the first ones are intercepted easily with a simple "mosconfig" filter. You should also make sure that allow_url_fopen is disabled in your PHP. The only problem with this filter is that you have to temporarily disable Defender if you wish to modify the Elxis configuration; otherwise you will be banned from your own site!
SQL injection attacks are harder to defend against, as hackers can use many variations of SQL commands and it is harder to block all of them. For instance, if we have set the filter "union select", a hacker may use "union/**/ select" to bypass our filter. Also many attacks use hex to bypass blocking mechanisms. So it is absolutely necessary that the software we use be as secure as possible, so that even if an attack manages to reach the inner script it is not able to harm it.
To find good filters, study the way hackers attack. If you search the internet you will find lots of exploits. Use key words from these exploits as Defender filters. The sample filters Defender has are all used in real attacks and they are good, but you can also use others.
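The filter-evasion point above (a plain "union select" filter is defeated by an inline comment, by URL encoding, or by hex literals, and an unknown parameter such as "listid" is itself a signal) can be shown concretely. The following is an added example written for this thread, not Elxis Defender's own code: it runs a naive substring filter and a normalizing rule set over a few request lines. The first request is the URI quoted in the thread; the other three are constructed variants, and the KNOWN_PARAMS allowlist is hypothetical, used only to illustrate the "parameter does not exist in the component" check.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample request lines. The first is the URI quoted in this thread;
# the next two are constructed variants using an inline comment, '+' encoding
# and a hex string literal; the last is an ordinary request that must not fire.
SAMPLE_REQUESTS = [
    "/index.php?option=com_newsletter&Itemid=-1&listid=-1 union select "
    "1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*",
    "/index.php?option=com_newsletter&Itemid=-1&listid=-1%20union/**/select"
    "%201,2%20from%20%23__users/*",
    "/index.php?option=com_newsletter&Itemid=-1&listid=-1+UnIoN+SeLeCt+"
    "0x61646d696e+FROM+%23__users/*",
    "/index.php?option=com_newsletter&Itemid=7&task=view&id=3",
]

# The kind of plain substring filter discussed in the thread, matched
# case-insensitively against the raw request line.
NAIVE_FILTERS = ["mosconfig", "union select"]


def naive_filter_hits(uri):
    """Names of the naive substring filters that match the raw request."""
    raw = uri.lower()
    return [f for f in NAIVE_FILTERS if f in raw]


def normalize(uri):
    """Undo the usual encodings before matching: repeated URL decoding (so
    double-encoded input is seen as the server will see it), '+' to space,
    SQL comments replaced by a space, whitespace collapsed, lower-cased."""
    text = uri
    for _ in range(3):                      # bounded, so it always terminates
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # inline comments
    text = re.sub(r"/\*.*$", " ", text, flags=re.S)      # unterminated tail comment
    text = re.sub(r"\s+", " ", text)
    return text.lower()


# Rules applied to the normalized request. The hex rule deliberately ignores
# short literals such as 0x40 and flags only longer hex strings, which ordinary
# CMS links never carry.
NORMALIZED_RULES = {
    "sql-union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "cms-table-prefix": re.compile(r"#__\w+"),
    "hex-string-literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),
    "config-override": re.compile(r"mosconfig"),
}

# Hypothetical allowlist (assumption, not IOS Newsletter's real parameter set):
# the query parameters a component is known to read. The thread's point is that
# "listid" is not read by IOS Newsletter at all, so a request carrying it is
# suspect before any SQL keyword is examined.
KNOWN_PARAMS = {"com_newsletter": {"option", "Itemid", "task", "id"}}


def unknown_params(uri):
    """Query parameter names not in the component's allowlist (sorted)."""
    params = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    allowed = KNOWN_PARAMS.get(params.get("option", ""))
    if allowed is None:
        return []
    return sorted(k for k in params if k not in allowed)


def inspect(uri):
    """Names of the normalized rules (plus the parameter check) that fire."""
    norm = normalize(uri)
    hits = [name for name, pat in NORMALIZED_RULES.items() if pat.search(norm)]
    if unknown_params(uri):
        hits.append("unknown-parameter")
    return hits


if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(uri[:60] + "...")
        print("  naive filter :", naive_filter_hits(uri) or "no match")
        print("  normalized   :", inspect(uri) or "no match")
```

Running it shows the gap the post describes: the naive filter matches only the first request, while the two constructed variants slip past it and are caught only after normalization. The unknown-parameter check fires on all three attack lines regardless of how the SQL is written, which is why a filter layer is a complement to, not a substitute for, a component that uses parameterized queries.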
-
Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 58.241.255.38 (blocked)
Requested URI: /com_downloads/index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*
DATE: 11-02-2009 22:04:47
Attack was logged
-
Don't worry. We have referred to this before. The attack is addressed to a Mambo component with the same name (but with nothing more in common). You can see this from the URL: it says "listid", which does not exist in IOS Newsletter. IOS Newsletter is absolutely secure :)