
Technical Support Forums


Any knowledge of hacking issues?

Thread began 6/12/2015 11:34 am by webdesignerwags | Last modified 8/27/2015 5:25 pm by Ray Borduin | 3718 views | 49 replies |

webdesignerwags


Hi,
One of my sites was hacked yesterday. I've never had this happen before. The path that was given is my CMS folder. The hacker is Himanshu Dhiraj Mishra - supposedly an ethical hacker. I don't understand his purpose.

I just want to know if there is a security issue and I missed a fix for it. Also any info about this guy and why he does this.

I've never had a site hacked before and this wasn't exactly how I was planning to spend this day!

Thank you for any info you can provide. I'm working on re-establishing the site on another server but I want to make sure this won't happen again. I have much better things to do with my days.

The site is townmarshfield.com

Thank you,
Laura

Thought I'd add a screenshot of the guy posting about this on Google+. It was nice of the other guy to let me know.

Attached Files
hacker.docx

Ray Borduin (WebAssist)

Are you using an old version of PowerCMS? If you provide FTP information to your site I can see if I can find the security hole. We did have issues years in the past that we have since corrected, so if you have older files on your site that could be it.


webdesignerwags

It could very well be old, Ray. It's been out there quite some time.


Ray Borduin (WebAssist)

Yes, it is very old and has the known security hole.

It looks like the html editor file upload doesn't even work on your version of php. I'm deleting the files that have the hole, but the issue is that since someone found it, they may have uploaded a file that has another hole... but it doesn't look like he did.

Really you should use the latest version of Data Bridge to update all of your HTMLeditor instances to the most recent version. I've removed all file upload capability from the version you have installed to close any potential security holes. Using the latest version would allow you to re-implement file upload capability without security concerns.


webdesignerwags

How do I know which sites have updated files and which don't? I know my later sites are using the newer DataBridge but not sure about my older sites. I don't know if they got upgraded or not. I deleted about 500 files from the Files folder this morning. I'm pretty sure I got everything that shouldn't have been in that folder. Anything else I need to do to guard against this because he may find my other sites that are using CMS. Thank you.


Ray Borduin (WebAssist)

If the site has a /HTMLEditor/ then it is using the older version of HTMLEditor and could have a security issue. The safest bet is to delete that folder and re-apply any rich text editing fields using Data Bridge, or get Design Extender and update your entire CMS system to get it up to date and it won't use that folder any more.

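A defender-side way to answer the question of which sites still carry the old editor, as an added example that is not part of the thread or WebAssist's code: it scans local copies of each site for a folder named HTMLEditor (at any depth, which is broader than the root-level check described above) and flags script-like files inside upload folders. The `Files` folder name, the suffix list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumptions (not from the thread): every site is a sub-directory of one parent
# folder (for example a local FTP mirror) and uploads live in a folder named "Files".
LEGACY_DIR = "htmleditor"      # the /HTMLEditor/ marker, compared case-insensitively
UPLOAD_DIRS = {"files"}
RISKY_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl", ".asp", ".htaccess"}

def audit_site(site_root):
    """Return (legacy_editor_dirs, risky_files_in_upload_dirs) for one site."""
    legacy, risky = [], []
    for dirpath, dirnames, filenames in os.walk(site_root):
        for d in dirnames:
            if d.lower() == LEGACY_DIR:
                legacy.append(os.path.relpath(os.path.join(dirpath, d), site_root))
        parts = os.path.relpath(dirpath, site_root).lower().split(os.sep)
        if UPLOAD_DIRS & set(parts):
            for f in filenames:
                # Test every dot-separated part so "x.php.jpg" is caught as well.
                if any("." + p in RISKY_SUFFIXES for p in f.lower().split(".")[1:]):
                    risky.append(os.path.relpath(os.path.join(dirpath, f), site_root))
    return sorted(legacy), sorted(risky)

def audit_all(parent):
    """Audit every site directory directly under `parent`."""
    report = {}
    for name in sorted(os.listdir(parent)):
        root = os.path.join(parent, name)
        if os.path.isdir(root):
            report[name] = audit_site(root)
    return report

def build_demo(parent):
    """Constructed sample tree: one legacy site with a stray script, one clean site."""
    for rel in ("old-site/HTMLEditor/placeholder.txt", "old-site/Files/photo.jpg",
                "old-site/Files/x.php.jpg", "new-site/Files/logo.png",
                "new-site/index.php"):
        path = os.path.join(parent, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        for site, (legacy, risky) in audit_all(tmp).items():
            print(f"{site}: legacy editor={legacy or 'none'}; "
                  f"scripts in uploads={risky or 'none'}")
```

Point `audit_all` at the folder holding your own site copies instead of the demo tree; a flagged file is a candidate for review, not proof of compromise.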

Steve

So you are saying IF there is an HTMLEditor folder in the ROOT directory of your site it contains non secure elements?

I'm getting errors from a new update to PHP 5.6.11 when error reporting is in place. Does the Power CMS support MySQLi? This seems quite important.


Ray Borduin (WebAssist)

We have not updated PowerCMS to use MySQLi yet. We will be doing that update in the next major Design Extender release. It shouldn't error, it should just have "warnings" that can be turned off.

Realistically standard MySQL will continue to work for the next 5 years or so, and we will have an easy upgrade for existing sites ready much before then.


webdesignerwags

I'm finally getting back to this. I know I have other sites with HTML editor. I need to get this fixed.
I have DataBridge. How do I change my sites w/o messing up the whole CMS? I was going to figure this out on my own but I know how that will go. When I have it totally messed up I will still need to ask for help and then it will take me 3 extra days to get it fixed. So I decided to go against my natural instincts and ask for help first. Can you just give me a few steps that I need to take to replace the old with the new?
Thank you so much!
Laura


Ray Borduin (WebAssist)

Why don't we do the first one together and then you can follow the same steps. What is a good US phone number or Skype contact information to reach you? I'll put it in my calendar for Friday and we can do screen sharing and go through it together so that there aren't any issues.
