
Are there any issues related to security for DataAssist?

Thread began 5/01/2017 12:45 pm by webdesignerwags | Last modified 5/02/2017 2:34 pm by Ray Borduin | 335 views | 11 replies |

webdesignerwags

Are there any issues related to security for DataAssist?

I had a website hacked early April. I suspect the vulnerability was in my registration form made with DataAssist. Is there an update I should be aware of? Thank you.


Ray Borduin (WebAssist)

There are no known vulnerabilities in the DataAssist code itself. That doesn't mean you couldn't create a web page that is vulnerable though particularly if you are hand coding to make changes and updates after application.

If you track down the source of the vulnerability we would certainly be interested if it did happen in the DataAssist code, but I'm not aware of anything like that.

The first place to look would be in your use of File upload and HTML Editor fields with file management. Any time you give your users the ability to upload files to your web server it has the potential for misuse.


webdesignerwags

Thank you Ray. I do have the option for the new member to upload a photo. Often the members don't upload a photo anyway so I could eliminate that field and have them email it to me.

How can I track down the source of the vulnerability? I talked to HostGator and was told they couldn't tell me how the hacker entered the site. I thought they should be able to tell that. Do you think I should ask again or is there some other way I can determine this?

This is the first time (as far as I can remember) that I've had a site hacked in 17 years of making websites. It was a minor hack and I had the pages removed and site fixed in about 10 minutes. I just don't know a lot about hackers and how they gain access because I haven't had to deal with it. A very good thing!


Ray Borduin (WebAssist)

Make sure you have restrictions that only allow images to be uploaded. If you have an upload field that doesn't have "images only" checked it can be used to upload malicious files. Another way to prevent abuse is to have files uploaded to a folder outside of the web root. That way they can't access or run files that have been uploaded.

Were malicious files placed in the upload folder where the member images are uploaded to? If so, that is the likely source of the vulnerability.

You have to figure out what happened to work backwards and figure out how it could have happened. If pages were added to your site then file uploads is a likely way they got in. Look at the folder where the files were added and that might be able to help you track it down. If they are in a new folder they were likely spawned from a file in another location, so you have to find that file. Hackers don't usually clean up after themselves, so there will probably be a trail to the original vulnerability you can track down and seal off.


webdesignerwags

OK - this makes sense. HostGator sent me an email 2 weeks after the hacking. In the email they mentioned index.php in the MemberPhotos folder. All that is in that folder normally would be images. There should never be any pages. I deleted the other pages immediately - pages like the home page. They had uploaded one of those black pages with the ugly guy telling us we've been hacked. And I could see on the server anything else that had been changed by the date/time. So I just deleted and put back my good pages from my local files.

I hadn't noticed anything in the MemberPhotos folder and I don't remember if I found index.php there after HG emailed me.

I don't change your code. I can usually figure out what is happening with the code but beyond that, I don't know enough about PHP to make changes. This has all been working fine for 3-4 years now. I did have trouble with spammers on the registration form but then changed the name so it's harder to guess and we've been fine. The reg page is not visible on the website. The new member has to join, pay through paypal and then they are taken back to the registration page. So that makes me wonder more how the hacker found the reg page and how they got into my site to make changes to other pages.

I'm going to paste the bit of code that is probably what I need to make sure is correct - to not allow anything but images. Please tell me if I should change any of this. Thank you!
<?php
// WA_UploadResult1 Params Start
$WA_UploadResult1_Params = array();
// WA_UploadResult1_1 Start
$WA_UploadResult1_Params["WA_UploadResult1_1"] = array(
'UploadFolder' => "MemberPhotos",
'FileName' => "[FileName]",
'DefaultFileName' => "",
'ResizeType' => "0",
'ResizeWidth' => "0",
'ResizeHeight' => "0",
'ResizeFillColor' => "" );
// WA_UploadResult1_1 End
// WA_UploadResult1 Params End
?>
<?php
WA_DFP_SetupUploadStatusStruct("WA_UploadResult1");
if(isset($_POST["Insert"]) || isset($_POST["Insert_x"])){
// fifth argument ("false" here) is the images-only restriction on the "photo" field
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "false", $WA_UploadResult1_Params);
}
?>


Ray Borduin (WebAssist)

That is the problem... you have:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "false", $WA_UploadResult1_Params);

The "false" part is the setting to restrict the upload to images only. If you change that to:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "true", $WA_UploadResult1_Params);

That would likely fix the security hole. File upload for anything but images should only be done by admin, so not having that restriction on an upload file field is an inherent risk particularly if they know the name of the folder it is being uploaded to, which they could tell by viewing the source of a displayed image.

Change it to:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "true", $WA_UploadResult1_Params);


Ray Borduin (WebAssist)

Also dig through the member photos folder to make sure they didn't leave anything behind they could use to get back in.

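As an added example (not DataAssist code and not Ray's), the check that an "images only" restriction amounts to, plus a scan of an uploads folder for files that are not genuine images; it covers both the hardening advice earlier in the thread and the "dig through the member photos folder" step above. The function names and the signature table are my own, and the sample folder is constructed inline.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple
# Allow-list: extension -> leading magic bytes of that format (constructed for this example).
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
def is_real_image(filename: str, data: bytes) -> bool:
    """True only if the extension is allowed AND the bytes start with that format's signature."""
    sigs = IMAGE_SIGNATURES.get(Path(filename).suffix.lower())
    return sigs is not None and any(data.startswith(s) for s in sigs)
def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decision an 'images only' handler should reach before writing anything to disk."""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        return False, "rejected: path characters in file name"
    if not is_real_image(filename, data):
        return False, "rejected: not an allowed image type"
    return True, "accepted"
def scan_upload_folder(folder: str) -> List[str]:
    """List files under an images-only folder whose name or content is not a genuine image."""
    suspicious = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(16)  # longest signature above is 8 bytes
            if not is_real_image(name, head):
                suspicious.append(os.path.relpath(path, folder).replace(os.sep, "/"))
    return sorted(suspicious)
def build_sample_folder() -> str:
    """Constructed stand-in for a MemberPhotos folder after an incident; returns its path."""
    folder = tempfile.mkdtemp(prefix="MemberPhotos_")
    samples = {
        "member01.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG header
        "index.php": b"<?php echo 'not an image'; ?>",  # script left behind
        "member02.jpg": b"<?php echo 'disguised'; ?>",  # script named like a photo
        "thumbs/member01.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # genuine PNG in a subfolder
    }
    for rel, content in samples.items():
        path = os.path.join(folder, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return folder
```

Running `scan_upload_folder(build_sample_folder())` flags both the stray index.php and the .jpg whose bytes are not a JPEG, which is the kind of leftover the naming convention alone would not reveal.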

webdesignerwags

Thank you very much Ray. I changed to true. I had already gone through the Photos folder and I'm sure there was some garbage in there from them. All my member photos have the same naming convention because I rename them when new members submit. They submit images with the dumbest names and the most outrageous sizes. I usually end up downloading, fixing, renaming and re-uploading. But I will go back and double check to make sure the hacker didn't catch on to my naming convention and upload something that I wouldn't notice.

So, do you suppose this was just some hacking software that happened upon our site? Does this software just roam around the web searching out vulnerabilities? Do you think I should have further concerns? It's been a month and I haven't had trouble with any other sites.
Thank you again. I really appreciate your help.


Ray Borduin (WebAssist)

It is impossible to say how someone happened to find it or if it was a bot. Someone noticed you had an upload and then found they could upload anything, and they took advantage of that security hole. I don't think you should have other concerns because of this, but if you have file upload fields on sites this is a potential concern.


webdesignerwags

So once the hacker got access to the Photos folder, he could then get access to the root so he could change my home page? I told you I don't know much about how hacking works. :)

I could probably come up with questions all day but I promise I will stop now. I've taken up enough of your time. I'll definitely look over my other sites but I'm pretty sure I don't have any other uploads.

Thank you again for all your help and expertise. Very much appreciated.
Have a great day!
