Are there any issues related to security for DataAssist?
I had a website hacked early April. I suspect the vulnerability was in my registration form made with DataAssist. Is there an update I should be aware of? Thank you.
There are no known vulnerabilities in the DataAssist code itself. That doesn't mean you couldn't create a web page that is vulnerable though particularly if you are hand coding to make changes and updates after application.
If you track down the source of the vulnerability we would certainly be interested if it did happen in the DataAssist code, but I'm not aware of anything like that.
The first place to look would be in your use of File upload and HTML Editor fields with file management. Any time you give your users the ability to upload files to your web server it has the potential for misuse.
Thank you Ray. I do have the option for the new member to upload a photo. Often the members don't upload a photo anyway so I could eliminate that field and have them email it to me.
How can I track down the source of the vulnerability? I talked to HostGator and was told they couldn't tell me how the hacker entered the site. I thought they should be able to tell that. Do you think I should ask again or is there some other way I can determine this?
This is the first time (as far as I can remember) that I've had a site hacked in 17 years of making websites. It was a minor hack and I had the pages removed and site fixed in about 10 minutes. I just don't know a lot about hackers and how they gain access because I haven't had to deal with it. A very good thing!
Make sure you have restrictions that only allow images to be uploaded. If you have an upload field that doesn't have "images only" checked it can be used to upload malicious files. Another way to prevent abuse is to have files uploaded to a folder outside of the web root. That way they can't access or run files that have been uploaded.
Were malicious files placed in the upload folder where the member images are uploaded to? If so, that is the likely source of the vulnerability.
You have to figure out what happened to work backwards and figure out how it could have happened. If pages were added to your site then file uploads is a likely way they got in. Look at the folder where the files were added and that might be able to help you track it down. If they are in a new folder they were likely spawned from a file in another location, so you have to find that file. Hackers don't usually clean up after themselves, so there will probably be a trail to the original vulnerability you can track down and seal off.
OK, this makes sense. HostGator sent me an email 2 weeks after the hacking. In the email they mentioned index.php in the MemberPhotos folder. All that is in that folder normally would be images. There should never be any pages. I deleted the other pages immediately - pages like the home page. They had uploaded one of those black pages with the ugly guy telling us we've been hacked. And I could see on the server anything else that had been changed by the date/time. So I just deleted and put back my good pages from my local files.
I hadn't noticed anything in the MemberPhotos folder and I don't remember if I found index.php there after HG emailed me.
I don't change your code. I can usually figure out what is happening with the code but beyond that, I don't know enough about PHP to make changes. This has all been working fine for 3-4 years now. I did have trouble with spammers on the registration form but then changed the name so it's harder to guess and we've been fine. The reg page is not visible on the website. The new member has to join, pay through PayPal and then they are taken back to the registration page. So that makes me wonder more how the hacker found the reg page and how they got into my site to make changes to other pages.
I'm going to paste the bit of code that is probably what I need to make sure is correct - to not allow anything but images. Please tell me if I should change any of this. Thank you!
<?php
// WA_UploadResult1 Params Start
$WA_UploadResult1_Params = array();
// WA_UploadResult1_1 Start
$WA_UploadResult1_Params["WA_UploadResult1_1"] = array(
'UploadFolder' => "MemberPhotos",
'FileName' => "[FileName]",
'DefaultFileName' => "",
'ResizeType' => "0",
'ResizeWidth' => "0",
'ResizeHeight' => "0",
'ResizeFillColor' => "" );
// WA_UploadResult1_1 End
// WA_UploadResult1 Params End
?>
<?php
WA_DFP_SetupUploadStatusStruct("WA_UploadResult1");
if(isset($_POST["Insert"]) || isset($_POST["Insert_x"])){
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "false", $WA_UploadResult1_Params);
}
?>
That is the problem... you have:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "false", $WA_UploadResult1_Params);
The "false" part is the setting to restrict the upload to images only. If you change that to:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "true", $WA_UploadResult1_Params);
That would likely fix the security hole. File upload for anything but images should only be done by admin, so not having that restriction on an upload file field is an inherent risk, particularly if they know the name of the folder it is being uploaded to, which they could tell by viewing the source of a displayed image.
Change it to:
WA_DFP_UploadFiles("WA_UploadResult1", "photo", "0", "", "true", $WA_UploadResult1_Params);
Also dig through the member photos folder to make sure they didn't leave anything behind they could use to get back in.
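Both pieces of advice above, restricting the upload field to images and digging through the MemberPhotos folder for anything left behind, come down to the same content check. The script below is an added example, not DataAssist or WebAssist code: it assumes uploads sit in a folder such as MemberPhotos and flags any file whose extension is not an image extension, whose leading bytes are not a JPEG/PNG/GIF signature, or that carries a PHP open tag inside an otherwise valid image (the sample files are constructed).

```python
import os
import re
import tempfile

# Magic-byte prefixes for the image types a member-photo field should accept.
IMAGE_SIGNATURES = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# PHP open tags; a genuine photo has no reason to contain one.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_file(path):
    """Return a reason string if the file should be flagged, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return "extension not allowed: %s" % (ext or "(none)")
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(IMAGE_SIGNATURES):
        return "content is not a recognised image"
    if PHP_TAG.search(data):
        return "image contains embedded PHP tag"
    return None


def audit_upload_folder(folder):
    """Walk folder and return {relative path: reason} for suspicious files."""
    findings = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            reason = classify_file(full)
            if reason:
                findings[os.path.relpath(full, folder)] = reason
    return findings


def demo():
    """Audit a constructed MemberPhotos folder (sample data, not real uploads)."""
    samples = {
        "member01.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "index.php": b"<?php echo 'not a photo'; ?>",        # stray script file
        "member02.jpg": b"<?php echo 'not a photo'; ?>",     # script named as a photo
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php ?>",  # valid header, PHP inside
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        return audit_upload_folder(folder)
```

Point `audit_upload_folder()` at a copy of the real upload directory to get the same report for your own files; anything it lists should be compared against what the registration form is supposed to produce.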
Thank you very much Ray. I changed to true. I had already gone through the Photos folder and I'm sure there was some garbage in there from them. All my member photos have the same naming convention because I rename them when new members submit. They submit images with the dumbest names and the most outrageous sizes. I usually end up downloading, fixing, renaming and re-uploading. But I will go back and double check to make sure the hacker didn't catch on to my naming convention and upload something that I wouldn't notice.
So, do you suppose this was just some hacking software that happened upon our site? Does this software just roam around the web searching out vulnerabilities? Do you think I should have further concerns? It's been a month and I haven't had trouble with any other sites.
Thank you again. I really appreciate your help.
It is impossible to say how someone happened to find it or if it was a bot. Someone noticed you had an upload and then found they could upload anything, and they took advantage of that security hole. I don't think you should have other concerns because of this, but if you have file upload fields on sites this is a potential concern.
So once the hacker got access to the Photos folder, he could then get access to the root so he could change my home page? I told you I don't know much about how hacking works. :)
I could probably come up with questions all day but I promise I will stop now. I've taken up enough of your time. I'll definitely look over my other sites but I'm pretty sure I don't have any other uploads.
Thank you again for all your help and expertise. Very much appreciated.
Have a great day!