Technical Support Forums
HTML Editor and HTML Injection - site hacked!

Thread began 11/17/2009 4:34 pm by sandy170299 | Last modified 11/18/2009 1:27 pm by sandy170299 | 5987 views | 15 replies |

sandy170299

One of my PHP sites using the HTML Editor has been hacked twice in the last two weeks. I've changed all of the passwords, and it was still hacked. We're trying to get to the bottom of how it was hacked. My ISP said that there is a known vulnerability with the FCK Editor, version 2.4.3 or earlier. I am using version 2.5.1. build 17566. Have you run into this before?

sandy170299

I've upgraded the editor to 2.6.5. Will this do the trick, or is there still a vulnerability with the version I have now?

detail?vulnId=CVE-2009-2324

Ray Borduin (WebAssist)

What did they do when they hacked the editor? What was the result? What did they inject? Where did it appear? Please provide more information and we can look into it further.

The report you linked to implies that the most recent version, which is used in HTML editor, should not have these vulnerabilities.

sandy170299

First of all, the entire site is CMS-driven - all pages. The first time it happened, they changed page content on the home page with nothing but garbage text and some type of "you've been hacked" statement. All of the content on the other pages had been deleted. I thought they got in through the admin area, so I changed all of the admin passwords by using a password generator, but it doesn't appear that was the problem. The tech support person at my ISP mentioned that he has been seeing quite a few issues with the FCK Editor and hacks recently, and he's thinking it's coming from the editor and they don't even need access to the admin area. This time, the only page that was changed was the home page and they did not change anything else.

Ray Borduin (WebAssist)

It can't be directly through HTML Editor. Did you protect your pages with SecurityAssist? The CMS content comes from the database, right? Power CMS?

They hacked your database, not FCK Editor. They had to get into your admin back end or get direct access to your database to do it.

I'd change my database username / password and make sure you have session level security on all the pages that access the database. Honestly I don't think FCK is the problem in this case.

sandy170299

I am not using Power CMS - I built my own. Yes, I am using SecurityAssist, and all of the pages use an included header file, which is protected by SecurityAssist. I did change all of the admin passwords when this happened two weeks ago, to something that a password generator created. Now I'm really confused, because one of the tech support people at my ISP is telling me that he's encountered numerous security issues directly related to FCK Editor.

Ray Borduin (WebAssist)

In my opinion, he is wrong... there is no way to directly hack into your database from FCK Editor. If they changed or deleted images it could be FCK Editor, but you can't get access to the database from FCK Editor alone. The problem has to be getting into your admin back end or getting into your database directly.

sandy170299

What else do you think I can do to protect this site? I have many other PHP-CMS sites on this server and they have not been touched. I changed all my passwords in all of my sites (databases and admin areas), but somehow this one still got hacked. No images uploaded - just text.

Ray Borduin (WebAssist)

Could be SQL injection somewhere... What is the URL? I can take a quick look to see if I can find SQL injection holes...

One thing you can do is create a database user with read-only access and make sure that is the one used on the front end so that SQL injection won't be possible for updating the database anyway.

How old is the site? What version of Dreamweaver did you use to build it? Dreamweaver Recordsets used to have SQL injection vulnerabilities, but those have been fixed for a couple of years now.

Given your explanation I think SQL injection is the most likely candidate.

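The two measures Ray suggests above (look for SQL injection in the front-end queries, and give the front end a database account that can only SELECT) as an added example; this is not code from the thread or from WebAssist. sqlite3 stands in for the site's MySQL database so it runs offline, and the `pages` table, its columns and the `site_ro` account name are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the CMS database (the real site uses MySQL;
# sqlite3 is used here only so the example runs offline).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT);
        INSERT INTO pages VALUES ('home', 'Welcome'), ('about', 'About us');
    """)
    return conn

def page_body_unsafe(conn, slug):
    # Query built by string concatenation: whatever arrives in the URL
    # becomes part of the SQL text. This is the pattern to hunt for.
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def page_body_safe(conn, slug):
    # Parameterized query: the slug is bound as data, never parsed as SQL.
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None

def update_page(conn, slug, body):
    # The admin-side write path. Returns False when the connection's
    # account is not permitted to write.
    try:
        conn.execute("UPDATE pages SET body = ? WHERE slug = ?", (body, slug))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        return False

def restrict_to_select(conn):
    # Emulates a front-end account granted only SELECT. The MySQL
    # equivalent for a constructed account would be:
    #   CREATE USER 'site_ro'@'localhost' IDENTIFIED BY '<password>';
    #   GRANT SELECT ON cmsdb.* TO 'site_ro'@'localhost';
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)
    return conn
```

With the front end on the SELECT-only account, even a query that is still concatenated cannot be turned into a content change; the admin area keeps its own account with write rights behind SecurityAssist.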
sandy170299

www.diamondqa.com

I'm still using Dreamweaver CS3, not CS4 - I haven't upgraded yet.

The entire site is dynamic, including the menu items. The client can actually build menu items and add content to those menu items through her admin area.

I'm not sure I understand this statement:

One thing you can do is create a database user with read-only access and make sure that is the one used on the front end so that SQL injection won't be possible for updating the database anyway.

Are you talking about when I set up the connection through Dreamweaver?

Thanks, Ray!
