HTML Editor and HTML Injection - site hacked!

One of my PHP sites using the HTML Editor has been hacked twice in the last two weeks. I've changed all of the passwords, and it was still hacked. We're trying to get to the bottom of how it was hacked. My ISP said that there is a known vulnerability with the FCK Editor, version 2.4.3 or earlier. I am using version 2.5.1. build 17566. Have you run into this before?

I've upgraded the editor to 2.6.5. Will this do the trick, or is there still a vulnerability with the version I have now?

detail?vulnId=CVE-2009-2324

What did they do when they hacked the editor? What was the result? What did they inject? Where did it appear? Please provide more information and we can look into it further.

The report you linked to implies that the most recent version, which is used in HTML editor, should not have these vulnerabilities.

First of all, the entire site is CMS-driven - all pages. The first time it happened, they changed page content on the home page with nothing but garbage text and some type of "you've been hacked" statement. All of the content on the other pages had been deleted. I thought they got in through the admin area, so I changed all of the admin passwords by using a password generator, but it doesn't appear that was the problem. The tech support person at my ISP mentioned that he has been seeing quite a few issues with the FCK Editor and hacks recently, and he's thinking it's coming from the editor and they don't even need access to the admin area. This time, the only page that was changed was the home page and they did not change anything else.

It can't be direclty through HTML editor. Did you protect your pages with securityAssist? The CMS content comes from the database right? Power CMS?

They hacked your database, not FCK Editor. They had to get into your admin back end or get direct access to your database to do it.

I'd change my database username / password and make sure you have session level security on all the pages that access the database. Honestly I don't think FCK is the problem in this case.

I am not using Power CMS - I built my own. Yes, I am using security assist and all of the pages use an included header file, which is protected by security assist. I did change all of the admin passwords when this happened two weeks ago, to something that a password generator created. Now I'm really confused because one of the tech support people at my ISP is telling me that he's encountered numerous security issues directly related to FCK Editor.

In my opinion, he is wrong... there is no way to directly hack into your database from FCK Editor. If they changed or deleted images it could be FCK Editor, but you can't get access to the datbase from FCK editor alone. The problem has to be getting into your admin back end or getting into your database directly.

What else do you think I can do to protect this site? I have many other PHP-CMS sites on this server and they have not been touched. I changed all my passwords in all of my sites (databases and admin areas), but someone this one still got hacked. No images uploaded - just text.

Could be SQL injection somewhere... What is the URL? I can take a quick look to see if I can find SQL injection holes...

One thing you can do is create a database user with read-only access and make sure that is the one used on the front end so that SQL injection won't be possible for updating the database anyway.

How old is the site? What version of Dreamweaver did you use to build it? Dreamweaver Recordsets used to have SQL injection vulnerabilities, but those have been fixed for a couple of years now.

Given your explanation I think SQL injection is the most likely candidate.

www.diamondqa.com

I'm still using DW CS3, not 4 - haven't upgraded yet.

The entire site is dynamic, including the menu items. The client can actually build menu items and add content to those menu items through her admin area.

I'm not sure I understand this statement:

One thing you can do is create a database user with read-only access and make sure that is the one used on the front end so that SQL injection won't be possible for updating the database anyway.

Are you talking about when I set up the connection through Dreamweaver?

Thanks, Ray!