sometimes one awakens when an important site is hacked...
... google shows a lot of hacks from somebody from turkey. This demonstrates that there is at least two exploits for CMSIMPLE.
Up to now i have found the following which is is described *here*:
Edit by Holger:
Thanks for your help and your first-aid solution!
But please, do not quote exploits or link to sites with exploits in this forum. We won't fill googles index with such stuff.
/Holger
As a first aid protection one might consider blocking access to URLs containing the argument "sl=" on the webserver. In nginx, an appropriate rewrite rule might look like this:
Code: Select all
location / {
root /var/www/example.com;
index index.html;
fastcgi_index index.php;
if ( $args ~ "sl=" ) {
return 403;
}
include /etc/nginx/fastcgi_params;
In apache, this should probably be done within an appropriate .htaccess.
I have not tested it for possible side effects except that page editing and downloads of regular content through the cms still works.
This should be taken as a first aid only, until a real fix is available
Beate