Intrusion into Cmsimple 3.1

A place for security related announcements and discussions - please check this forum frequently!
Tata
Posts: 2747
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: Intrusion into Cmsimple 3.1

Post by Tata » Tue Aug 09, 2011 3:38 pm

Isn't your problem some sort of my experience mentioned here: http://cmsimpleforum.com/viewtopic.php?f=5&t=930 and here: http://cmsimpleforum.com/viewtopic.php? ... lit=attack ?
Last edited by Tata on Tue Aug 09, 2011 9:41 pm, edited 1 time in total.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Holger
Site Admin
Posts: 2876
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany
Contact:

Re: Intrusion into Cmsimple 3.1

Post by Holger » Tue Aug 09, 2011 8:20 pm

cmb wrote:Hello Beate,
beate_r wrote: Which rises the question how the (old) menumanager behaves in non-XH installations.
I have no idea. I don't have the old version, so I can't test it. Perhaps somebody else could give a hint?
AFAIK there had been only small flaws in older Menumanager versions together with classic CMSimple versions like <hx>..</Hx> -tags,
nothing important. The only real problems I know came up with pagedata.php.

KR
Holger

cmb
Posts: 12718
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: Intrusion into Cmsimple 3.1

Post by cmb » Tue Aug 09, 2011 10:13 pm

Hello Holger,

thank you for this clarification. :)

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

beate_r
Posts: 171
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: Intrusion into Cmsimple 3.1

Post by beate_r » Wed Aug 10, 2011 10:41 am

Hallo Holger,
Holger wrote: AFAIK there had been only small flaws in older Menumanager versions together with classic CMSimple versions like <hx>..</Hx> -tags,
nothing important.
Da wir dort ziemlich viel direkt HTML schreiben, meist mit oedit im Source-Modus, können wir natürlich leicht Probleme an dieser Stelle triggern. Was war denn da genauer?

Aber fürs erste kümmere ich mich mal um das Login, und zwar auf dem Entwicklungssystem.

Beate

beate_r
Posts: 171
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: Intrusion into Cmsimple 3.1

Post by beate_r » Wed Aug 10, 2011 12:49 pm

Ok, i just noticed that the version of menumanager is BETA-1
Really old, isn't it?

Beate

cmb
Posts: 12718
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: Intrusion into Cmsimple 3.1

Post by cmb » Wed Aug 10, 2011 12:56 pm

Hello Beate,

where was this version noted? My version (I've downloaded about 3 months ago, so it should be the newest) states in help.htm: 2009c, in admin.php and preview.htm 2008c. :?

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

beate_r
Posts: 171
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: Intrusion into Cmsimple 3.1

Post by beate_r » Wed Aug 10, 2011 1:18 pm

2006c in help.php

BTW: what do You think about integrating the login code snippet or better a modified version of it into XH ?

it needs a third call to login_allowed() with the logincheck() of the else clause of the 2nd case, doesn't it?
what about storing the interval in the stamp file and taking the time from its directory entry - would allow increase of time with every failed attempt?


Beate

cmb
Posts: 12718
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: Intrusion into Cmsimple 3.1

Post by cmb » Wed Aug 10, 2011 1:45 pm

Hello Beate,
beate_r wrote: 2006c in help.php
Sounds quite old. But I can't say more about this issue. Perhaps somebody else could?
beate_r wrote: it needs a third call to login_allowed() with the logincheck() of the else clause of the 2nd case, doesn't it?
Yes, you're right. Thanks for pointing this out. I'll make the changes to the posted code.
beate_r wrote: what about storing the interval in the stamp file and taking the time from its directory entry - would allow increase of time with every failed attempt?
That's possible, but it might be easier to store both the interval and the timestamp in the file. But you should be careful with increasing the time. If someone tries to hack the site by brute force, a further login might not be able anymore. And if the user gives the wrong password in his first attempt, and is impatient, he might not be able to log in.
beate_r wrote: BTW: what do You think about integrating the login code snippet or better a modified version of it into XH ?
Probably the loggin of failed attemps will be included with the next version. And perhaps an even better way to avoid being hacked by brute force or cookie stealing.

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

beate_r
Posts: 171
Joined: Thu May 22, 2008 11:44 pm
Location: Hessen / Germany

Re: Intrusion into Cmsimple 3.1

Post by beate_r » Thu Aug 11, 2011 11:43 am

Considering the limited time i have think my strategy is quite clear now: upgrade the menumanger and then wait for XH 1.5 (i'll also need to upgrade the forum and expect a lot of work mainly due to the self modified theme).

Thanks very much for the quick response.

Beate

cmb
Posts: 12718
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: Intrusion into Cmsimple 3.1

Post by cmb » Thu Aug 11, 2011 11:54 am

Hello Beate,
beate_r wrote: my strategy is quite clear now: upgrade the menumanger and then wait for XH 1.5 (i'll also need to upgrade the forum ...)
Indeed that might be best.

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

Post Reply