Intrusion into Cmsimple 3.1
Re: Intrusion into Cmsimple 3.1
Isn't your problem some sort of my experience mentioned here: http://cmsimpleforum.com/viewtopic.php?f=5&t=930 and here: http://cmsimpleforum.com/viewtopic.php? ... lit=attack ?
Last edited by Tata on Tue Aug 09, 2011 9:41 pm, edited 1 time in total.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.
Re: Intrusion into Cmsimple 3.1
cmb wrote:
> Hello Beate,
> beate_r wrote:
> > Which raises the question how the (old) menumanager behaves in non-XH installations.
> I have no idea. I don't have the old version, so I can't test it. Perhaps somebody else could give a hint?
AFAIK there had been only small flaws in older Menumanager versions together with classic CMSimple versions like <hx>..</Hx> -tags, nothing important. The only real problems I know came up with pagedata.php.
KR
Holger
Re: Intrusion into Cmsimple 3.1
Hello Holger,
thank you for this clarification.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Intrusion into Cmsimple 3.1
Hello Holger,
Holger wrote:
> AFAIK there had been only small flaws in older Menumanager versions together with classic CMSimple versions like <hx>..</Hx> -tags, nothing important.
Since we write quite a lot of HTML directly there, mostly with oedit in source mode, we can of course easily trigger problems at this point. What exactly was the issue there?
But for now I'll take care of the login first, on the development system.
Beate
Re: Intrusion into Cmsimple 3.1
Ok, I just noticed that the version of menumanager is BETA-1
Really old, isn't it?
Beate
Re: Intrusion into Cmsimple 3.1
Hello Beate,
where was this version noted? My version (I've downloaded about 3 months ago, so it should be the newest) states in help.htm: 2009c, in admin.php and preview.htm 2008c.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
Re: Intrusion into Cmsimple 3.1
2006c in help.php
BTW: what do you think about integrating the login code snippet or better a modified version of it into XH?
It needs a third call to login_allowed() with the logincheck() of the else clause of the 2nd case, doesn't it?
What about storing the interval in the stamp file and taking the time from its directory entry - would allow increase of time with every failed attempt?
Beate
Re: Intrusion into Cmsimple 3.1
Hello Beate,
beate_r wrote:
> 2006c in help.php
Sounds quite old. But I can't say more about this issue. Perhaps somebody else could?
beate_r wrote:
> it needs a third call to login_allowed() with the logincheck() of the else clause of the 2nd case, doesn't it?
Yes, you're right. Thanks for pointing this out. I'll make the changes to the posted code.
beate_r wrote:
> what about storing the interval in the stamp file and taking the time from its directory entry - would allow increase of time with every failed attempt?
That's possible, but it might be easier to store both the interval and the timestamp in the file. But you should be careful with increasing the time. If someone tries to hack the site by brute force, a further login might not be possible anymore. And if the user gives the wrong password in his first attempt, and is impatient, he might not be able to log in.
beate_r wrote:
> BTW: what do You think about integrating the login code snippet or better a modified version of it into XH ?
Probably the logging of failed attempts will be included with the next version. And perhaps an even better way to avoid being hacked by brute force or cookie stealing.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH
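The throttle discussed in the two posts above, with both the interval and the timestamp kept in the stamp file, as an added PHP example that is not the login snippet posted in this forum and not CMSimple_XH code. The function names, the "interval timestamp" file format, the cap and the demo password are assumptions; the cap and the reset on success are there so that a brute-force run or one mistyped password cannot keep the site owner out for long.

```php
<?php
// Added example; every name and constant below is hypothetical.
const THROTTLE_BASE = 2;    // seconds to wait after the first failed attempt
const THROTTLE_MAX  = 300;  // upper bound on the delay, limits self-inflicted lockout

// Read [interval, timestamp] from the stamp file; missing or damaged file means "no delay".
function throttle_read(string $file): array
{
    $raw = @file_get_contents($file);
    if ($raw === false || !preg_match('/^(\d+) (\d+)$/', trim($raw), $m)) {
        return [0, 0];
    }
    return [(int) $m[1], (int) $m[2]];
}

// Seconds that must still pass before a password is checked at all.
function throttle_remaining(string $file, int $now): int
{
    [$interval, $stamp] = throttle_read($file);
    return max(0, $stamp + $interval - $now);
}

// Handle one attempt. $verify stands in for the site's own password check.
function throttled_login(string $file, string $password, callable $verify, int $now): string
{
    if (throttle_remaining($file, $now) > 0) {
        return 'wait';                                  // password is not even examined
    }
    if ($verify($password)) {
        file_put_contents($file, "0 $now", LOCK_EX);    // success resets the delay
        return 'ok';
    }
    [$interval] = throttle_read($file);
    $next = min(THROTTLE_MAX, max(THROTTLE_BASE, $interval * 2));
    file_put_contents($file, "$next $now", LOCK_EX);    // failure doubles the delay, up to the cap
    return 'denied';
}

// Constructed demo with a simulated clock: wrong passwords, then the right one.
$file = tempnam(sys_get_temp_dir(), 'stamp');
$verify = fn(string $p): bool => hash_equals('correct horse', $p);
$t = 1000;
foreach (['a', 'b', 'c', 'correct horse', 'correct horse'] as $pw) {
    $result = throttled_login($file, $pw, $verify, $t);
    printf("t=%d %-6s remaining=%d\n", $t, $result, throttle_remaining($file, $t));
    $t += 3;
}
unlink($file);
```

The read and the write are two separate file operations, so concurrent requests can race; a single global stamp file also delays everyone, which is the trade-off raised in the reply above.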
Re: Intrusion into Cmsimple 3.1
Considering the limited time I have, I think my strategy is quite clear now: upgrade the menumanager and then wait for XH 1.5 (I'll also need to upgrade the forum and expect a lot of work mainly due to the self modified theme).
Thanks very much for the quick response.
Beate
Re: Intrusion into Cmsimple 3.1
Hello Beate,
beate_r wrote:
> my strategy is quite clear now: upgrade the menumanager and then wait for XH 1.5 (i'll also need to upgrade the forum ...)
Indeed that might be best.
Christoph
Christoph M. Becker – Plugins for CMSimple_XH