[geeklog-devel] security issue editor(s)

Wim Niemans niemans at nlbox.com
Sat May 17 11:28:35 EDT 2014


> The downside of using popular open source code for different features is you will get bots looking for security holes.  I get tons of bots hitting my site looking for specific wordpress and joomla files.

Quite interesting. I’ve been running GL for more than 10 years now, and my new site gets about 1Gb/month of access without a clear clue why.
I’m blocking any IP that tries to log in more than once per second. My Apache log now contains almost exclusively Apache’s access denied message.
And this makes me wonder. I run several sites, and this one is the only one with heavy hacker access, for 10 years now. It’s also the only one running GL 2.
I have 2 thoughts on this:
[1]: there must be something resident in GL that attracts hackers and the like. Maybe it is just the published access log?
[2]: this type of access would be useful for earning some money, e.g. with AdWords on these specific spots and registration pages.

>  One feature request to maybe make things more secure is that we could allow only so many requests by an IP to a feature they don’t have access to before it is blocked for a period of time. The problem with this is we could also end up blocking Googlebot etc. by accident (when they try to access stuff they shouldn’t)


Well, if GoogleBot tries to log in, it should be blocked immediately, don’t you agree?
And... all these accesses to non-authorised places could be equipped with targeted ads. Isn’t that a great way to exploit hacking?

I see a lot of login/registration spoofing with disposable email addresses (that live 30 minutes).
And I think the easy way to avoid these spammer logins/registrations would be to set a cookie with a one-time token. That cookie exists for as long as the new user needs to come back after receiving the confirmation email, which means that the next access is only granted when the site is visited again with the very same browser instance.

Wim

On 17 May 2014, at 16:52, Tom <websitemaster at cogeco.net> wrote:

> I believe it was Dengen who integrated the CKEditor so hopefully he will provide a more in-depth answer.
>  
> I have never really taken a good look at the editor code, but pre-Geeklog 2.0.0 the FCKEditor files were always accessible by anyone who knew the exact URL (just like now).
>  
> I assume that the authors of the editor software have taken this into account and provided the necessary security measures.
>  
> For the file manager / editor php files that tie in with Geeklog, they either do not allow direct access or have Geeklog’s security in place to make sure the user has access to the feature. This is the same type of security used to access our admin interface etc…
>  
> The downside of using popular open source code for different features is you will get bots looking for security holes.  I get tons of bots hitting my site looking for specific wordpress and joomla files.
>  
> One feature request to maybe make things more secure is that we could allow only so many requests by an IP to a feature they don’t have access to before it is blocked for a period of time. The problem with this is we could also end up blocking Googlebot etc. by accident (when they try to access stuff they shouldn’t)
>  
> As far as htaccess goes, that is not my expertise (I am an IIS guy), so maybe someone else can comment on it
>  
> Tom
>  
> From: geeklog-devel [mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Wim Niemans
> Sent: May-16-14 7:09 PM
> To: Geeklog Development
> Subject: [geeklog-devel] security issue editor(s)
>  
>  
> See http://project.geeklog.net/tracking/view.php?id=1763 
>  
> Summary:                    editor files are wide open for abuse
> Description: 
> If an anonymous attacker 'knows' the exact URL, all files of FCKeditor are wide
> open for abuse.
> Some of the HTML displays errors (like 'no valid XML response from server'), and all
> of the PHP executes.
> Maybe this is also true for the CKeditor.
> 
> Additional Information: 
> Can this be solved by a htaccess entry?
> ---------------------------------------------------------------------- 
> This needs special attention because attacks are detected on the file manager
> connector already. 
>  
> Wim
>  
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net
> http://eight.pairlist.net/mailman/listinfo/geeklog-devel
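On the htaccess question in the quoted report, an added example (mine, not code from Geeklog or from the editor vendors) of what such entries could look like. The directory names are assumptions about where FCKeditor lives under Geeklog's public_html and where its connector uploads to; the idea is to refuse the shipped sample pages outright, keep only the two connector entry points the browser actually calls reachable, and make sure nothing in the upload directory can ever execute server-side:

```apache
# 1. fckeditor/_samples/.htaccess  (likewise _testcases/, and ckeditor/samples/
#    if shipped): demo pages are never needed in production, refuse them.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# 2. fckeditor/editor/filemanager/connectors/php/.htaccess (assumed layout):
#    every .php in here is an include, not a page, except the two entry points
#    the editor's file browser requests from the client side.
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
<FilesMatch "^(connector|upload)\.php$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>

# 3. .htaccess in the directory the connector uploads into (FCKeditor's default
#    was userfiles/; Geeklog may configure another): uploads are data, never code.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[3-7]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

These only take effect where the virtual host's AllowOverride permits them (Limit and AuthConfig; Options as well for php_flag), and with "Require all denied" Apache answers 403, which is the access denied entry that then shows up in the log. They do not replace the Geeklog session check inside connector.php and upload.php: those two must stay callable from the browser for the file manager to work, so the check that the caller is a logged-in user with the right permissions has to live in the PHP. IIS has an equivalent in web.config's request filtering section.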

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist8.pair.net/pipermail/geeklog-devel/attachments/20140517/1d64a48e/attachment.html>
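An added example (mine, not Geeklog code) of the per-IP blocking discussed in the reply above and in Tom's feature request. It reads Apache combined-format log lines, counts login attempts and 403 responses per client in a sliding window, blocks a client for a while once it passes the threshold, and exempts only crawlers that pass the reverse-then-forward DNS check Google documents for Googlebot, so a client merely claiming "Googlebot" in its User-Agent is still blocked. The log lines are constructed, the login URL (/users.php) is an assumption about Geeklog, and the DNS answers come from an inline table so the example runs offline:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a brute-forcer, an ordinary visitor, a client faking a
# Googlebot User-Agent, and a genuine crawler poking at a forbidden area.
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2014:11:20:01 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2014:11:20:01 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2014:11:20:02 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2014:11:20:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [17/May/2014:11:21:05 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2014:11:25:00 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [17/May/2014:11:26:00 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Googlebot/2.1"
192.0.2.9 - - [17/May/2014:11:26:00 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Googlebot/2.1"
192.0.2.9 - - [17/May/2014:11:26:01 +0000] "POST /users.php HTTP/1.1" 200 512 "-" "Googlebot/2.1"
192.0.2.10 - - [17/May/2014:11:27:00 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Googlebot/2.1"
192.0.2.10 - - [17/May/2014:11:27:01 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Googlebot/2.1"
192.0.2.10 - - [17/May/2014:11:27:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Googlebot/2.1"
"""

# Constructed DNS data standing in for socket.gethostbyaddr/gethostbyname.
REVERSE = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com", "192.0.2.9": "host9.example.net"}
FORWARD = {"crawl-192-0-2-10.googlebot.com": "192.0.2.10", "host9.example.net": "192.0.2.9"}
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def sample_reverse(ip):
    return REVERSE.get(ip)


def sample_forward(host):
    return FORWARD.get(host)


def is_unauthorized_attempt(method, path, status):
    # Assumption: Geeklog's login form posts to users.php.  Any 403 is also a
    # request for a feature the client was not allowed to use.
    return (method == "POST" and path.split("?")[0] == "/users.php") or status == 403


def is_verified_crawler(ip, reverse_lookup, forward_lookup):
    """Reverse DNS must land in a known crawler domain AND forward-resolve back
    to the same IP; the User-Agent string is never consulted."""
    host = reverse_lookup(ip)
    if not host or not host.endswith(CRAWLER_SUFFIXES):
        return False
    return forward_lookup(host) == ip


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_blocks(lines, reverse_lookup, forward_lookup, threshold=3,
                window=timedelta(seconds=60), block_for=timedelta(minutes=15)):
    """Return {ip: blocked_until} for clients making `threshold` or more
    unauthorized attempts inside any `window`; verified crawlers are exempt and
    hits arriving during an active block are not counted again."""
    recent = defaultdict(deque)
    blocked_until = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not is_unauthorized_attempt(rec["method"], rec["path"], rec["status"]):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if ip in blocked_until and ts < blocked_until[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            q.clear()
            if not is_verified_crawler(ip, reverse_lookup, forward_lookup):
                blocked_until[ip] = ts + block_for
    return blocked_until


def demo():
    return find_blocks(SAMPLE_LOG.splitlines(), sample_reverse, sample_forward)
```

In a real deployment the two lookups are socket.gethostbyaddr() and socket.gethostbyname(), cached and only run when a client has already tripped the threshold, and the returned dict feeds a firewall rule or a deny list rather than being kept in memory.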
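An added example (mine, not Geeklog code) of the one-time-token cookie Wim describes for registrations. Two independent random tokens are issued at signup: one goes into the confirmation link, the other into a cookie on the registering browser, and confirmation succeeds only when both are presented together, once, before the pending registration expires. Only hashes of the tokens are stored. The 24-hour lifetime and the in-memory store are assumptions:

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CONFIRM_WINDOW = timedelta(hours=24)  # assumption: how long a pending signup lives


def _digest(token):
    # Only hashes are stored, so a leaked pending-registration table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class PendingRegistrations:
    def __init__(self):
        self._pending = {}  # digest(email_token) -> record

    def start(self, email, now):
        """Create a pending registration and return (email_token, cookie_token).
        email_token goes into the confirmation link; cookie_token is set as a
        cookie on the browser that filled in the form."""
        email_token = secrets.token_urlsafe(32)
        cookie_token = secrets.token_urlsafe(32)
        self._pending[_digest(email_token)] = {
            "email": email,
            "cookie_digest": _digest(cookie_token),
            "expires": now + CONFIRM_WINDOW,
        }
        return email_token, cookie_token

    def confirm(self, email_token, cookie_token, now):
        """Return the confirmed address, or None.  Succeeds only once, only
        before expiry, and only when the link token and the cookie token belong
        to the same pending registration, i.e. the same browser came back."""
        key = _digest(email_token)
        rec = self._pending.get(key)
        if rec is None:
            return None
        if now > rec["expires"]:
            del self._pending[key]
            return None
        if cookie_token is None or not hmac.compare_digest(rec["cookie_digest"], _digest(cookie_token)):
            return None  # link opened from a different browser: refuse
        del self._pending[key]  # one-time use
        return rec["email"]
```

The cookie should be HttpOnly, Secure on HTTPS, and scoped to the confirmation path; someone who only reads the confirmation mail in a disposable mailbox from another machine then holds half of what is needed.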

