[geeklog-devel] security issue editor(s)

Tom websitemaster at cogeco.net
Sat May 17 12:44:51 EDT 2014


>> Well, if GoogleBot tries to login, it should be blocked immediately,
>> don't you agree?

Actually I was referring to Googlebot for some reason trying to access my
admin page for the Gus plugin. To fix this I should really block Googlebot
from the directory using robots.txt. What I was trying to say is I don't
really want an automated process to accidentally block Googlebot from access
to my entire site.

From: geeklog-devel [mailto:geeklog-devel-bounces at lists.geeklog.net] On
Behalf Of Wim Niemans
Sent: May-17-14 11:29 AM
To: Geeklog Development
Subject: Re: [geeklog-devel] security issue editor(s)
The downside of using popular open source code for different features is you
will get bots looking for security holes. I get tons of bots hitting my
site looking for specific WordPress and Joomla files.

Quite interesting. I've been running GL now for more than 10 years, and my new
site gains about 1Gb/month access without a clear clue why.

I'm blocking any IP that tries to login more than 1 time in a second. My
Apache log now contains almost exclusively the Apache access-denied
message.

And this makes me wonder. I run several sites, and this one is the only one
with heavy hacker access, and has been for 10 years. It's also the only one
running GL 2.

I have 2 thoughts on this:

[1]: there must be something resident in GL that attracts hackers and
the like. Maybe it is just the published access log?

[2]: this type of access would be useful to earn some money, for instance with
AdWords on these specific spots and registration pages.

One feature request to maybe make things more secure is that we could allow
only so many requests by an IP to a feature they don't have access to before
it is blocked for a period of time. The problem with this is we could also
end up blocking Googlebot etc. by accident (when they try to access stuff
they shouldn't).

Well, if GoogleBot tries to login, it should be blocked immediately, don't
you agree?

And all these accesses to non-authorised places could be equipped with
targeted ads. Isn't that a great way to exploit hacking?

I see a lot of login/registration spoofing with disposable email addresses
(that live for 30 mins).

And I think the easy way to avoid these spammer logins/registrations would
be setting a cookie with a one-time token. That cookie exists as long as the
new user needs to come again after receiving the confirmation email. Which
means that next access is only granted when the site is visited again with
the very same browser instance.

Wim

On 17 May 2014, at 16:52, Tom <websitemaster at cogeco.net> wrote:

I believe it was Dengen who integrated the CKEditor so hopefully he will
provide a more in-depth answer.
I have never really taken a good look at the editor code but pre-Geeklog
2.0.0 the FCKEditor files were always accessible by anyone who knew the
exact URL (just like now).

I assume that the authors of the editor software have taken this into
account and provided the necessary security measures.
For the file manager / editor php files that tie in with Geeklog, they
either do not allow direct access or have Geeklog's security in place to
make sure the user has access to the feature. This is the same type of
security used to access our admin interface etc.
The downside of using popular open source code for different features is you
will get bots looking for security holes. I get tons of bots hitting my
site looking for specific WordPress and Joomla files.

One feature request to maybe make things more secure is that we could allow
only so many requests by an IP to a feature they don't have access to before
it is blocked for a period of time. The problem with this is we could also
end up blocking Googlebot etc. by accident (when they try to access stuff
they shouldn't).

As far as htaccess, that is not my expertise (I am an IIS guy) so maybe
someone else can comment on it.

Tom
From: geeklog-devel [mailto:geeklog-devel-bounces at lists.geeklog.net] On
Behalf Of Wim Niemans
Sent: May-16-14 7:09 PM
To: Geeklog Development
Subject: [geeklog-devel] security issue editor(s)

See http://project.geeklog.net/tracking/view.php?id=1763

Summary: editor files are wide open for abuse
Description:
If an anonymous attacker 'knows' the exact URL, all files of FCKeditor are
wide open for abuse.
Some HTML display errors, like no valid XML response from server, and all
PHP execute.
Maybe this is also true for the CKeditor.

Additional Information:
Can this be solved by an htaccess entry?
----------------------------------------------------------------------
This needs special attention because attacks are detected on the file
manager connector already.

Wim
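
The rate-limiting idea discussed in this thread (block an IP after repeated requests to features it may not access, without accidentally blocking Googlebot), as an added example that is not part of the thread or of Geeklog's code: it parses constructed Apache combined-log lines, counts 401/403 responses per IP in a sliding window, and spares an IP only when forward-confirmed reverse DNS verifies it as a Google crawler. The sample log lines, the 60-second window, the threshold of 3 and the injectable resolver functions (so the check runs offline) are all assumptions.

```python
import re
import socket
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" log lines (sample data, not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [17/May/2014:11:20:01 -0400] "POST /users.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2014:11:20:01 -0400] "POST /users.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/May/2014:11:20:02 -0400] "POST /users.php HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.9 - - [17/May/2014:11:21:10 -0400] "GET /admin/plugins/gus/index.php HTTP/1.1" 403 231 "-" "Googlebot/2.1"
198.51.100.9 - - [17/May/2014:11:21:11 -0400] "GET /admin/plugins/gus/index.php HTTP/1.1" 403 231 "-" "Googlebot/2.1"
198.51.100.9 - - [17/May/2014:11:21:12 -0400] "GET /admin/plugins/gus/index.php HTTP/1.1" 403 231 "-" "Googlebot/2.1"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
DENIED = {401, 403}  # the "access denied" responses we count per IP

def parse_line(line):
    """Return (ip, timestamp, status, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(3)), m.group(4)

def verify_crawler(ip, gethostbyaddr=socket.gethostbyaddr, gethostbyname=socket.gethostbyname):
    # Forward-confirmed reverse DNS: a "Googlebot" User-Agent proves nothing, so trust an IP
    # only if its PTR name is under Google's crawler domains AND resolves back to the same IP.
    try:
        host = gethostbyaddr(ip)[0]
        return host.endswith((".googlebot.com", ".google.com")) and gethostbyname(host) == ip
    except OSError:
        return False

def find_offenders(log_text, threshold=3, window_seconds=60, is_trusted=lambda ip: False):
    """Flag IPs that collect `threshold` or more denied responses within `window_seconds`.
    Verified crawlers land in `spared` instead of `blocked` (the Googlebot caveat)."""
    recent, blocked, spared = defaultdict(deque), set(), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in DENIED:
            continue
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop hits outside the window
            q.popleft()
        if len(q) >= threshold:
            (spared if is_trusted(ip) else blocked).add(ip)
    return blocked, spared
```

A crawler that is only spared by verified reverse DNS still shows up in `spared`, so the admin directory it keeps probing can be excluded in robots.txt as discussed above rather than blocked at the IP level.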