Possible Security Problem

2 posts by 2 authors in: Forums > CMS Builder
Last Post: August 1, 2016   (RSS)

By mark99 - July 29, 2016 - edited: July 29, 2016

A few days ago CMS Builder's (currently on v3.05) excellent error logging picked up some unusual issues, which thanks to the detailed log looked to me like attack traffic.

It started with a bunch of errors like this on the main /system/admin.php file (line 2406):

E_USER_NOTICE: Security Error: No _CSRFToken exists in session. Try reloading previous page.

On $_GET = we see:

Array
(
)

On $_POST = we see:

Array
(
    [send] => 1
    [action] => submit
    [menu] => forgotPassword
    [usernameOrEmail] => jmoqgcvj
    [_CSRFToken] => 8fe832391ea5645db3025a08dd5ff2b10d14fa73
)

On $_REQUEST = we see:

Array
(
    [send] => 1
    [action] => submit
    [menu] => forgotPassword
    [usernameOrEmail] => jmoqgcvj
    [_CSRFToken] => 8fe832391ea5645db3025a08dd5ff2b10d14fa73
)

After apparently failing to get in that way the attacker then tried to attack our public facing html output for CMS Builder and we saw a lot of these errors on related pages:

E_NOTICE: Undefined offset: 0
/***/cms/system/lib/viewer_functions.php (line 1033)
http://www.******.com/isp_list/Output_List.php

This looked like a sort of SQL injection attack, with the attacker trying to read the data and then post their own content into the system. The error and a quick manual check of the database suggests they weren't able to push the data in, but they might have been able to read the database tables.

Most of the attempts didn't give enough feedback in the error log for me to know precisely what approach they were taking, but some appeared to try and append a call onto the end of our public output file (e.g. /isp_list/Output_List.php). So we saw things like this:

/isp_list/Output_List.php?land_line_broadband_type[$acunetix]=1

/isp_list/Output_List.php?title_keyword&page[$acunetix]=1

/isp_list/Output_List.php?orderBy[$acunetix]=1

The "orderBy" one is sanitised in our code, so should be safe, and title_keyword is only used once on the page in an HTML search form input (name="title_keyword") for searching by product title. Meanwhile land_line_broadband_type isn't even used on that page (it's just a simple text list of different broadband Internet technologies), but we see things like this for that one (example below):

On $_GET = we see:

Array
(
    [land_line_broadband_type] => Array
        (
            [$acunetix] => 1
        )

)

On $_POST = we see:

Array
(
)

On $_REQUEST = we see:

Array
(
    [land_line_broadband_type] => Array
        (
            [$acunetix] => 1
        )

)

The use of $acunetix in the code is interesting and I wonder if this is just somebody running the http://www.acunetix.com/ vulnerability scanner on the system or if it's something I should be worried about?

By Dave - August 1, 2016

Hi mark99, 

The use of $acunetix in the code is interesting and I wonder if this is just somebody running the http://www.acunetix.com/ vulnerability scanner on the system or if it's something I should be worried about?

I think that's probably it.  We get thousands of automated hack attempts a day on our own site.  Mostly they're looking for known vulnerabilities in common scripts like WordPress and exploitable code.

I wouldn't worry about it on its own.  The logging is likely just caused by unexpected input from the user or us wanting to log unknown situations.  If you like, though, if it keeps showing up in your logs you could send me some additional examples and I could update the code in CMSB to not log those situations.

Also, if you have custom PHP code you are unsure about and you'd like us to have a quick look at it to make sure it's secure just let me know.  Typically you just want to make sure you MySQL-escape any user inputs (e.g. $_REQUEST, $_GET, $_POST, etc).

Hope that helps!  Let me know any other questions.

Dave Edis - Senior Developer
interactivetools.com
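As an added example (not CMS Builder's code and not from either poster): how a `param[$acunetix]=1` probe like the ones in the log turns a scalar parameter into an array in PHP's `$_GET`, and a request-handling pattern that rejects such values and keeps the `orderBy` and `page` inputs out of the SQL text entirely. The table and column names and the 20-row page size are assumptions; the keyword reaches the query only through a `?` placeholder to be bound later, rather than being MySQL-escaped into the string.

```php
<?php
// Added example, not CMS Builder's code. Table/column names are assumed.
// Constructed query strings modelled on the probes shown in the error log above.
$probes = [
    'orderBy=title',                    // ordinary request: orderBy is a string
    'orderBy[$acunetix]=1',             // scanner probe: orderBy becomes an array
    'title_keyword&page[$acunetix]=1',  // title_keyword is empty, page is an array
];

// Return a request value only if it is a plain string; arrays (foo[bar]=1) and
// missing keys both yield null, so later code never indexes into unexpected types
// (the source of "Undefined offset" notices when code assumes a scalar).
function requestScalar(array $request, string $name): ?string {
    if (!array_key_exists($name, $request)) { return null; }
    return is_string($request[$name]) ? $request[$name] : null;
}

// orderBy maps to a fixed list of ORDER BY clauses: escaping does not protect
// identifiers, so user text must never be spliced into this part of the query.
function safeOrderBy(?string $value): string {
    $allowed = ['title' => 'title ASC', 'title_desc' => 'title DESC', 'date' => 'createdDate DESC'];
    return $allowed[$value ?? ''] ?? 'title ASC';
}

// Page number must be a positive integer; anything else (missing, array, junk) is page 1.
function safePage(?string $value): int {
    return ($value !== null && ctype_digit($value) && (int)$value > 0) ? (int)$value : 1;
}

foreach ($probes as $qs) {
    $get = [];
    parse_str($qs, $get);  // the same parsing PHP applies to build $_GET
    $orderBy = requestScalar($get, 'orderBy');
    $page    = requestScalar($get, 'page');
    $keyword = requestScalar($get, 'title_keyword') ?? '';  // bound to the ? placeholder, never concatenated
    $offset  = (safePage($page) - 1) * 20;
    $sql = 'SELECT num, title FROM `isp_list` WHERE title LIKE ? ORDER BY ' . safeOrderBy($orderBy)
         . " LIMIT $offset, 20";
    printf("%-32s orderBy=%-8s page=%s\n  %s  (bind: %s)\n",
        $qs, var_export($orderBy, true), var_export($page, true), $sql, var_export("%$keyword%", true));
}
```

Array-valued parameters are rejected before any SQL is built, so the probe requests fall through to the default ordering and first page instead of producing notices.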