
sNews Hax0rs, Vanilla & Security (XSS/Exploits protection)

TomTester
edited February 2007 in Vanilla 1.0 Help
Peeps,

Just read a whole discussion on the sNews site regarding recent hacks of that CMS
(if you're not familiar with sNews, the one-file CMS that is easy to customize, look
at http://www.solucija.com).

The bottom line is that a 'popular' skript-kiddie hacker site (link below) posted an
exploit on-line that was immediately used to hack several popular sNews-based sites.

I'm not a security expert, but for those of you who are, perhaps these pages are of
use to make sure that Vanilla isn't susceptible to similar hacks.

Exploit site: http://retrogod.altervista.org/
(wanted to avoid showing up in this guy's referral logs to ensure we do not wake
any sleeping dogs, so copy/paste the URL above and remove the {removeme} plz.
// Edit by Mark - removed the "removeme"s and formatted the text as html so it doesn't autolink.)

Related: a very interesting discussion on securing against XSS exploits and prospective
protection can be found here: http://www.jungsonnstudios.com/blog/

Hope this is of use to someone here... Mark perhaps?

T.

PS the latest *secure* version of sNews can be found here: http://www.ni5ni6.com/

Comments

  • Related to this, would it not discourage at least a few hackers from hacking you if they couldn't see what version of the software you were using at a simple glance? I mean sure, some hacks work for ALL existing versions, but once it gets patched, a hacker might have to think twice if they can't see what version you are running. Or does it not work this way at all?

    It would be easy enough to move the version number of the software to an admin only page, perhaps in the extensions?
  • Security by obfuscation usually makes little sense, but... as the sites I included showed they use Google to find prospective targets... (aka the DORK code). Hence, removing or changing the default Vanilla tagline/version indicator may actually make some sense (e.g. replace by image)
  • I'm not suggesting that it will make Vanilla hack proof, simply that it makes it a little harder, a little more effort to attack a site if you don't know in a split second that you're running version X of software Y. Think of it like shredding your sensitive documents at home. It's not going to stop someone who really wants to steal your identity, but it makes it enough of a fag that they might just go and pick on someone else who isn't trying at all. Part of the solution, not the whole thing :)
  • http://ha.ckers.org/ is another great site for XSS. I recently posted on their forum requesting some feedback on the html formatter and found rsnake (the webmaster) and the other forum members (ironically including jungsonn) to be extremely helpful.
  • There is also a blog entry about it ;-) http://ha.ckers.org/blog/20070124/stopping-xss-but-allowing-html-is-hard/ Visit also: http://jeremiahgrossman.blogspot.com/ http://www.gnucitizen.org/ (on this one you might want to look at the articles on adding JavaScript to images, .mov, mp3, etc.).