I support a handful of sites that use Concrete5 and two sites have had vulnerabilities exploited in the past 8 months. This last time, the vulnerability was in the VideoJS add-on.
Concrete5 is gaining popularity. This is great, but along with the benefits come the drawbacks such as becoming a bigger target for malware. I would love to see a forum within the C5 site that is dedicated to the reporting and resolving of vulnerabilities and exploits... not only C5 itself, but also any add-on. This forum could make it much easier for site admins to sort out, resolve, and maybe even prevent attacks.
Openness and cooperation in dealing with this sort of topic would make C5 an even more attractive option, as any php CMS is prone to malware attacks, and a highly supportive community response seems to be the best way to collectively protect ourselves.
I'm curious to hear others' thoughts on my suggestion.
important ones) they are reported directly to us using the contact form. This keeps the information private between us and the person who discovered until a resolution can be put in place. Add-ons/themes all have their own support forums that only people who have purchased the add-on/theme can

I'm for openness and cooperation, but I would want to understand how a publicly available vulnerabilities forum would be set up in a way to not get abused by low-creativity black hat hangers-on...
CEO - concrete5.org
Even the simple matter of having an article in one of the forums which provides the desirable protocol would be helpful (including the appropriate channels for communicating to the right parties, and identifying whether the problem is within C5 proper or in an add-on). Then with the right tags on that article, someone who comes to the C5 site and is looking for help with this sort of problem can know the most efficient steps to follow.
I've been in communication with the top level of tech support of one of the ISPs I use, and their assessment of the C5 team is that there is resistance to consider that C5 might have a vulnerability. Whether this is actually true isn't the point. I think it's important to appreciate that this is the kind of impression that one can be left with. I think impressions like this can be avoided by creating _some_ sort of formalized and highly visible channel of communication specifically for this very important topic. It could be a very valuable high-profile way to differentiate C5 from other CMSs.
Secondly, I'm curious about a related issue. I posted an exploit-related bug report back in September of last year that is still unresolved as far as I know.
This evening, the malware was removed by the technical staff at the web host company, finally, thankfully.
Thanks for your help. I "love" Concrete5! I greatly appreciate all that you do for others at Concrete5.
HAVE A WONDERFUL DAY!
CEO - PortlandLabs Inc
This is the second time recently that my web hosting company has told me that one of my Concrete5 websites has malware. They say I must pay them to remove the malware, or remove it myself (?????), or else keep the website shut down.
I have attached screen-prints of what the technical support staff (at the web host company) are telling me.
I greatly value your advice and opinion.
My ideas - ??
Should I delete that troublesome website, with the malware, and build it again?
This is the first time in over 2 years that I have ever had a problem with this web host. But I don't like the way they refuse to remove the malicious files for free. Are they being unreasonable?
I look forward to hearing from you. Please contact me when I can be a friend to you! Have a wonderful day!
You should first of all log in to your control panel and change your password on your account.
Once that is done you should remove the two files mentioned (located in your root directory):
What has happened is that someone has figured out your password and uploaded files to your account.
Do the above and then contact your host again explaining you have removed the files and changed your password. You can also see if you can trace the IP address they saw in the FTP logs. If it is your own then you need to clean up your own computer(s) from malicious software.
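The reply above suggests tracing, in the FTP logs, the address that uploaded the malicious files, and then deciding whether the password was stolen (unfamiliar address) or the owner's own machine is infected (own address). The following is an added example, not part of the original reply or of concrete5 itself: a small Python script that reads a standard xferlog-style transfer log (the format written by wu-ftpd, vsftpd and proftpd's TransferLog) and lists which remote address uploaded which files. The log lines, the path names and the "own addresses" set are constructed for the example; the host's real log path and the site's real addresses are assumptions a reader would substitute.

```python
"""Summarise FTP uploads from an xferlog-style transfer log.

Added example for the thread above; not part of the original reply. It
assumes the host exposes a standard xferlog (wu-ftpd / vsftpd / proftpd
TransferLog format). The sample lines below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two uploads ('i') from an unfamiliar address and
# one download ('o') by the site owner from a recognised address.
SAMPLE_LOG = """\
Mon Sep 12 09:14:03 2016 1 203.0.113.45 1832 /public_html/index.php b _ i r siteuser ftp 0 * c
Mon Sep 12 09:14:05 2016 1 203.0.113.45 912 /public_html/cache/x.php b _ i r siteuser ftp 0 * c
Tue Sep 13 18:02:41 2016 2 198.51.100.7 40211 /public_html/concrete/config/site.php b _ o r siteuser ftp 0 * c
"""

# Addresses the site owner recognises as their own (constructed placeholder).
OWN_ADDRESSES = {"198.51.100.7"}


def parse_xferlog_line(line):
    """Parse one xferlog record into a dict, or return None if malformed.

    xferlog field order: 5 date tokens, transfer-time, remote-host,
    file-size, filename, transfer-type, special-action, direction
    (i = upload, o = download), access-mode, username, service,
    auth-method, auth-user-id, completion-status (c = complete).
    xferlog writers replace spaces in filenames with '_', so splitting on
    whitespace is safe.
    """
    parts = line.split()
    if len(parts) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[0:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    return {
        "time": when,
        "host": parts[6],
        "size": size,
        "path": parts[8],
        "direction": parts[11],
        "user": parts[13],
        "status": parts[17],
    }


def parse_xferlog(text):
    """Parse every well-formed line; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_xferlog_line(line)
        if rec is not None:
            records.append(rec)
    return records


def completed_uploads(records):
    """Keep only completed incoming transfers (direction 'i', status 'c')."""
    return [r for r in records if r["direction"] == "i" and r["status"] == "c"]


def uploads_by_host(records):
    """Map each remote address to the sorted list of paths it uploaded."""
    by_host = defaultdict(list)
    for r in completed_uploads(records):
        by_host[r["host"]].append(r["path"])
    return {host: sorted(paths) for host, paths in by_host.items()}


def unfamiliar_upload_hosts(records, own_addresses):
    """Addresses that uploaded files and are not in the owner's own set.

    An unfamiliar address points at a stolen password; an own address
    points at an infected workstation, as the reply above describes.
    """
    return sorted(h for h in uploads_by_host(records) if h not in own_addresses)


def report(text, own_addresses):
    """Human-readable summary lines, one per uploading address."""
    recs = parse_xferlog(text)
    lines = []
    for host, paths in sorted(uploads_by_host(recs).items()):
        tag = "own" if host in own_addresses else "UNFAMILIAR"
        lines.append(f"{host} ({tag}) uploaded: {', '.join(paths)}")
    return lines


if __name__ == "__main__":
    # Against a real host, replace SAMPLE_LOG with open("/var/log/xferlog").read()
    # (path is an assumption; hosts differ) and OWN_ADDRESSES with your own IPs.
    for line in report(SAMPLE_LOG, OWN_ADDRESSES):
        print(line)
```

Only completed uploads are counted, so a failed or aborted transfer does not show up as a planted file; downloads are ignored because the question being answered is who wrote to the account, not who read from it.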