Exploits forum

Hi,

I support a handful of sites that use Concrete5 and two sites have had vulnerabilities exploited in the past 8 months. This last time, the vulnerability was in the VideoJS add-on.

Concrete5 is gaining popularity. This is great, but along with the benefits come the drawbacks such as becoming a bigger target for malware. I would love to see a forum within the C5 site that is dedicated to the reporting and resolving of vulnerabilities and exploits... not only C5 itself, but also any add-on. This forum could make it much easier for site admins to sort out, resolve, and maybe even prevent attacks.

Openness and cooperation in dealing with this sort of topic would make C5 an even more attractive option, as any PHP CMS is prone to malware attacks, and a highly supportive community response seems to be the best way to collectively protect ourselves.

I'm curious to hear others' thoughts on my suggestion.

frz replied:
Generally when exploits are discovered (rarely, and even more rarely
important ones) they are reported directly to us using the contact form.
This keeps the information private between us and the person who discovered
it until a resolution can be put in place. Add-ons/themes all have their own
support forums that only people who have purchased the add-on/theme can
access.

I'm for openness and cooperation, but I would want to understand how a
publicly available vulnerabilities forum would be set up in a way to not
get abused by low creativity black hat hangers-on...



best wishes

Franz Maruna
CEO - concrete5.org
http://about.me/frz
jalen replied:
I can appreciate that a public forum could unintentionally support greater exploitation of whatever vulnerabilities arise, and the problem still remains that when (not if) they do arise, trying to find helpful and relevant info on resolving the issue is not clearly apparent.

Even the simple matter of having an article in one of the forums which provides the desirable protocol would be helpful (including the appropriate channels for communicating to the right parties, and identifying whether the problem is within C5 proper or in an add-on). Then with the right tags on that article, someone who comes to the C5 site and is looking for help with this sort of problem can know the most efficient steps to follow.

I've been in communication with the top level of tech support of one of the ISPs I use, and their assessment of the C5 team is that there is resistance to consider that C5 might have a vulnerability. Whether this is actually true isn't the point. I think it's important to appreciate that this is the kind of impression that one can be left with. I think impressions like this can be avoided by creating _some_ sort of formalized and highly visible channel of communication specifically for this very important topic. It could be a very valuable high-profile way to differentiate C5 from other CMSs.


Secondly, I'm curious about a related issue. I posted an exploit-related bug report back in September of last year that is still unresolved as far as I know.
http://www.concrete5.org/developers/bugs/5-6-2-1/c5.6.2.1-exploits-...
ThomasJ replied:
I agree with Franz that their system of bug reporting that does not broadcast vulnerabilities to the public is the best way to handle bugs. I also agree with you that if in their course of processing these bug claims they do not own up to their code-generated problems or are just not diligent in addressing issues, they put their reputation on the line. I personally have not seen laxness in the c5 team's handling of bug issues, but if you have had a bad experience, you should call them on it.
tamarosher replied:
Dear Franz: I sent you a previous message about malware that got on one of my websites.

This evening, the malware was removed by the technical staff at the web host company, finally, thankfully.

Thanks for your help. I "love" Concrete5! I greatly appreciate all that you do for others at Concrete5.

HAVE A WONDERFUL DAY!

Tamar Osher
frz replied:
Glad to hear it worked out!


best wishes

Franz Maruna
CEO - PortlandLabs Inc
tamarosher replied (8 attachments):
Dear Franz: Hello! I hope you are doing well and enjoying a safe, warm, wonderful winter.

This is the second time recently that my web hosting company has told me that one of my Concrete5 websites has malware. They say I must pay them to remove the malware, or remove it myself (?????), or else keep the website shut down.

I have attached screen-prints of what the technical support staff (at the web host company) are telling me.

I greatly value your advice and opinion.

My ideas - ??
Should I delete that troublesome website, with the malware, and build it again?

This is the first time in over 2 years that I have ever had a problem with this web host. But I don't like the way they refuse to remove the malicious files for free. Are they being unreasonable?

I look forward to hearing from you. Please contact me when I can be a friend to you! Have a wonderful day!
adajad replied:
Looking through your screenshots I can say that you should fix this yourself.

You should first of all log in to your control panel and change your password on your account.

Once that is done you should remove the two files mentioned (located in your root directory):
- stat7cx.php
- tmp.php

What has happened is that someone has figured out your password and uploaded files to your account.

Do the above and then contact your host again explaining you have removed the files and changed your password. You can also see if you can trace the IP address they saw in the FTP logs. If it is your own then you need to clean up your own computer(s) from malicious software.
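
The FTP log check suggested in the last reply, sketched as an added example that is not part of the original thread: it finds uploads of the two named files and groups them by source address, marking whether that address is the site owner's own. It assumes the host's FTP log uses the common xferlog layout; the sample log lines, the account name `siteuser` and all addresses are constructed.

```python
import posixpath
from collections import defaultdict
from datetime import datetime

SUSPECT_NAMES = {"stat7cx.php", "tmp.php"}  # the two files named in the reply

# Constructed sample in the assumed xferlog layout (documentation-range addresses).
SAMPLE_LOG = """\
Tue Jan 14 09:02:11 2014 1 198.51.100.7 5120 /home/site/public_html/index.php b _ i r siteuser ftp 0 * c
Thu Jan 16 03:12:45 2014 1 203.0.113.45 2048 /home/site/public_html/tmp.php b _ i r siteuser ftp 0 * c
Thu Jan 16 03:12:47 2014 1 203.0.113.45 9216 /home/site/public_html/stat7cx.php b _ i r siteuser ftp 0 * c
Thu Jan 16 03:13:02 2014 1 203.0.113.45 9216 /home/site/public_html/stat7cx.php b _ o r siteuser ftp 0 * c
truncated or garbled line
"""


def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if it does not fit."""
    tok = line.split()
    if len(tok) < 18:  # 8 fields before the file name, 9 after it
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return {
        "when": when,
        "ip": tok[6],
        "path": " ".join(tok[8:-9]),  # tolerate spaces in the file name
        "direction": tok[-7],         # i = upload, o = download, d = delete
        "user": tok[-5],
    }


def suspect_uploads(log_text, names=SUSPECT_NAMES, own_ips=()):
    """Group uploads of the named files by source IP and flag the admin's own IPs."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec and rec["direction"] == "i" and posixpath.basename(rec["path"]) in names:
            by_ip[rec["ip"]].append((rec["when"], rec["user"], rec["path"]))
    return {ip: {"own_address": ip in own_ips, "uploads": sorted(ups)}
            for ip, ups in by_ip.items()}


if __name__ == "__main__":
    for ip, info in suspect_uploads(SAMPLE_LOG, own_ips={"198.51.100.7"}).items():
        origin = "your own address" if info["own_address"] else "unknown address"
        for when, user, path in info["uploads"]:
            print(f"{when}  {ip} ({origin})  login={user}  {path}")
```

The login shown on each matching line is the account whose password was used for the upload, which is the one to change first.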