Security Vulnerability
Permalink
So what's the deal, why is my login constantly being changed to redirect to a website in china? Is there an unpatched security vulnerability allowing XSS or javscript hijacking?
This is the second time it has happened using two different servers and installations. Redirects the login screen to:http://example.com/index.php/login...
This is the second time it has happened using two different servers and installations. Redirects the login screen to:http://example.com/index.php/login...
I'm done with this lame CMS. Why don't you @ssholes learn to write secure code. This has been unpatched for 7 months.
As far as I know, there's no vulnerability in concrete5 that does this, but it's the type of thing that's really hard to know with the limited information you've provided.
From google searches, it looks like there is a ton of info out there about 360.cn being a malware site and people's browsers getting hijacked to it's site, along with how to remove various viruses that people have caught from it. I honestly feel a little worried to have clicked on your link in this forum thread. 0_0
So my question would be if it's actually something that's wrong with your server, or with your local machine? What is the URL for your login page supposed to be? Can other people access it? If you're running in a local environment like WAMP, does it do the same thing?
That's where I'd start looking.
FWIW, I've actually dealt with multiple sites that were hacked over the years, and in no cases was it concrete5 that caused it. It's always something like an unknown piece of code in an HTML theme that wa converted to c5, caught by a crawler that uses it to upload malicious code, or running on a shared server where someone's wordpress install has an out of date plugin that gives them escalated permissions, stuff like that.
Also, there's an actual bug tracker that gets better visibility for things like this, if there actually is a security problem. It's easy for a random forum post without much info to get lost, especially if there's a lot of other posts that day.
http://www.concrete5.org/developers/bugs/8-1-0/...
My gut feeling tells me that this actually has nothing to do with concrete5, though.
From google searches, it looks like there is a ton of info out there about 360.cn being a malware site and people's browsers getting hijacked to it's site, along with how to remove various viruses that people have caught from it. I honestly feel a little worried to have clicked on your link in this forum thread. 0_0
So my question would be if it's actually something that's wrong with your server, or with your local machine? What is the URL for your login page supposed to be? Can other people access it? If you're running in a local environment like WAMP, does it do the same thing?
That's where I'd start looking.
FWIW, I've actually dealt with multiple sites that were hacked over the years, and in no cases was it concrete5 that caused it. It's always something like an unknown piece of code in an HTML theme that wa converted to c5, caught by a crawler that uses it to upload malicious code, or running on a shared server where someone's wordpress install has an out of date plugin that gives them escalated permissions, stuff like that.
Also, there's an actual bug tracker that gets better visibility for things like this, if there actually is a security problem. It's easy for a random forum post without much info to get lost, especially if there's a lot of other posts that day.
http://www.concrete5.org/developers/bugs/8-1-0/...
My gut feeling tells me that this actually has nothing to do with concrete5, though.
We're always eager to fix security vulnerabilities, do you mind reporting this potential vulnerability through one of the official channels? It can be pretty dangerous to release information like this publicly before we have a chance to fix the issue so we have a security email and a HackerOne account that is monitored by both the core team and members of the community. If you check the footer you'll see a link to our Security Disclosure program:https://www.concrete5.org/developers/security...
Thanks,
Korvin
Thanks,
Korvin
Uh, release *what* information like this? I've re-read his post several times and have found no information value whatsoever.
Or was his post modified before I saw it?
Or was his post modified before I saw it?
We have the security disclosure program so that we can handle potential security issues before the bad guys get a chance to use the exploit and hurt the concrete5 community. We monitor it and vet all security issues that come through there and handle them quickly depending on severity. You're right that this isn't a security vulnerability as far as I can tell, but it's hard to know with the amount of information that was given.
The rule of thumb is If it's a potential security risk for other users, submit the issue through the security disclosure program.
The rule of thumb is If it's a potential security risk for other users, submit the issue through the security disclosure program.
@HereNT and @Korvin I admire and respect your restraint and professionalism.
@HereNT I share your analysis and I too had to deal with several "hacked" sites that were, in fact, hijacked browsers on the user's side.
@HereNT I share your analysis and I too had to deal with several "hacked" sites that were, in fact, hijacked browsers on the user's side.
