Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[BS0D]

Hi all,

I have a question about the security of sNews CMS. How would you rate the overall level of security?
I'd like to use this system for my company's website, but my domain was targeted by hackers before and I would like to hope that sNews would solve my problem and prevent them from getting in.

Have you ever heard of any sNews installation getting hacked?
I had a look online and my research only brought up one bug in an older version that has been patched since then (XSS in version 1.7).

If there is a way to secure the system even more, I'm all ears...

Thanks for any advice!

[Keyrocks]

I've had a few sNews sites online for several years now and - with old vulnerabilities patched - none have been hacked yet.

A couple of months ago I had a 7 year-old domain completely hi-jacked by some hacker in the Middle East. It was running on a larger, more complex open source CMS. The hi-jacker was able to replace my CMS file-set with his and replace the tables and data in my existing database with his... basically running his website from my domain.

The vulnerability was having a file-sharing feature that didn't exclude ZIP files. The hacker understood the folder structure on the domain root and uploaded a ZIP containing his complete site file-set, a database over-write file, a self-writing config.php file and an install.php file. He configured his file-set to remove my file-set, install his file-set and over-write my database with his.

sNews does not have any forms accessible to the public where self-executing files can be uploaded. Period. And as long as you don't add that functionality to sNews, it should not happen.

[BS0D]

Hi Keyrocks,

Thanks for the reply. It does make me feel better to read that.
Taht's one of the reason I am staying away from Joomla or WP, too popular, targeted too often.

[BS0D]

Hi, I'm coming back to this topic to find out about contact forms.
Is there a possible vulnerability in forms coded manually and included in a sNews page with the [include] feature?

I don't mean XSS vulns of course because I secured my forms against those.
This may seem like stupid question, but what about SQL injections? Can those forms be used to access the database? And if so, is there an easy way to secure them further?

There is is this template I found online a few years ago and massively modified to fit my needs, but before I use these online I'd like to know they're not vulnerable... if anyone is willing to take a look I'd be glad to send it!

Thanks for your help in advance!

[Keyrocks]

Is there a possible vulnerability in forms coded manually and included in a sNews page with the [include] feature?

I don't mean XSS vulns of course because I secured my forms against those.
This may seem like stupid question, but what about SQL injections? Can those forms be used to access the database? And if so, is there an easy way to secure them further?

Assuming your manually-coded (customized) forms are not 'native' to sNews (meaning they are from some other external source and not included with the sNews package), then it all depends on what you are doing with the data being collected by your customized forms.

For example, the data being collected by sNews's function comment is subjected to a pretty thorough cleaning before it gets inserted into the comments table in your sNews database, so it's not likely your going to have malicious code getting into the comments d-base table.

If the data collected by your customized (manually-coded) forms is being inserted (saved to) a table in your database, you are wise to ensure the $_POST values for each data type are being adequately checked and cleaned before it is sent to the database table via your INSERT or UPDATE queries.

[BS0D]

No I'm not inserting anything in the DB, but I was still wondering if, because the form is on the server and on a website which is linked to the db, an attacker could still inject SQL commands via these forms.
Now it makes sense that they can't, thanks.

I'm only using these forms to send HTML emails (replacement of the default contact form if you will), and I've thoroughly protected these against XSS.

Thanks again Keyrocks