Is CE easy to hack?

I was looking up on where/how we are hosting these forums. After some help/information as well as some research I know that we use Xenforo Environment over Zend framework hosted on Liquidweb (a cloud hosting service). I tested it particularly and this server is responding positively to CSS attacks. Nothing to blame the hosts for this but the framework.
The CEan of the Month app is vulnerable. It can be tampered with, I found out, but not easily. I won't abuse it for sure. But I guess if others have any experiences then they could share. Also targeted DDoSing can be done on CE. So without harming the main server we can actually take the website down. However, it's tough to do so.

My question is: who all have had similar experiences related to website security? I can rate it 3.9/5.0 comfortably.

Replies

  • Kaustubh Katdare
    Kaustubh Katdare
    If you found any vulnerabilities, better report them so that we can fix them. Any website can be hacked, CE's no different.
  • Nayan Goenka
    Nayan Goenka
    They aren't vulnerabilities #-Link-Snipped-#. They are CSS attacks. They attack the way your website works. Like the way a reply is posted here on this thread. I do some script and I can intrude in the server. Not only this but the other website which is your sibling on the hosting server. So it's not a matter of report. You cannot manually fix it. On the other hand, we can deploy a solution.

    Like we know a cat enters from the door. So we can't always keep the door shut but we sure can do something to avoid the cat. This is the best analogy I can provide.

    The solution is to configure the virtual terminal where the website is hosted to non-respond to the scripts and make the drive persistent. And server backup to be collected in some other place. It is a costly process. But I guess that is the solution. Or I would suggest this. I don't know about your network security deployments which your developer has planted. But yes, CE is vulnerable to CSS attacks. The new app section can be targeted easily using a third party CSS environment.
  • Kaustubh Katdare
    Kaustubh Katdare
    Well, I do know a thing or two about CSS attacks. Will you be able to prove the CSS vulnerability if we provide you with a test environment?
  • Nayan Goenka
    Nayan Goenka
    You already gave me the environment in the past. So I tested it there.
    And there is nothing to prove in it. It's something we cannot stop. Rather we can secure the server. It's already decently secured. The thing I'm talking about is hardcore server security. Make the drive persistent. Every server restart will make it raid free. And power backup the server in a hard environment every time. I guess you might be aware of the DEEPFREEZE application for machines. Persistent drives are for the same purpose. And there is a feature in remote hosting environments which is net bridged, mainly used by website hosting companies, to block remote execution, i.e. to avoid scripting. That will patch this issue. If you want I can show it on your environment. But I already tested it there. I can give you a video of the attack if you want.
  • Kaustubh Katdare
    Kaustubh Katdare
    You said the core platform is vulnerable to CSS attacks - so I wanted to know if there's anything that needs attention.

    I tested it particularly and this server is responding positively to CSS attacks. Nothing to blame the hosts for this but the framework.
    I'm not sure what 'responding positively' meant. Did it mean that the server rejected CSS attacks? Or you found out that the server indeed is vulnerable to attacks?

    What you're suggesting is a general way of hardening the server. We do have solid backup mechanisms in place.
  • Nayan Goenka
    Nayan Goenka
    #-Link-Snipped-#. I sent you a message explaining the attack. Please check. Responding positive means it is vulnerable on a secondary level. Not a matter of urgent concern.
  • Kaustubh Katdare
    Kaustubh Katdare
    Well, I did check your private conversation. Voting on CEoM App can be 'managed', because we simply check for logged-in users and usergroup permissions before a user can vote.

    You can of course alter that using a bot to upgrade the vote count. However, we didn't pay a lot of attention to it because anyone found messing with the CEoM will be quickly disqualified from the contest. Now, this might be used to 'attack' your rival - but the mods do keep an eye on the activity.

    I want to know if there's any 'attack' that can take the server down. Would really appreciate it if you could report any.
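The reply above describes a vote endpoint that only checks for a logged-in user with the right usergroup permission, which is why a scripted client can repeat the request and inflate a count. The block below is an added example, not CrazyEngineers' or XenForo's code; it assumes a hypothetical endpoint that receives (user_id, candidate_id) and shows the server-side checks that close that gap: one vote per user per contest, no self-votes, a per-user attempt rate limit, and an audit trail the moderators can review instead of watching the activity by hand. All user names and timestamps are constructed.

```python
"""Vote-integrity checks for a 'member of the month' style contest.

Added example (not the forum's or XenForo's code). It assumes a
hypothetical vote endpoint that receives (user_id, candidate_id) and
shows why checking only 'logged in + usergroup permission' is not
enough: a scripted client can repeat the request. The ledger adds
one-vote-per-user-per-contest, self-vote rejection, a per-user attempt
rate limit, and an audit trail for moderator review.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class VoteLedger:
    contest_id: str
    permitted_users: set           # users whose usergroup may vote (hypothetical)
    window_seconds: float = 60.0   # rate-limit window for vote attempts
    max_attempts: int = 5          # attempts allowed per user per window
    votes: dict = field(default_factory=dict)   # user_id -> candidate_id
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    audit: list = field(default_factory=list)   # (ts, user, candidate, outcome)

    def _rate_limited(self, user_id, now):
        """Sliding window: drop stale attempts, record this one, compare."""
        q = self.attempts[user_id]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def cast(self, user_id, candidate_id, now):
        """Return an outcome string; only 'accepted' changes the tally."""
        if user_id not in self.permitted_users:
            outcome = "rejected:not_permitted"
        elif self._rate_limited(user_id, now):
            outcome = "rejected:rate_limited"
        elif user_id == candidate_id:
            outcome = "rejected:self_vote"
        elif user_id in self.votes:
            # Key defence: the vote is keyed by user, so repeating the
            # request cannot add a second vote.
            outcome = "rejected:already_voted"
        else:
            self.votes[user_id] = candidate_id
            outcome = "accepted"
        self.audit.append((now, user_id, candidate_id, outcome))
        return outcome

    def tally(self):
        """Vote counts derived from the ledger, never from a mutable counter."""
        counts = defaultdict(int)
        for cand in self.votes.values():
            counts[cand] += 1
        return dict(counts)

    def suspicious_users(self):
        """Users with at least one rejected attempt, for moderator review."""
        return sorted({u for _, u, _, o in self.audit if o != "accepted"})


def demo():
    # Constructed scenario: alice votes once, bob tries to vote for himself,
    # mallory runs a script that repeats the same vote 20 times, and eve
    # is logged in but not in a permitted usergroup.
    ledger = VoteLedger("ceom-constructed",
                        permitted_users={"alice", "bob", "mallory"})
    ledger.cast("alice", "bob", now=0.0)
    ledger.cast("bob", "bob", now=0.5)
    outcomes = [ledger.cast("mallory", "alice", now=1.0 + i) for i in range(20)]
    ledger.cast("eve", "bob", now=2.0)
    return ledger, outcomes


if __name__ == "__main__":
    ledger, outcomes = demo()
    print("tally:", ledger.tally())
    print("script outcomes:", outcomes)
    print("review queue:", ledger.suspicious_users())
```

The tally is recomputed from the per-user ledger, so a repeated request from a bot can never add a second vote; the rate limit only bounds how much audit noise one account can generate, and the review queue gives moderators the accounts that tripped a check rather than leaving them to spot it in the activity feed.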
  • Nayan Goenka
    Nayan Goenka
    Sure I will let you know about the 'attack'. I will rewrite it and forward it to you.
  • Kaustubh Katdare
    Kaustubh Katdare
    Nayan Goenka
    Sure I will let you know about the 'attack'. I will rewrite it and forward it to you.
    Appreciate it, thanks.
  • Pensu
    Pensu
    Nayan Goenka
    Sure I will let you know about the 'attack'. I will rewrite it and forward it to you.
    Don't mind me asking, but did you hack CEoM or are you really on top? 😉
  • Nayan Goenka
    Nayan Goenka
    Check the contents 😛 I already said I won't abuse it. I don't need to 😛😎
  • Jeffrey Arulraj
    Jeffrey Arulraj
    #-Link-Snipped-# A really nice read

    Well, CSS type attacks are common and in a way not foreseeable to most hosts, right? Well, if that is the case, is human intervention always needed to stop this? Or can the server automatically sense this new intrusion?
