View Feed
group-icon
Coffee Room
Discuss anything here - everything that you wish to discuss with fellow engineers.
12921 Members
Join this group to post and comment.
Nayan Goenka
Nayan Goenka • Aug 1, 2013

Is CE easy to hack?

I was looking up on where/how we are hosting these forums. After some help/information as well as some research i know that we use Xenforo Environment over Zend framework hosted on Liquidweb (a cloud hosting service). I tested it particularly and this server is responding positively to CSS attacks. Nothing to blame the hosts for this but the framework.
The CEan of the Month app is vulnerable. It can be tampered i found out but not easily. I won't abuse it for sure. But i guess if others have any experiences then they could share. Also targetted DDoSing can be done on CE. So without harming the main server we can actually take the website down. However its tough to do so.

My question is, who all have had similar experience related to websites' security. I can rate it 3.9/5.0 comfortably.
Kaustubh Katdare
Kaustubh Katdare • Aug 1, 2013
If you found any vulnerabilities, better report them so that we can fix them. Any website can be hacked, CE's no different.
Nayan Goenka
Nayan Goenka • Aug 1, 2013
They aren't vulnerabilities Kaustubh Katdare. They are CSS attacks. They attack on the way your website works. Like the way a reply is posted here on this thread. I do some script and I can intrude in the server. Not only this but the other website which is your sibling on the hosting server. So its not a matter of report. You cannot manually fix it. On other hand, we can deploy a solution.

Like we know a cat enters from the door. So we cant always keep the door shut but we sure can do something to avoid the cat. This is the best analogy I can provide.

The solution is to configure the virtual terminal where the website is hosted to non-respond the scripts and make the drive persistent. And server backup to be collected on some other place. It is a costly process. But I guess that is the solution. Or I would suggest this. I dont know about your network security deployments which your developer has planted. But yes, CE is vulnerable to CSS attacks. The new app section can be targetted easily using a third party CSS environment.
Kaustubh Katdare
Kaustubh Katdare • Aug 1, 2013
Well, I do know a thing or two about CSS attacks. Will you be able to prove the CSS vulnerability if we provide you with a test environment?
Nayan Goenka
Nayan Goenka • Aug 1, 2013
You already gave me the environment in past. So i tested it there.
And there is nothing to prove in it. Its something we cannot stop. Rather we can secure the server. its already decently secured. the thing i m talking about it is hardcore server security. Make the drive persistent. Every Server restart will make it raid free. And power backup the server in hard environment everytime. I guess you might be aware of DEEPFREEZE application for machines. Persistant drives are for the same purpose. and there is a feature in remote hosting environment which is net bridged, mainly used by website hosting companies, to block remove execution/ i.e to avoid scripting. That will patch this issue. If you want I can show it on your environment. But i already tested it there. I can give you a video of the attack if you want.
Kaustubh Katdare
Kaustubh Katdare • Aug 1, 2013
You said the core platform is vulnerable to CSS attacks - so I wanted to know if there's anything that needs attention.

I tested it particularly and this server is responding positively to CSS attacks. Nothing to blame the hosts for this but the framework.
I'm not sure what 'responding positively' meant. Did it mean that the server rejected CSS attacks? Or you found out that the server indeed is vulnerable to attacks?

What you're suggesting is a general way of hardening the server. We do have solid backup mechanisms in place.
Nayan Goenka
Nayan Goenka • Aug 1, 2013
Kaustubh Katdare. I sent you a message explaining the attack. please check. responding positive means it is vulnerable on secondary level. Not a matter of urgent concern.
Kaustubh Katdare
Kaustubh Katdare • Aug 1, 2013
Well, I did check your private conversation. Voting on CEoM App can be 'managed', because we simply check for logged-in users and usergroup permissions before a user can vote.

You can of course alter that using a bot to upgrade the vote count. However, we didn't pay a lot of attention to it because anyone found messing up with the CEoM will be quickly disqualified from the contest. Now, this might be used to 'attack' your rival - but the mods do keep eye on the activity.

I want to know there's any 'attack' that can take the server down. Would really appreciate it if you could report any.
Nayan Goenka
Nayan Goenka • Aug 1, 2013
Sure I will let you know about the 'attack'. I will re write it and forward it to you.
Kaustubh Katdare
Kaustubh Katdare • Aug 1, 2013
Nayan Goenka
Sure I will let you know about the 'attack'. I will re write it and forward it to you.
Appreciate it, thanks.
Pensu
Pensu • Aug 1, 2013
Nayan Goenka
Sure I will let you know about the 'attack'. I will re write it and forward it to you.
Dont mind me asking, but did you hack CEoM or you really are on top? 😉
Nayan Goenka
Nayan Goenka • Aug 1, 2013
Check the contents 😛 I already said i wont abuse it. I dont need to 😛😎
Jeffrey Arulraj
Jeffrey Arulraj • Aug 1, 2013
Nayan Goenka A really nice read

Well CSS type attacks are common and in a way not forseeable to most hosts right Well If that is the case does a human intervention always needed to stop this Or can the server automatically sense this new intrusion

Share this content on your social channels -