Is CE easy to hack?

Nayan
Member • Aug 1, 2013

Is CE easy to hack?

I was looking up on where/how we are hosting these forums. After some help/information as well as some research i know that we use Xenforo Environment over Zend framework hosted on Liquidweb (a cloud hosting service). I tested it particularly and this server is responding positively to CSS attacks. Nothing to blame the hosts for this but the framework.
The CEan of the Month app is vulnerable. It can be tampered i found out but not easily. I won't abuse it for sure. But i guess if others have any experiences then they could share. Also targetted DDoSing can be done on CE. So without harming the main server we can actually take the website down. However its tough to do so.

My question is, who all have had similar experience related to websites' security. I can rate it 3.9/5.0 comfortably.

Replies

Howdy guest!

Dear guest, you must be logged-in to participate on CrazyEngineers. We would love to have you as a member of our community. Consider creating an account or login.

Replies

Kaustubh Katdare

Administrator • Aug 1, 2013

If you found any vulnerabilities, better report them so that we can fix them. Any website can be hacked, CE's no different.

Are you sure? This action cannot be undone.
Cancel
Nayan Goenka

Member • Aug 1, 2013

They aren't vulnerabilities #-Link-Snipped-#. They are CSS attacks. They attack on the way your website works. Like the way a reply is posted here on this thread. I do some script and I can intrude in the server. Not only this but the other website which is your sibling on the hosting server. So its not a matter of report. You cannot manually fix it. On other hand, we can deploy a solution.

Like we know a cat enters from the door. So we cant always keep the door shut but we sure can do something to avoid the cat. This is the best analogy I can provide.

The solution is to configure the virtual terminal where the website is hosted to non-respond the scripts and make the drive persistent. And server backup to be collected on some other place. It is a costly process. But I guess that is the solution. Or I would suggest this. I dont know about your network security deployments which your developer has planted. But yes, CE is vulnerable to CSS attacks. The new app section can be targetted easily using a third party CSS environment.

Are you sure? This action cannot be undone.
Cancel
Kaustubh Katdare

Administrator • Aug 1, 2013

Well, I do know a thing or two about CSS attacks. Will you be able to prove the CSS vulnerability if we provide you with a test environment?

Are you sure? This action cannot be undone.
Cancel
Nayan Goenka

Member • Aug 1, 2013

You already gave me the environment in past. So i tested it there.
And there is nothing to prove in it. Its something we cannot stop. Rather we can secure the server. its already decently secured. the thing i m talking about it is hardcore server security. Make the drive persistent. Every Server restart will make it raid free. And power backup the server in hard environment everytime. I guess you might be aware of DEEPFREEZE application for machines. Persistant drives are for the same purpose. and there is a feature in remote hosting environment which is net bridged, mainly used by website hosting companies, to block remove execution/ i.e to avoid scripting. That will patch this issue. If you want I can show it on your environment. But i already tested it there. I can give you a video of the attack if you want.

Are you sure? This action cannot be undone.
Cancel
Kaustubh Katdare

Administrator • Aug 1, 2013

You said the core platform is vulnerable to CSS attacks - so I wanted to know if there's anything that needs attention.

I tested it particularly and this server is responding positively to CSS attacks. Nothing to blame the hosts for this but the framework.
I'm not sure what 'responding positively' meant. Did it mean that the server rejected CSS attacks? Or you found out that the server indeed is vulnerable to attacks?

What you're suggesting is a general way of hardening the server. We do have solid backup mechanisms in place.

Are you sure? This action cannot be undone.
Cancel
Nayan Goenka

Member • Aug 1, 2013

#-Link-Snipped-#. I sent you a message explaining the attack. please check. responding positive means it is vulnerable on secondary level. Not a matter of urgent concern.

Are you sure? This action cannot be undone.
Cancel
Kaustubh Katdare

Administrator • Aug 1, 2013

Well, I did check your private conversation. Voting on CEoM App can be 'managed', because we simply check for logged-in users and usergroup permissions before a user can vote.

You can of course alter that using a bot to upgrade the vote count. However, we didn't pay a lot of attention to it because anyone found messing up with the CEoM will be quickly disqualified from the contest. Now, this might be used to 'attack' your rival - but the mods do keep eye on the activity.

I want to know there's any 'attack' that can take the server down. Would really appreciate it if you could report any.

Are you sure? This action cannot be undone.
Cancel
Nayan Goenka

Member • Aug 1, 2013

Sure I will let you know about the 'attack'. I will re write it and forward it to you.

Are you sure? This action cannot be undone.
Cancel
Kaustubh Katdare

Administrator • Aug 1, 2013

Nayan Goenka
Sure I will let you know about the 'attack'. I will re write it and forward it to you.
Appreciate it, thanks.

Are you sure? This action cannot be undone.
Cancel
Pensu

Member • Aug 1, 2013

Nayan Goenka
Sure I will let you know about the 'attack'. I will re write it and forward it to you.
Dont mind me asking, but did you hack CEoM or you really are on top? 😉

Are you sure? This action cannot be undone.
Cancel
Nayan Goenka

Member • Aug 1, 2013

Check the contents 😛 I already said i wont abuse it. I dont need to 😛😎

Are you sure? This action cannot be undone.
Cancel
Jeffrey Arulraj

Member • Aug 1, 2013

#-Link-Snipped-# A really nice read

Well CSS type attacks are common and in a way not forseeable to most hosts right Well If that is the case does a human intervention always needed to stop this Or can the server automatically sense this new intrusion

Are you sure? This action cannot be undone.
Cancel