[Advice Needed] - How to Secure Oxwall - htaccess/sql ? | Forum

Open
Open Jun 7 '11
Hi folks, after finding this great platform Oxwall I have been very much impressed, and even more so the more I use it.

Recently our website(s) have had many hack attempts, many of them successful, when we were using other products like WordPress, Joomla and the like, and I'm very much hoping that with your help I can fully secure my website.

Now I know there are a few ways to do it, via .htaccess? chmods (not seen much mentioned) and maybe other methods, to stop any form of hack or SQL injection, as this seems to be the way the hackers of late have defaced our websites. I am really hoping that you folks can offer some tips and advice on protection so that I can have a happy future with Oxwall.

Looking forward to your replies and help.
OSR
Den Team
Den Jun 8 '11
Hi
If you look at the code, you will see that all MySQL queries are escaped before they are run against MySQL. Oxwall is fully protected from MySQL injection, if the plugin's developer used Oxwall's native methods to run SQL queries :) What do you mean by .htaccess security? Could you give some more details?
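Added example (not from this thread and not Oxwall's own code): the difference between the three ways of getting a user-supplied value into a query that the reply above alludes to. Concatenation is injectable; quote-escaping protects a value that sits inside quotes but does nothing for an unquoted numeric slot; a bound parameter is safe in both positions. The table and rows are constructed for the example, SQLite stands in for MySQL, and the `escape` helper is a stand-in for a quote-escaping function, not a library call.

```python
import sqlite3

def make_db():
    """Constructed sample table for the example, not Oxwall's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("admin", "admin"), ("alice", "user"), ("bob", "user")],
    )
    conn.commit()
    return conn

def escape(value):
    """Quote-escaping in SQLite style (doubling the quote). MySQL's escaping
    uses backslashes instead, but the idea, and the limitation, is the same."""
    return str(value).replace("'", "''")

def users_by_name_concat(conn, username):
    # Raw string building: the classic injection hole.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def users_by_name_escaped(conn, username):
    # Escaping is enough here because the value sits inside single quotes.
    sql = f"SELECT username FROM users WHERE username = '{escape(username)}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def users_by_id_escaped(conn, user_id):
    # Escaping does nothing for an unquoted numeric slot: there is no quote to escape,
    # so "1 OR 1=1" is parsed as SQL.
    sql = f"SELECT username FROM users WHERE id = {escape(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def users_by_id_param(conn, user_id):
    # Bound parameter: the value is sent separately and never parsed as SQL.
    sql = "SELECT username FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]
```

The practical check for a plugin is therefore not "does it escape?" but "is every user-controlled value either bound as a parameter or, if escaped, actually inside quotes in the SQL text?".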
Open
Open Jun 8 '11
Hi Addenster, sounds great about the SQL injection protection, as that was my biggest fear. In regards to .htaccess, it's just something I was reading while researching a bit to secure our previous sites. I came across this piece of code for .htaccess (pasted below) and to be honest I'm not fully sure what it does or even if it is of any use for us.

Also, are there any specific files in Oxwall which I have to make sure are correctly CHMOD'd, so to speak?

Please assist if possible :) thank you for all your help.

**

RewriteEngine On
Options +Followsymlinks


# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a
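Added example (not from the thread): what the quoted RewriteCond actually tests, and where it stops helping. mod_rewrite matches `%{QUERY_STRING}` as the client sent it, without URL-decoding, and the rule carries no `[NC]` flag, so it is case-sensitive; PHP, on the other hand, decodes the query string and treats function names case-insensitively. The first pattern is copied from the post; the second is my own assumption for the rule that is cut off above (a common companion rule for `<script>` tags), not what the original file contained.

```python
import re
from urllib.parse import unquote_plus

# Copied from the post: RewriteCond %{QUERY_STRING} base64_encode.*\(.*\)
BASE64_RULE = re.compile(r"base64_encode.*\(.*\)")
# Assumption for the truncated second rule: a typical companion that blocks <script ...>
SCRIPT_RULE = re.compile(r"(<|%3C).*script.*(>|%3E)")
RULES = [("base64", BASE64_RULE), ("script", SCRIPT_RULE)]

def rewritecond_verdict(query_string):
    """Mimics mod_rewrite: the raw (not URL-decoded) query string is matched,
    case-sensitively because the rule has no [NC] flag. Returns the name of
    the rule that fires, or None when the request would be let through."""
    for name, rule in RULES:
        if rule.search(query_string):
            return name
    return None

def decoded_verdict(query_string):
    """The same patterns applied after one round of URL-decoding, ignoring case:
    roughly what the PHP application sees in $_GET."""
    decoded = unquote_plus(query_string)
    for name, rule in RULES:
        if re.search(rule.pattern, decoded, re.IGNORECASE):
            return name
    return None
```

The gap between the two verdicts is the caveat: `%62ase64_encode(...)` or `BASE64_ENCODE(...)` walk straight past the rewrite rule yet reach PHP as a perfectly good `base64_encode(...)`. Rules like these are a speed bump against the laziest scanners, not a substitute for fixing the code that would have been exploited.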
Den Team
Den Jun 9 '11
All files in Oxwall have secure permissions by default. The main issue in the hacking of most sites is the ability to upload PHP files to the site. Oxwall doesn't allow uploading such files.
Regarding .htaccess, you can try putting this code in your .htaccess
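Added example (my own code, not Oxwall's upload handler): the kind of gate that enforces "no PHP files get uploaded". It decides from the full extension chain and the file's leading bytes rather than from the name's last extension or the client-supplied Content-Type, because an Apache host with `AddHandler` for `.php` will execute `shell.php.jpg`, and a `.htaccess` dropped into the upload directory can re-enable PHP there. The allowlist, magic-byte table and sample inputs are constructed for the example.

```python
import os
import re
import secrets

# Allowlist for a picture upload. Every extension in the name must be in it, not just
# the last one, so "shell.php.jpg" is refused (assumption: an image-only upload).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Must start with a letter or digit: this also rejects ".htaccess" and empty names.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")

def check_upload(original_name, content):
    """Return (accepted, reason) for a candidate upload."""
    # Drop any directory part first so ../ in the client name cannot escape the upload dir.
    name = os.path.basename(original_name.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return False, "unsafe file name"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    for ext in parts[1:]:
        if ext not in ALLOWED_EXT:
            return False, f"extension .{ext} not allowed"
    # The declared type must agree with the bytes; a PHP file named pic.jpg fails here.
    if not content.startswith(MAGIC[parts[-1]]):
        return False, "content does not match extension"
    return True, "ok"

def stored_name(original_name):
    """Store under a random name so the uploader cannot choose or predict the path;
    only the (already validated) final extension is kept."""
    ext = original_name.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

This check is necessary but not sufficient: a genuine PNG can still carry PHP in a trailing chunk, so the upload directory should additionally have PHP execution switched off (for example `php_flag engine off` in an .htaccess the application owns, or serving uploads from a host with no PHP handler at all).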
Cecil
Cecil Jun 10 '11
Thx for the help :)
Open
Open Sep 23 '11
Hi again Addenster and others. Not good news I'm afraid, and I'll cut to the chase.

Had forums enabled on our Oxwall install and the other night it was hacked.

I noticed a new user join, went to their profile, and then they had admin rights, as they changed all of my front page (titles for Feed etc.) and edited the HTML block I also had on the front. There was a similar text on the site that had changed, with a blatant SQL-entry style such as "Where=>>>>>>" and so on. I haven't got it to show you, as it was all a bit of a rush: what they posted I changed while they were doing it. After this I disabled the forums and it has been OK for a day, until I got the chance to make this post (far too much work for me of late :( hehe).

We have had a past history of a few people hacking the site (not Oxwall, other CMS-based scripts, WordPress etc.) and all have seemed to break through. This is why I originally posted this post, in regard to whether we would be likely to have issues, and all was well until the other night.

Not much more I can say at this point, and nothing to show you short term, but I'm hoping that somebody may have some assistance? Is this forum-related, how they got admin rights? All a bit vague at the moment.

Regards, and off for my 12-hour engineering work shift :)

Den Team
Den Sep 26 '11
Hello Open.
Not good news for today. We didn't receive any alerts about open holes in the forum plugin, and you are the first person who has been hacked in this way :( Do you have a sysadmin who can check the error logs and try to find the hacking URL in the forum plugin or any other details?
Zie
Zie Sep 26 '11
Den Team
Den Sep 27 '11
We will check the Forum plugin's code and fix all the holes found.
Open, if you provide any additional info, it will be very helpful.
Thanks for the report, guys.
Open
Open Oct 1 '11
Hi Addenster, I've been away for a few days, sorry for the late reply.

I am about to transfer servers, as we have had issues on that server for a long time now. Once everything is uploaded and the database is intact I'll have a sift through and see what I can find to help you in any regard, that's if it was via Oxwall (hence our server change).

The only other thing I can add is that even the site menu options, such as (Images/Videos/Topics), had been changed to something of a malicious nature. So I'm guessing they had definitely got in via some form of SQL? What do you think?

Anyway.... re-installed and uploaded to the new server in the next day or so, and I'll get back to you asap. I think I'm going to leave the blog and the forum off for a short while and see how it performs on its own, as believe me there are plenty of haters of the website in question, just a jealousy thing, but hey ho, as they say any publicity is good publicity hehe, in some fashion. But using Oxwall, it will be great to know that it's 110%, and I thank you once again for any help.

Anyway, can I offer you more? Checking logs etc., where would I look to give you more info on any breaches, if any?

Thx again.
Den Team
Den Oct 5 '11
You need to have a good sysadmin to check the server logs and find problem queries with SQL injection attempts.
Regarding the menu option, I'm not sure that it can be the cause of the hack LOL :)
Waiting for any news from you on your new server.
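Added example (not from the thread): a first pass over an Apache access log of the kind the reply above asks for, flagging requests whose decoded URL carries common SQL injection indicators. The log lines are constructed for the example (RFC 5737 documentation addresses, a made-up `users` table), and the indicator list and labels are my own, not an Oxwall or Apache feature.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" format: client ident user [time] "METHOD URL PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of SQL injection probing; labels are my own. Bare apostrophes are deliberately
# not an indicator on their own (O'Brien is a legitimate search term).
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("tautology", re.compile(r"\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("comment-tail", re.compile(r"(--|/\*)\s*$")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("schema-probe", re.compile(r"\binformation_schema\b", re.I)),
]

def normalize(url):
    """URL-decode repeatedly (bounded) so a double-encoded %2527 is seen as a quote."""
    for _ in range(3):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan_access_log(text):
    """Return (ip, method, decoded_url, label) for each line that trips an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = normalize(m["url"])
        for label, pattern in SQLI_PATTERNS:
            if pattern.search(url):
                hits.append((m["ip"], m["method"], url, label))
                break
    return hits

# Constructed sample log: two ordinary requests and three probes from one client.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2011:23:41:02 +0000] "GET /forum/topic/12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Sep/2011:23:41:09 +0000] "GET /forum/search?q=O%27Brien HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Sep/2011:23:42:17 +0000] "GET /forum/topic/12?page=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8123 "-" "sqlmap/1.0"
198.51.100.4 - - [22/Sep/2011:23:42:20 +0000] "GET /forum/topic/12?page=-1%20UNION%20SELECT%20id,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.0"
198.51.100.4 - - [22/Sep/2011:23:42:31 +0000] "GET /forum/topic/12?page=1%2527%20AND%20SLEEP(5)%2523 HTTP/1.1" 200 8123 "-" "sqlmap/1.0"
"""

if __name__ == "__main__":
    for ip, method, url, label in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {label:13} {method} {url}")
```

Two limits worth knowing before relying on this: the access log holds only the request line, so a payload sent in a POST body (a forum post, for instance) never appears in it and has to be looked for in the application's own logs or the database; and the patterns are heuristics, so a hit is a lead to pull the full session for that client, not proof by itself.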
Open
Open Oct 7 '11
Hi again :) Well, I've just installed the hacked version on the new server. I have it fully intact; it seems that they had edited the "ow_base_component_setting".

I had to remove this from my SQL, but I still have "their" edited SQL if you want to have a look at it, not public obviously.

So after they had edited the "ow_base_component_setting", every label and HTML-tagged box that was on the site was replaced with their edited text. Now that makes sense in some ways, as many sections had the same "text which was originally HTML" that I had written.

.... what next? Can I provide anything, as I have it ready and waiting for viewing, or admin access, or looking at my files? If this is a hack then I'm sure it will be a help in the future for Oxwall.

**Edit**
Is this also accessible as a file on the FTP, or is this only an SQL option?
The Forum post is edited by Open Oct 7 '11
Den Team
Den Oct 11 '11
Send me this SQL via PM please. We will check it.
All such widget settings are stored in SQL and the script doesn't use any files.
FaceTester Leader
FaceTester Oct 11 '11
A question about SQL injection to Open:

Do you have HTML scripting enabled for your community?

Open
Open Oct 11 '11
Hello Gents !

PM's sent with file attached.

FaceTester? Enlighten me, sorry.
Open
Open Oct 11 '11
Ah, I see it: Disable custom HTML -

I'm not sure whether it was or not... mmm, could this be a possible security breach, then, for them to gain entry? SQL now sent to Addenster for his look also.

Thx guys, we're close to relaunching again on the new server once I have the latest from you folks, and I have also updated to the latest.
FaceTester Leader
FaceTester Oct 11 '11
Hi
Yes, I mean "custom HTML". I asked you because I don't know how Oxwall works with SQL functions in an HTML script.
Addenster and the other developers see what I mean :-)

But please, I'm not scaring you... let's wait and see what Addenster sees from your info.

greets
FaceT
The Forum post is edited by FaceTester Oct 11 '11
Open
Open Oct 11 '11
No problem :) & thx, glad you mentioned this as it could have been an option they used which we would have totally missed. Let's see, I'm awaiting Addenster's reply in regards to the PM file sent.
Open
Open Oct 12 '11
Hi again :), just letting you know I'm almost ready to launch. Hope you get time over the next few days to look at the files sent for me, Addenster. I'm at work for the next 2 days so not much time to dev, so I will hang on for your wise words, Sir.

Many thx all!
DesignOX
DesignOX Sep 10 '12
Where is the real answer to this?