CKForms Security Issue is Spreading

[kiwi]

Hi,
I have been watching the number of sites that have all been hacked via the SQL injection flaw reported a few days ago.

While CKForms works very well for us we have had to remove it immediately due to the fact that our test sites have been hacked and this component poses a very serious security flaw to our Joomla installs.

More details can be found here :
http://www.exploit-db.com/exploits/11785

I have full logs showing how this flaw is actively being used in the wild, particularly just how Turkish hackers are using this issue, and it can take less than 5 minutes to gain admin access into your site.

I have run this against some other friends Joomla sites and every single time the vunlerability suceeds without fail. Subsequently those friends have also removed CKForms.

Can we get an official response as to whats being done about these flaws? Even just an indication that something is being done.

If we cant see or hear anything we will all be forced to move our solutions elsewhere.

Skip
New Zealand

[pedrino]

Hi,

I fixed the security problem in the new release (1.3.4) you can download in the CKForms Site :

http://ckforms.cookex.eu/

Regards

Pierre

[aniuska]

Hello,

I hope that last version (1.3.4) fix securities vulnerabilities. I have been attacked last week for Turkish group and spamming through CKForm. I would like to continue using this component.

Thanks,
Aniuska

[AlanDogg]

Hi this security flaw still exists, i have been told by my server host that if i do not remove ck forms component he will shut down my sites that use it. This component has a serious security issues and i have already lost my own wesbite due to this badly written script.

Details from server host below

We can see from looking at the access logs that only a few minutes ago a
hacker tried to exploit the ckforms component.

195.228.152.176 - - [11/May/2010:14:36:07 +0100] "GET
/index.php?option=com_ckforms&view=ckforms&id=2&Itemid=53//index2.php?option
=com_forms&controller=../../../../../../../../../../../../../../../proc/self
/environ%00 HTTP/1.1" 200 677 "-" "libwww-perl/5.813"

You MUST remove this component and its possible threat ASAP or the account
will be terminated.

Im already using the new version 1.3.4

[ahmad99]

How to upgrade...?

[doughboy]

hi guys,

any updates about the latest version of ckforms?
has it been tested for vulnerability against sql injection?

[ikkes]

Can anybody confirm that this issue has been solved in the last version?
It is really important to know!!!!!

And is this also an issue, when only registred people can use this (we made a hack for this)?

Regards,

Ikkes

[homeroom1]

My Host just shut down another one of my sites using CK Forms. I've now disabled it on all sites until further notice.

I'm hoping someone can solve this issue.

[cmatechno]

I just started using CKforms, and it seems to work ok although there's lots of room for improvement. One of my websites (not using CKforms though) has been savagely hacked the past year. It was so bad that I ended up wiping out the whole server, changing all passwords, and then reinstalling everything from scratch. Guess what, attacks continued, but this time I spend some money and I got the OSE anti-hacker http://www.opensource-excellence.com. It wasn't cheap by joomla-standards, but boy has this made a huge change.
I know writing components isn't easy, and we all should be extremely grateful that there are people out there devoting their time and knowledge into saving us time. There will always be vulnerabilities.
This is why OSE works like a charm for me: first, it has a pre_append feature, its php scripts run before anything else. So when someone tries a stunt like a sql injection their IP gets banned immediately. If they try something funky in the URL, their IP gets banned as well. I'm trying to convince the maker to do some counter-attack measures (such as responding to an attack with some really nasty, wrongly-formatted webpage that will mess up the attackers' session, ever tried sending a big jpg file with the wrong header? talk about nasty content LOL)
But we will see about that.
So, in practical terms, this should resolve any problems that a component has. In the case of CKforms, well, any potential attack is caught before it reaches the component, so it solves the problem.
If I run into any problems, I'll come here and let you guys know. So far, this solution works.

[Redshirt]

@cmatechno

as good as it sounds, if there is a flaw in a part of the code, this flaw needs to be found + fixed.

regardless of code you execute before it.