Questions about security

glens1234 24 Jan, 2012
Hi. About 2 months ago one of my websites was defaced. Some kind of Base64 script was injected into one of my chronoforms. The hacker then managed to deface all of the other websites hosted on my account. This was of course a major problem for me even though I had backups.

Anyway, I am soon to launch a new project, which features a small chronoforms based front-end CMS and I am concerned about the security of my website. Can someone please offer some advice about how I can protect myself against hackers hacking my forms?

Thanks.
GreyHead 24 Jan, 2012
Hi glens1234,

It looks as though this may be a case of 2 + 2 = 5.

Is there any evidence that the breach was through ChronoForms?

ChronoForms does contain some quite legitimate base64-encoded code in a couple of files and we have known web-hosts leap upon this and edit or ban the files. This usually results in broken forms and doesn't fix the hacked site :-(

Bob
glens1234 24 Jan, 2012
Hi. I can't say for sure if it was anything to do with chronoforms. However, the malicious script was found inside one of the chronoforms.php files (I can't remember which one off the top of my head).

Anyway, I just need to make sure it doesn't happen again. Therefore I was wondering what security measures I can take in order to make my forms more secure.

Thanks
GreyHead 24 Jan, 2012
Hi glens1234,

Maybe, maybe not; it's more likely that they found the legitimate base64-encoded stuff :-(

There's nothing that I know of about the ChronoForms files that makes them any more or less risky than other Joomla! files. The only exception to this was an early version of CFv3 that used some ExcelWriter files from PEAR that had a potential risk.

There is an inherent risk with forms that submitted data could do damage, but again that doesn't particularly expose the ChronoForms files. You should take care that all data is properly validated and sanitised after submission.

Bob
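Server-side validation of the kind Bob describes, as an added example in plain PHP that is not ChronoForms's or Joomla's own validation code; the field names (name, email, message) and the rules applied to them are assumptions for illustration:

```php
<?php
// Added example: plain-PHP server-side validation of one form submission.
// Field names and rules are assumed; this is not the ChronoForms API.

/**
 * Validate a submitted form. Returns ['data' => cleaned values, 'errors' => messages].
 * Client-side checks and a CAPTCHA are trivially skipped by a direct POST,
 * so every rule is re-applied here regardless of what the browser did.
 */
function validateSubmission(array $post): array
{
    $errors = [];
    $clean  = [];

    // Read only the fields we expect; anything else in $post is ignored.
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Allow-list the character set and bound the length rather than
    // trying to block-list "bad" strings.
    if ($name === '' || mb_strlen($name) > 60
        || !preg_match('/^[\p{L}\p{M} .\'-]+$/u', $name)) {
        $errors['name'] = 'Name must be 1-60 letters, spaces, dots, apostrophes or hyphens.';
    }
    // FILTER_VALIDATE_EMAIL rejects line breaks, so a value built to smuggle
    // extra mail headers into the notification e-mail is refused here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'A valid email address is required.';
    }
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors['message'] = 'Message must be 1-2000 characters.';
    }

    if (!$errors) {
        // Keep the validated text as-is; escaping belongs at the point of output.
        $clean = ['name' => $name, 'email' => $email, 'message' => $message];
    }
    return ['data' => $clean, 'errors' => $errors];
}

// Escape for an HTML context when the stored value is rendered back to a page.
function renderField(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission: a legitimate name alongside a malformed e-mail field.
$result = validateSubmission([
    'name' => "O'Brien", 'email' => "a@b.com\r\nBcc: x@y.z", 'message' => 'Hello',
]);
```

Writing the cleaned values to the database still needs quoted or parameterised queries; validation narrows the input but does not replace that step.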
glens1234 24 Jan, 2012
Yes. I didn't really have any validation on the form and it was an old website with an old version of chronoforms and an old version of joomla, so I guess there could be many reasons.

So should I do both server-side and client-side validation in addition to a captcha? Would this be enough or is there anything else I can try?

If so... could you point me to a tutorial about how to do the server-side validation? I had a look for a tutorial about the auto server-side validation feature but I couldn't find much info.

One more thing while I'm here....

I have been trying to use the DB Multi Record Loader but when I try to view the results I am getting a "Warning: Invalid argument supplied for foreach() in ...../db_multi_record_loader/cfaction_db_multi_record_loader.php on line 74"

The data appears to be going into the database correctly. I have the DB Multi Record Loader "On Submit" and I have followed all of the instructions and made sure that my field names are correctly specified. I'm not sure what else to look at.

Do you have any idea what the problem might be?

Thanks 🙂
glens1234 25 Jan, 2012
OK well.... again I've used my own code and it works but I would prefer to use the DB Multi Record Loader as I want to use some of the extra functions.

I would greatly appreciate your suggestions.