[BlueOnyx:05465] Re: Dealing with /admin URL 'hijacking

Stephanie Sullivan ses at aviaweb.com
Sat Sep 25 10:24:01 -05 2010


I must not concur. That's not the worst thing. Picture this:

They break into my client's zencart, oscommerce or CC processor integrated
cms (as joomla and drupal have plugins/extensions and I have clients using
them). They get into the client's site and modify the CC credentials to
process using their bogus merchant account. Maybe they put a hack in to
steal their CC numbers. Now you have a security breach that has big legal
implications that you and/or your client have to legally disclose in the US.
You probably have clients screaming at you about bogus charges on their
card. Eventually the site is defaced and their tracks are covered by wiping
most of your database.

Finally your client's reputation is damaged/destroyed and they are angry
with you and spread the word they got hacked on your platform damaging your
reputation, etc.

I would think it's far from the worst thing. Of course it may be worse if
you are the client than the hosting company.

Thanks,

-Stephanie

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of James Darbyshire
Sent: Saturday, September 25, 2010 10:30 AM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:05461] Re: Dealing with /admin URL 'hijacking

I disagree. Certainly it is not best practise for any admin functions to be
accessible through a generic /admin url, but I would rather someone was
trying to attack my CMS than my Server admin panel, where they have much
higher security privileges than in my CMS.

Worst case they graffiti my pages and I have to restore to a backup.

If they get into my BO admin area they can royally screw with my server, and
it possibly would not be as obvious/easy to detect.

Regardless, it's no big deal. You just have to remember to change your BO
settings when the config gets overwritten.

Regards,

James Darbyshire

Sent from my Samsung DroidT

On 25/09/2010 11:54 PM, "Abdul Rashid Abdullah" <webmaster at muntada.com>
wrote:

Stephanie hit the nose on the target.  I would prefer to modify the CMS
rather than BlueOnyx.  When you migrate to a new system, you will deal with
the issue all over again.  It is best to change it upfront.

PLUS I am not sure who said something about BlueOnyx security and they
deleted it for that reason but I would say that it is FAR better to rename
the admin of a CMS as there is by far a higher likelihood of an exploit on
the CMS than on BlueOnyx coming into play.  Zen Cart as an example EXPLICITLY
encourages all of the users to rename to something unique and specifically
warns you if I am remembering correctly if you don't do it.  It is one of
their countermeasures for not getting hacked.

Regards,

Rashid



On 9/24/10 7:08 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:

> Jeff,
> 
> I've yet to meet a...
