Author Topic: WebsiteBaker hacked  (Read 6054 times)
doc
Guest
« Reply #25 on: May 29, 2009, 05:10:54 PM »

Hello,

well, some older modules have had security issues in the past which were used to break or manipulate a WB installation.

Most of those issues were due to a lack of sanitizing user inputs. Think of a module which offers a user form to register for a download or to search for something via the frontend. Depending on the server settings (e.g. magic quotes off) and a badly coded SQL query, one can inject its own code into the database query, which can then be used e.g. to update the admin password in the DB. Then you can log in to the backend and do whatever you want to do, reset the password afterwards and leave again.

If the affected code is e.g. in the view.php file of such a module, the check whether WB_URL is defined does not help at all. Browse the site using WB, use the form to manipulate the DB and you are done.

Some other modules (e.g. WYSIWYG editor modules or image galleries) had some issues in the file handlers which allowed people to upload and execute files from outside, again by invoking a URL of the affected module and passing over some parameters.

Summary:
I do not want to unsettle anybody, but I also do not like statements like: "if WB is hacked, it is in 99.9999% through the server", which is simply not true. We have had issues with faulty external modules in the past and there is no guarantee that modules listed on the Addons repository or AMASP are free of bugs which can be used to break into a WB installation. The same is true for the provider story.

Regards Christian
« Last Edit: May 29, 2009, 11:42:36 PM by doc »
Xagone
AddOn Development
Posts: 478
« Reply #26 on: May 29, 2009, 06:52:09 PM »

normally I sanitise using mysql_real_escape_string but in php 5.3 it'll not be there anymore...

Xagone Inc. (formerly VotreEspace)
http://www.xagone.com/
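The two posts above describe the same module pattern from both sides: doc's point that a frontend form whose value is pasted into a SQL query lets the request change the database no matter what guard sits at the top of view.php, and Xagone's reliance on mysql_real_escape_string() to escape that value. The following is an added example, not code from WebsiteBaker or from either poster, showing a module search handler written first in the concatenating style doc describes and then with a mysqli prepared statement, which needs neither magic_quotes nor a manual escape call. The table and column names (mod_search_items, item_id, title), the 100-character limit and the connection settings in the usage comment are assumptions for illustration.

```php
<?php
// Added example, not WebsiteBaker code. Table/column names are assumed.

/**
 * Vulnerable form: the search term becomes part of the SQL text, so whatever
 * the visitor types is parsed by the database as query syntax. The usual
 * "is WB_URL defined" guard at the top of view.php does not change this:
 * the request arrives through the normal WB frontend.
 */
function search_items_unsafe(mysqli $db, string $term): array
{
    $sql = "SELECT item_id, title FROM mod_search_items "
         . "WHERE title LIKE '%" . $term . "%'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

/**
 * Hardened form: the SQL text is fixed at prepare time and the value is sent
 * to the server separately, so it is never interpreted as SQL. This works the
 * same with magic_quotes on or off and does not depend on the old mysql
 * extension. LIKE wildcards are escaped as well, so a visitor cannot widen
 * the match with % or _ (MySQL's default LIKE escape character is backslash).
 */
function search_items_safe(mysqli $db, string $term): array
{
    // Assumed limit: reject oversized input before it reaches the database.
    if (strlen($term) > 100) {
        throw new InvalidArgumentException('search term too long');
    }
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $db->prepare(
        "SELECT item_id, title FROM mod_search_items WHERE title LIKE ?"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    // get_result() needs the mysqlnd driver (the default since PHP 5.4).
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage inside a module's view.php (placeholder credentials, replace with the
// site's own settings; exceptions surface query errors instead of hiding them):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// $db = new mysqli('localhost', 'wb_user', 'wb_password', 'wb_db');
// $db->set_charset('utf8mb4');
// $rows = search_items_safe($db, $_GET['q'] ?? '');
```

Escaping with mysql_real_escape_string() only protects the query when the escaped value is placed inside a quoted string literal and the connection charset matches; binding the value through a prepared statement removes both conditions, which is why it is the replacement to reach for when the old mysql functions go away.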