An Out-of-Date CMS is No Match for a Skilled Intruder
Web Attack
© Lead Image © peshkov, 123RF.com
Scary things can happen if you don't keep your CMS up to date. We'll show you how an unpatched vulnerability can lead to privilege escalation and root access.
Pause for a moment and consider all the applications that are powering today's online services, and then step back to consider the attack surface that each one of them presents. In this article, I will look at how a security bug in an online application might allow an attacker to gain full access to the underlying Linux server running it. The prize, in this case, is that the attacker will acquire root access to the server.
The journey starts with a security bug in the application itself, which is an out-of-date version of the CMS Made Simple content management system (CMS). The bug allows an attacker, via a carefully crafted URL, to take advantage of a time-based SQL Injection (SQLi), which ultimately affects the database powering the application. The exploit doesn't even need a valid login.
The next step is to brute-force access to the underlying Linux system, via SSH, before then trying to achieve the final goal: becoming the superuser root, which allows an attacker to take over the system.
[...]
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome Working on Test Center App to Make Testing Easier
It's now possible to test experimental features on the Gnome desktop without worrying that you'll break things.
-
New Vulnerability Discovered in Linux Kernel
Hiding out for nearly 15 years, the Ghostlock vulnerability allows a standard logged-in user to gain root privileges.
-
New Linux Flaw Lets Attackers Escape VMs
A 16-year-old vulnerability allows an attacker to escape a virtual machine, gain access to the host, and execute malicious code.
-
Hannah Montana Linux Is Back!
Developer Noah Cagle decided the world needed the once obscure but beloved Linux distribution and gave it a decidedly pink refresh.
-
System76 Refreshes the Lemur Laptop
If you're looking for a laptop with tons of power and battery, look no further than the latest iteration of the System76 Lemur Pro.
-
More than 43 Million Lines of Code in Linux Kernel 7.2
Using the cloc utility, Michael Larabel of Phoronix discovered that Linux kernel 7.2 has over 43 million lines of code.
-
Kubuntu Focus Goes Ultra
The Kubuntu Focus team has upped the performance ante of its M2 and Zr laptops with the latest, greatest CPUs from Intel.
-
Linux Gamers May Soon See Less Mouse Lag in KDE Plasma
Gamers using KDE’s Plasma desktop have been suffering from a slight input delay in mouse movement that could lead to getting fragged.
-
Three Lines of Code Improve Linux Storage Performance
A developer changed three lines of code, giving Linux storage performance a 5% bump.
-
AUR Hit Again with Malicious Packages
Once again the Arch User Repository is plagued by a high volume of malicious packages.
