Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • October 20, 2016, 07:31:45 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Black box testing an OSS PHP CMS  (Read 4687 times)


  • Honorary Member
  • Joined in 2007
  • **
  • Posts: 116
  • ::41554D::
    • View Profile
    • DreamCycle Studios
    • Donate to Member
Black box testing an OSS PHP CMS
« on: July 07, 2010, 10:05:20 AM »
This question is geared more towards the e107 CMS, but it really applies to all CMS solutions.

I recently developed a website for my wife for her photography.

A few days ago it was hacked by a botnet intrusion. I luckily caught it within hours.


I pulled it down and nuked the install, and began the post-mortem of the logs. As I looked through all the logs I could see the site continuously being hammered by bots trying to find vulnerabilities. I was actually fortunate that the scripting was so focused on the specific task of turning the site into another botnet node to spread to other machines and send out spam that is did very little damage to any content. 

It was a sobering lesson in web security and what it is like out there in the wild. I highly recommend making sure you compress and save your website access logs and from time to time just skim through them looking at web activity, you can find other cool stuff like where people are coming from to download stuff from your site. I actually found some software reviews for some of my freeware I didn't know existed and found some people deep linking to images on my site that were simply pieces of the site navigation..

I guess for all the time I have been a user of the internet and web technologies I'm pretty naive..

So the next question is what to do with this information.

I know there are some simple steps I can take to lock down what php can do and change some of the CMS file names so the bots can't find them, because they seem to be using profiles to search for known exploits.

But beyond that I think I need to both increase my knowledge so I don't code up anything that lets the baddies in, but I can't know everything an OSS CMS is doing and while an automated solution can't catch everything it is a good place to start.

So I'm wondering if there is any OSS black box testing solution out there that people have used to at least test for the most obvious and common exploits?

'Behold! It is not over unknown seas but back over well-known years that your quest must go; back to the bright strange things of infancy and the quick sun-drenched glimpses of magic that old scenes brought to wide young eyes.'