xisto Community
gisellebebegirl

Cutenews Alert!~ Your Site Might Be Hacked!


Ok, so I was going through my email inbox, and I received a very scary email from my old host, starszz.com, about this really dangerous thing going around with cutenews users. Ok, let me summarize it:

Hackers somehow found a way to hack your site by accessing your search.php file in your cutenews directory. I googled it, and there are a couple of big sites that were hacked, and it's advised for you to delete the search.php file from your cutenews directory immediately. I don't know how this can be done, but I'm just warning you. I deleted my search.php file just in case!

This is the email I got:

We were recently alerted to a dangerous cutenews vulnerability that could leave your site open to being hacked.
All hostees are advised to immediately delete the search.php file from your cutenews directory.

This is a serious vulnerability and should be treated as top priority.

Please do it now.

This flaw is not restricted to StarsZZ. It affects all sites using cutenews.

If you have other fansites with other hosts, you should also remove the search.php file.

Please let me know if you have any questions or problems.



Well I do actually need my search.php file, a lot. I see no reason why anyone would want to hack my page. I guess that I have to think about deleting it, but... nooo, not the search.php file! Argh...


Cutenews will likely come along with a 'fix' before too long.
In the meantime, it might not be such a bad idea to drop the Search feature from your site. For security of your data and all of that...

Has anyone been to the Cutenews site to confirm this is a problem? And what versions of Cutenews are affected?
Might only be certain (older, unpatched) versions which are affected.

*EDIT*

Seems there is a simple enough fix for this one:

http://cutephp.com/forum/index.php?showtopic=25900




*runs off to fix his copy* bbl :P


WOW!! I think the guys at cutenews need to update and design a new version of cutenews, but I am surprised that it took this long to find something wrong with cutenews, especially something as major as that.


Umm, again, follow through, lmfao. According to some people at my old host, the guy who found that fix started the project of fixing it but did not completely fix it, so you are still at risk, because hackers can just search for your password, log in, etc. using that feature. Here's what I got from my old administrator. I'm so confused; I just changed the parts like I was told here, and deleted the file, so it's in my trashcan on my cpanel, haha.

"We do not recommend our hostees to use this fix. It is easier to simply delete the file. Most fansites will not make use of the search function in any case. This particular file has had several previous vulnerabilities discovered. By removing the file entirely, you safeguard yourself from being open to any future vulnerabilities, and having to patch the file again, or risk being hacked. We were aware of the fix, but did not post it because we do not recommend it for our hostees. If you are not hosted here you are free to do as you wish, or as your current host suggests."


Have you considered transferring your site to another flat-file system?
http://forums.xisto.com/no_longer_exists/

Or snews cms http://forums.xisto.com/no_longer_exists/ is a database system that runs on PHP and MySQL? Or Joomla?

There are other alternatives.



Anything as good or better than cutenews? I don't know. I already have over 200 "cutenews" posted for content for both Have-heart.net and chantelle paige international fansite, so I don't really want to reinstall anything, unless it is absolutely necessary. In the remote case that, let's say, cpanel got hacked, would you [Xisto] be able to restore everything? Like, do you have backups of the hosted website, or is that the hostee's responsibility? If so, how can I download some of my files as a backup? Just my html_public or whatever it is called folder? [containing cutenews]

Also, are cutenews downloadable backups available? Sorry for the endless questions (:


Ack!!!
This comes too late for me. One of my sites was hacked by someone who boasted himself as a hacker. Deleted all my articles and completely wiped all categories. However, I had my backup made and was able to recover...but still

My site was "lost content" from Feb 23 ~ Feb 27. A simple rule of making CuteNews to manage only partially may have saved me from a whole lot of trouble. That just goes to show me--not one thing should be the complete content management for a site. I had 1/3 in CuteNews, 1/3 custom script and 1/3 plain HTML.



Wow, so it is true. I don't see how hackers choose what sites to completely destroy. Pathetic, I think. I mean, you're a Xisto administrator, right???! Ah, please, anyone who's reading, tell me it's not true that the guy who started the Cutenews Project completely abandoned it?!

Also, I tried my lilcomments or whatever, and the demo was down, unfortunately.

If cutenews was abandoned by the owner, I hope someone takes over.



CuteNews, like any other script, is vulnerable when people are developing it from the ground up. That's why people pay to have scripts that are thoroughly tested. But even with paid scripts there are constant updates and patches to be on the lookout for.

CuteNews has released the security measure but I failed to check it on time. This forum, IP.Board, has an alert notice section when a new or patch is available. Perhaps it's time for CuteNews to implement something similar.

The fault might have been on CuteNews for leaving such hacking potential, but that fault is also shared by me for not checking CuteNews' support forum on a regular basis.

And some clever guy just knowing how to manipulate this vulnerability has nothing to do with my position here at Xisto :P If I were to place blame, it's Google or other search engines making it easy to search all sites with the CuteNews interface without much effort.


I will still be using cutenews. I will make sure to make login details for cutenews different than cpanel though, don't want them accessing the whole site now, do we? I don't really mind if they wipe the news, I can always just backup, and it is not a 100% chance that it'll happen to me.
