X3 Photo Gallery Support Forums

Haider of Sweden
Experienced
Topic Author
Posts: 54
Joined: 09 Jan 2013, 05:02

Understanding security and hacker risks

11 Jan 2018, 18:48

Hi!

Let us assume I have a very weak password and someone manages to get inside the panel.
Would this mean a risk to inject infected PHP files somehow?
Kind regards,
Haider
www.haider.se
mjau-mjau
X3 Wizard
Posts: 13997
Joined: 30 Sep 2006, 03:37

Re: Understanding security and hacker risks

11 Jan 2018, 21:48

Haider of Sweden wrote:Would this mean a risk to inject infected PHP files somehow?
It is not possible to upload PHP files from the X3 panel, but I would not claim there is NO risk. Depending on how well your server is configured, it might be possible to exploit the server with a JPG file upload, especially if they have access to edit the .htaccess file. Even if they can't upload PHP, they can seriously mess up your X3 website of course. Preventing hackers from logging in to the panel in the first place should be the #1 priority.

Keep in mind, if your website DOES get hacked, you might not even notice at first. Unless your website is political, hackers don't really care about "making a mess" or writing "you were hacked [credit line goes here]" any longer. It is more usual to exploit the website as a "link-farm" and/or for SEO/Spam purposes, with hidden links/pages, which will eventually damage your website reputation and credibility.

Tips:

1. Rename your X3 /panel directory
The most effective line of defense is to simply rename your /panel, for example to /myxyzpanel. The X3 updater will even work nicely as long as the directory name ends with "*panel". Most hacks are achieved by hackers (robots and humans) hammering on "known" login links (for example WordPress uses "wp-login.php"). Robot hackers are constantly checking URLs on your website for "known" backdoor login URLs. If found, they will start hammering on the door until they break it open by "brute force attacks". What if they can't find the door? Realistically speaking, this is incredibly effective.

2. Cloudflare
I'm a fan of Cloudflare myself as a level of "outer" security. Cloudflare uses a "reputation" system to identify threats from IPs, and will recognize bad bots based on their activity, preventing them from reaching your server in the first place. It will also block almost all "known" exploits, although this may require the paid version with "WAF - web application firewall". You can even set a max security level for the login URL [screenshot].

3. Allow panel access by specific IP or device
There is an example file already in /panel/disable.htaccess (rename to .htaccess), which shows how you can allow only a specific IP or IP range to login to the panel. Highly effective, but if your IP changes (as it mostly does), you will have to keep updating this file by FTP to match your IP. You could also use an IP range, for example to allow login only from a single ISP provider or country. You could also use this method to ONLY allow login for a specific browser/version, something I have done earlier. Very effective protection, but sometimes impractical to manage.

4. Use a strong password
Haider of Sweden wrote:Let us assume I have a very weak password and someone manages to get inside the panel.
Unless you are using any of the suggestions above, there simply isn't any excuse these days to use weak passwords for logins that need to be secure. You can find loads of apps/extensions that will create strong passwords for you and save them (also across devices).


I wrote a long reply because I want to eventually turn this into a post in our new X3 docs section.
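An added example of the allow-listing described in tip 3, written for this thread and not the contents of X3's own /panel/disable.htaccess. It assumes Apache 2.4 with mod_authz_host and mod_setenvif (with a 2.2 fallback), and the addresses and User-Agent string are placeholders to replace with your own.

```apache
# Added example, not X3's own /panel/disable.htaccess.
# Place it in the (renamed) panel directory. The addresses and the
# User-Agent string are placeholders; substitute your own values.

# Tag requests coming from the exact browser build you log in with.
# The regex is anchored, so sharing "Mozilla/5.0" is not enough to match.
SetEnvIf User-Agent "^Mozilla/5\.0 \(X11; Linux x86_64; rv:57\.0\) Gecko/20100101 Firefox/57\.0$" panel_browser_ok

<IfModule mod_authz_core.c>
    # Apache 2.4: every rule inside RequireAll must hold, so a request
    # needs an allow-listed address AND the expected browser.
    <RequireAll>
        <RequireAny>
            # Single home/office address
            Require ip 203.0.113.10
            # Or a whole ISP block in CIDR notation
            Require ip 198.51.100.0/24
        </RequireAny>
        # Remove this line to allow-list by address alone
        Require env panel_browser_ok
    </RequireAll>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback (mod_access): same address allow-list.
    # The 2.4 directives above are not understood by 2.2 and would make
    # the panel answer 500 for everyone, including you, so both forms
    # are kept and the server picks the one it supports.
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

The User-Agent header is chosen by the client, so the browser check only narrows the address allow-list rather than replacing it; keep FTP access at hand, since a typo in .htaccess locks the panel for everyone.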
Haider of Sweden
Experienced
Topic Author
Posts: 54
Joined: 09 Jan 2013, 05:02

Re: Understanding security and hacker risks

13 Jan 2018, 09:27

Thank you Karl for your thorough reply.

You are talking about two things; X3 itself and the server configuration. As for the server configuration, I'll have to investigate whether the htaccess file security is weak or not.
But to exploit it and use JPG for example, this brings us to the X3 Panel.

What are the risks of a weak panel password? If the htaccess is secure, you won't be able to upload anything harmful anyway, would you?

Reason for my question is that a server where X3 is hosted got hacked. I have a feeling X3 was NOT the cause (i.e. weak password), but I ask anyway to be sure if I might have missed anything.
Kind regards,
Haider
www.haider.se
mjau-mjau
X3 Wizard
Posts: 13997
Joined: 30 Sep 2006, 03:37

Re: Understanding security and hacker risks

13 Jan 2018, 11:34

Haider of Sweden wrote:You are talking about two things; X3 itself and the server configuration. As for the server configuration, I'll have to investigate whether the htaccess file security is weak or not.
Not sure where I have mentioned the server configuration ... My entire reply above, including the four suggestions, is 100% related to the PANEL and how to protect it.
Haider of Sweden wrote:But to exploit it and use JPG for example, this brings us to the X3 Panel.
Indeed it does. ALL my suggestions are about panel security and protection. If your panel is accessed by an unwelcome user, your server is at risk, I can't guarantee anything else. Therefore, it should be TOP priority for you to protect your PANEL, including setting a STRONG password.
Haider of Sweden wrote:What are the risks of a weak panel password?
If you use any of my other THREE suggestions from above, then the risk is MINIMAL. But why set a weak panel password anyway? It is HEALTHY to be paranoid about your panel login.
Haider of Sweden wrote:If the htaccess is secure, you wont be able to upload anything harmful anyway, would you?
I am not sure where you get this idea about the htaccess file. The htaccess file has almost nothing to do with security. If a user gets access to your panel, they can upload files, create folders, and create havoc, REGARDLESS of the htaccess file.

Your question is basically equivalent to asking:
"I forgot to lock the door to my house, but I locked the drawer where the money is hidden. Is my money safe?"
The answer is no.
Haider of Sweden wrote:Reason for my question is that a server where X3 is hosted got hacked. I have a feeling X3 was NOT the cause (ie weak password), but I ask anyway to be sure if I might have missed anything.
Well "got hacked" is a bit vague ... What did they do? Any other apps stored on the server?

Even if it was hacked through X3, that is of course only possible through the panel. Even then, it is doubtful (but not impossible) that they can hack anything on the server OUTSIDE the X3 content directory.

All in all, if anyone gets access to your CMS, your website can get hacked. Same with WordPress and any other CMS of course. Thus, you should follow my suggestions above AND use a strong login. Logins can get intercepted if a hacker wants to get access.
 
tomrock
Experienced
Posts: 51
Joined: 13 Mar 2007, 09:11

Re: Understanding security and hacker risks

31 Jan 2018, 17:52

Renaming the panel folder is a cool trick. Thanks for that. May I mention, you may want to edit the robots.txt file with the new name of your panel if you do this? Thanks.
mjau-mjau
X3 Wizard
Posts: 13997
Joined: 30 Sep 2006, 03:37

Re: Understanding security and hacker risks

31 Jan 2018, 22:28

tomrock wrote:May I mention, you may want to edit the robots.txt file with the new name of your panel if you do this?
I was gonna say that would be a good idea, but it occurred to me that would allow hackers to find out your panel URL by loading /robots.txt in their browser. It's not really necessary to update this, as it's just there to tell search engines to ignore /panel/. If you rename your panel, there is no way a search engine can find your panel anyway :)
 
tomrock
Experienced
Posts: 51
Joined: 13 Mar 2007, 09:11

Re: Understanding security and hacker risks

01 Feb 2018, 09:16

mjau-mjau wrote:
tomrock wrote:May I mention, you may want to edit the robots.txt file with the new name of your panel if you do this?
I was gonna say that would be a good idea, but it occurred to me that would allow hackers to find out your panel URL by loading /robots.txt in their browser. It's not really necessary to update this, as it's just there to tell search engines to ignore /panel/. If you rename your panel, there is no way a search engine can find your panel anyway :)
I didn't think of that. Excuse me while I go edit my robots.txt back to how it was :-)