parametric

Posts: 11
Registered: 21-Sep-2012
My Website and linked JAlbum instance (12.7.2 - Java 1.8 32bit) got hacked
Posted: 24-Nov-2018 03:48
My Domainhost admin, who is currently repairing the damage remarked . . .

"The gallery seems to have a security loophole. It is not database driven... or at least not MySQL, so I assume it is using a cgi database and that presents a massive security risk. CGI is a script and can easily be hacked. If you have a user name and password for logging into the gallery online, definitely change that now."

Any observations on this?

I'm very happy with JAlbum version 12, and really need no more than it offers, but perhaps security is improved in the next version?

ATB

parametric
jGromit

Posts: 7,638
Registered: 31-Jan-2006
Re: My Website and linked JAlbum instance (12.7.2 - Java 1.8 32bit) got hacked
Posted: 24-Nov-2018 06:09   in response to: parametric
Your host admin is blowing smoke. There is no CGI in a jAlbum-produced gallery - it's not database driven. In fact, there's no server-side processing in such a gallery at all - it consists solely of HTML, CSS, and JavaScript, all of which are simply passed to the visitor's PC, where the only "processing" takes place. Nothing is passed back to the server.

A jAlbum gallery is not directly hackable. It can be affected only if a hacker gains access to your host by some other means, like hacking your PC or your cPanel account. The album itself has no pathway for a hacker to exploit.
parametric

Posts: 11
Registered: 21-Sep-2012
Re: My Website and linked JAlbum instance (12.7.2 - Java 1.8 32bit) got hacked
Posted: 02-Dec-2018 04:59   in response to: jGromit
Thanks JG . . . .

That's good to know. JAlbum has obviously been WELL DESIGNED from the ground up.

It seems it's been got at in the public_html folder, via the cPanel admin login.

My logins have been altered and I'm about to add 2-step authentication, via my phone - which should stop this happening . .

Sorry for the late reply, but thanks for your confirmation . . . .

ATB

parametric
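Because a jAlbum gallery is only HTML, CSS, JavaScript and images, the deployed copy in public_html should match the locally generated output byte for byte, which gives a simple way to confirm whether the gallery itself was touched after a cPanel compromise like the one described above. The script below is an added example, not jAlbum's own code or anything from this thread: it hashes the local build and a downloaded copy of the server folder, lists files that were added, removed or modified on the server, and flags any added or modified file with a server-side script extension, since a static gallery should never contain one. The directory layout, file contents and the tampering it demonstrates are constructed for the demonstration.

```python
"""Integrity check for a statically generated gallery (added example).

Compares a local gallery build against a copy of the deployed folder.
Everything below (file names, contents, the "tampered" files) is
constructed sample data, not real jAlbum output.
"""
import hashlib
import os
import tempfile

# File types that have no place in a client-side-only gallery.
SERVER_SIDE_EXTS = {".php", ".php5", ".phtml", ".cgi", ".pl", ".py",
                    ".asp", ".aspx", ".jsp", ".sh"}


def hash_tree(root):
    """Map each relative path under root to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(local_root, deployed_root):
    """Report how the deployed copy differs from the local build.

    Returns a dict of sorted lists:
      added      - on the server but not in the local build
      removed    - in the local build but missing from the server
      modified   - present in both, contents differ
      suspicious - added or modified files with a server-side extension
    """
    local = hash_tree(local_root)
    deployed = hash_tree(deployed_root)
    added = sorted(set(deployed) - set(local))
    removed = sorted(set(local) - set(deployed))
    modified = sorted(p for p in set(local) & set(deployed)
                      if local[p] != deployed[p])
    suspicious = sorted(p for p in added + modified
                        if os.path.splitext(p)[1].lower() in SERVER_SIDE_EXTS)
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def _write(root, rel, data):
    """Helper: write bytes to root/rel, creating parent directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo():
    """Build a constructed local gallery and a tampered 'deployed' copy.

    The deployed copy gets a script tag injected into index.html and an
    extra .php file, the two things an attacker with cPanel access to
    public_html would most plausibly leave behind. Returns the report.
    """
    local = tempfile.mkdtemp(prefix="gallery_local_")
    deployed = tempfile.mkdtemp(prefix="gallery_deployed_")
    index = b"<html><body><img src='slides/a.jpg'></body></html>"
    files = {
        "index.html": index,
        "res/jalbum.css": b"body{margin:0}",
        "slides/a.jpg": b"\xff\xd8\xff\xd9",  # minimal constructed JPEG bytes
    }
    for rel, data in files.items():
        _write(local, rel, data)
        _write(deployed, rel, data)
    # Constructed tampering on the server side only:
    _write(deployed, "index.html",
           index.replace(b"</body>",
                         b"<script src='//example.invalid/x.js'></script></body>"))
    _write(deployed, "res/cache.php", b"<?php echo 'not part of the gallery'; ?>")
    return compare_trees(local, deployed)


if __name__ == "__main__":
    for key, paths in build_demo().items():
        print(f"{key:10s}: {paths}")
```

In practice you would point `compare_trees` at your jAlbum output folder and at a fresh download of public_html (via SFTP or the cPanel file manager), and treat anything in `suspicious` as evidence of server-side tampering rather than a gallery defect; a changed index.html with no explanation is the other thing to look at first. A clean report does not prove the account is safe, since the attacker may have changed other files or settings outside the gallery, so it complements the password change and two-step verification rather than replacing them.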