SitePoint Sponsor

User Tag List

Results 1 to 4 of 4
  1. #1
    SPF Lifer
    Join Date
    Apr 2000
    Posts
    299
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Security Questions - Help

    Hi there,

    I have two questions.

    1) On another site that I run, I have an admin/admin.php section. Now, obviously this section requires a username and password. My friend tells me he can hack into it, but it will take time. I can understand that there might be a program out there that goes through every word and number combination, finally resulting in the correct password. How true is this? Wouldn't my host recognize something like this before it happened?

    2) I am currently revamping my site in a test directory. I.E. www.domain.com/test/. In CPanel, I made it so that this directory requires a username and password. My friend was able to see all the files in that directory without knowing the username or password. How is this done? Is there a program out there that can sift through content? He wasn't able to delete/edit anything, just view.

    Thanks in advance.

  2. #2
    Drupaler bronze trophy greg.harvey's Avatar
    Join Date
    Jul 2002
    Location
    London, UK
    Posts
    3,258
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    1) There are password 'guessers' out there which work to varying degrees of success but it's pretty easy to devise a simple account locking mechanism to stop this kind of thing. Your main problem is that without an encrypted HTTP connection (SSL) then it would be possible (though unlikely) to 'hack' for anyone who knows what they're doing and (the tricky bit) had a means to get a machine between your home computer and the server. In that instance they could simply listen to traffic to and from your server via HTTP (or FTP or any other unencrypted connection you might make) and pull the data they wanted (e.g. passwords) from the unencrypted packets you're sending. No need to guess - you just gave them everything they need!

    SSL, if you deem it necessary, is a pretty good way to ensure your site's security as long as you're confident your code holds up and your hosting company is up to speed. It closes the final loophole, as it were, for most would-be hackers.

    All that said, I suspect your buddy is talking crap (no offence) and I think you should tell him to hack away! It would be an interesting test anyway. Assuming he's successful, he won't do anything too nasty if he's a friend. Frankly I don't think he'll manage. And in the grander scheme of things the reality is no one will probably ever bother to hack you ... there are much more tempting targets. As long as your hosting company has all the known issues covered (the easily exploitable ones), and they almost certainly will, no one will ever get past the initial automated vulnerabilities checks you see several times a day in your HTTP logs. So in other words, don't worry about it - you're not the Pentagon!

    By the way, your hosting company wouldn't notice someone successfully accessing your admin script unless it directly affected their systems in some way. And if they're good, then it won't be possible for a user to directly affect their systems in ANY way via a PHP script. So no, your hosting company wouldn't notice and you can't expect them to.

    2) Sounds like a problem with cPanel. It creates a .htaccess file and should have added a username and password pair to that file to protect the directory and its contents. If that isn't the case, for some reason cPanel hasn't written this .htaccess file correctly (or perhaps it has the wrong permissions). Are you sure you applied everything correctly? Go through the process again and see if it works second time. If the .htaccess file is in place and contains the correct information for Apache then there is no bypass for it - no 'special' browsing software that can get around it.

    G

  3. #3
    Drupaler bronze trophy greg.harvey's Avatar
    Join Date
    Jul 2002
    Location
    London, UK
    Posts
    3,258
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    BTW, this explains one way someone might be able to intercept your HTTP traffic:
    http://www.menandmice.com/9000/9211_dns_spoofing.html

    Of course, with SSL this doesn't matter because only the authentic, legitimate destination server (your web server) can 'unlock' the packet you sent so while someone else is still re-routing your traffic, it's useless to them. The point with SSL is the 'key' used to unlock the packets is only valid for the session, which is unlikely to be more than half an hour long, and even with a super computer it takes longer than half an hour to crack 128-bit encryption. So no one bothers.

  4. #4
    SitePoint Wizard silver trophybronze trophy asp_funda's Avatar
    Join Date
    Jun 2003
    Location
    ether
    Posts
    4,497
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    Cool

    well, I would say that you should design your application in such a way so that after a number of failed attempts(say after 5 failures), the script would be rendered inaccessible for a specific period of time(depending on you, say for 5-6 hours or 12 hours). this would prevent it from automated bot attacks which will try to access the script by using random passwords to guess the right password.

    also, then there're the obvious SQL Injections, you should read up on them(if you don't know about them) and safe guard your application against them.
    Our lives teach us who we are.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Me - Photo Blog - Personal Blog - Dev Blog
    iG:Syntax Hiliter -- Colourize your code in WordPress!!


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •