
Thread: Security issues

  1. #1
    SitePoint Evangelist
    Join Date
    Jun 2010
    Location
    Israel
    Posts
    523
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    Security issues

    Hey everyone,
    I have some security issues. Today I logged into my hosting account and saw a file named xx.txt in my webroot; inside it there was one line saying "hacked by xxx".

    How is it possible? I have no file uploads on my website that allow uploading to the webroot, only to subfolders, and even that only for authenticated users whom I allow.
    I have a contact-us page with a few text/select fields; is it possible that it was done from there, or is there anything else?

    Also, what permissions should my webroot folder have?

    At the moment it has write only for myuser;
    it has read/exec for myuser, IUSR_myuser and Users.

    Hope some1 can help me
    Thanks.

  2. #2
    SitePoint Evangelist
    For POST/GET stuff, for example, should I always use these on them? Is there anything else I should know?
    Code:
    $pageNum=stripslashes(strip_tags($_GET['page']));
    Is it even possible for users to upload a file via POST/GET when there isn't even a file upload field?

  3. #3
    SitePoint Wizard wonshikee's Avatar
    Join Date
    Jan 2007
    Posts
    1,223
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Check who the owner of the file is. That can give you a clue as to whether it was uploaded via PHP or by another method.

    Also if you're using a 3rd party platform, make sure it's up to date on security patches.

  4. #4
    SitePoint Evangelist
    Too late to check for that already, I rushed to delete that file unfortunately...
    I don't use any 3rd party platforms. I changed my hosting password anyway.
    Now I only need an answer to the question above: is the code I showed necessary, and are there any other things I should keep in mind when using POST/GET?

    Also, is there any tool I can use to scan my website for security holes?

  5. #5
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    Join Date
    Jul 2009
    Posts
    1,276
    Mentioned
    18 Post(s)
    Tagged
    0 Thread(s)
    strip_tags would protect against XSS only, which wouldn't be how you got hacked. And stripslashes is only necessary if your PHP has magic quotes enabled, which it shouldn't, and in any case, stripslashes certainly wouldn't increase security.

    If you want to know how you got hacked, you'll have to get someone knowledgeable to do a full audit.

  6. #6
    SitePoint Evangelist
    Hey, I tried to search for magic quotes in the phpinfo() output and found these 3:
    magic_quotes_gpc On
    magic_quotes_runtime Off
    magic_quotes_sybase Off

    Is it the first one that you talked about?

    Also, in some places in my script I'm using $_SERVER['PHP_SELF']; I saw some examples online that use it like htmlentities($_SERVER['PHP_SELF']). Why is that necessary?

  7. #7
    SitePoint Evangelist
    Another question regarding this matter. I keep some data about the site visitors in a database whenever someone is visiting the website; I do it like this (at the beginning of every page):
    Code:
    mysql_query('INSERT INTO stats (IP, agent, lang, ref, visTime, currURL) VALUES ("'
        .$_SERVER['REMOTE_ADDR'].'", "'
        .$_SERVER['HTTP_USER_AGENT'].'", "'
        .$_SERVER['HTTP_ACCEPT_LANGUAGE'].'", "'
        .$refer.'", "'
        .time().'", "'
        .$_SERVER['REQUEST_URI'].'")');
    My question is: are there any security holes here?

  8. #8
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    Yeah, there's definitely a SQL injection security hole there.

    You'll need to read and learn fast.

    http://php.net/manual/en/security.php
    http://www.sitepoint.com/php-security-blunders/
    http://shiflett.org/php-security.pdf

    Or take your site offline until you know security backwards and forwards.

  9. #9
    Foozle Reducer ServerStorm's Avatar
    Join Date
    Feb 2005
    Location
    Burlington, Canada
    Posts
    2,699
    Mentioned
    89 Post(s)
    Tagged
    6 Thread(s)
    Hi, have you ever ssh'ed into the server using an unsecured connection, i.e. not using https, ssl, openvpn or an IPSEC VPN?

    Unsecured ssh sessions are very easy to hack.

    Steve
    ictus==""

  10. #10
    SitePoint Evangelist
    Hey Steve, I'm always connecting to my host through HTTPS.

    Jeff, I've read the links you gave, thanks, but still none of them talks about why the $_SERVER stuff is dangerous?

  11. #11
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    A lot of those values are sent from the browser, and therefore are under the user's control. The user agent and accept language, for example.

  12. #12
    SitePoint Evangelist
    So how can I make it save to my database in a more secure way?

    Also, I read in one of the links you gave that it's good practice to keep all errors in a log file instead of displaying them directly on the screen, also so I'll be able to see where the errors are and fix them. I did it this way; errors do stop displaying on screen (I caused one on purpose), but they're not getting saved to the log file..
    Code:
    ini_set('error_reporting', E_ALL);
    ini_set('display_errors','off');
    ini_set('log_errors', 1);
    ini_set('error_log', 'log.txt');

  13. #13
    SitePoint Evangelist
    Hey guys, anyone to answer my questions from the post above?

    Also this question:
    Also, in some places in my script I'm using $_SERVER['PHP_SELF']; I saw some examples online that use it like htmlentities($_SERVER['PHP_SELF']). Why is that necessary?

  14. #14
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    Quote: So how can i make it save to my database in a more secure way?
    mysql_real_escape_string is sufficient. PDO prepared statements are better.

    Quote: ...not getting saved in log file...
    According to the PHP docs, runtime settings (with ini_set()) won't have any effect if the script has fatal errors, because the desired runtime action does not get executed.

    Quote: ...htmlentities($_SERVER['PHP_SELF']), why...
    Anytime you output a value to HTML, you need to escape any HTML special characters. In the case of a URL, that usually means ampersands.
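The stats INSERT from post #7 rewritten with a PDO prepared statement as suggested here, plus output-time escaping for the stored headers. This is an added example, not code from the thread; the table and column names come from the original query, while the DSN, the credentials and using HTTP_REFERER for the original $refer value are assumptions.

```php
<?php
// Added example (not code from the thread): the visitor-stats INSERT from
// post #7 rewritten with a PDO prepared statement, as recommended in post #14.
// Table and column names come from the original query; the DSN, credentials
// and using HTTP_REFERER for the original $refer value are assumptions.
$pdo = new PDO('mysql:host=localhost;dbname=mysite;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]); // placeholder DSN and credentials; keep the real ones outside the webroot

// Clip browser-supplied headers to the column width so an oversized
// User-Agent cannot cause a truncation error (assumes VARCHAR(255) columns).
function clip(?string $value, int $max = 255): string
{
    return mb_substr($value ?? '', 0, $max);
}

function recordVisit(PDO $pdo): void
{
    // Placeholders instead of string concatenation: the values travel to MySQL
    // separately from the SQL text, so a quote or semicolon in the User-Agent,
    // Accept-Language, Referer or request URI is stored as data, never parsed.
    $stmt = $pdo->prepare('INSERT INTO stats (IP, agent, lang, ref, visTime, currURL)
                           VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute([
        $_SERVER['REMOTE_ADDR'] ?? '',
        clip($_SERVER['HTTP_USER_AGENT'] ?? null),
        clip($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? null),
        clip($_SERVER['HTTP_REFERER'] ?? null),
        time(),
        clip($_SERVER['REQUEST_URI'] ?? null),
    ]);
}

// Escaping belongs at output time: the stored headers are still untrusted when
// they are shown on a stats page later (post #14's htmlentities point).
function showRecentVisits(PDO $pdo): void
{
    $rows = $pdo->query('SELECT IP, agent, currURL FROM stats ORDER BY visTime DESC LIMIT 20');
    foreach ($rows as $row) {
        echo '<tr>';
        foreach (['IP', 'agent', 'currURL'] as $col) {
            echo '<td>', htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8'), '</td>';
        }
        echo '</tr>';
    }
}

recordVisit($pdo);
```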

  15. #15
    Foozle Reducer ServerStorm's Avatar
    @ulthane

    The header values that you are using directly should be cleaned first and then used. Prepared statements, as @Jeff Mott recommends, are a good way to escape 'bad' values going into the database, but you may be using the header values in other ways, such as in sessions, and then you get into a number of other types of security attack vectors.

    The one article that @Jeff Mott recommended, http://shiflett.org/php-security.pdf, has very clear examples, especially if you are not familiar with the types of attack vectors that PHP apps tend to be vulnerable to if not treated correctly.

    Regards,
    Steve
    ictus==""

  16. #16
    SitePoint Evangelist
    OK, thank you guys, I think I got it secured enough for now.

  17. #17
    SitePoint Evangelist
    Hmm, well I've had the settings I wrote above for a few days now and nothing gets written to the log file. Did I really do it the right way?
    Code:
    ini_set('error_reporting', E_ALL);
    ini_set('display_errors','off');
    ini_set('log_errors', 1);
    ini_set('error_log', '/log.txt');
    Also, does ini_set accept an absolute path, or must it be relative?

  18. #18
    SitePoint Evangelist
    No one knows how to save errors into log files ... ?

  19. #19
    SitePoint Wizard bronze trophy Jeff Mott's Avatar
    The code you posted in post #12 worked fine for me, provided the error was not a fatal error.

  20. #20
    SitePoint Evangelist
    Well, I tried again; the error does get hidden from the screen, but it's not getting written to my log file and I've got no clue what I'm doing wrong... Does the folder need to have write privileges? Does the path need to be absolute or relative?

  21. #21
    SitePoint Evangelist
    Changed to an absolute path and it worked... >.<

    Got one more question: I've got a conn.php file included in all of my pages, containing the code to connect to the DB. Will it add any more security if I put it outside of the webroot? Is it recommended?

    Now how do I block the file from being viewed when entering the URL in the browser?
    I tried an example with .htaccess online but it didn't work for me (again )

    Code:
    <Files logs.txt>
     Order allow,deny
     Deny from all
     Satisfy All
    </Files>
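A bootstrap file that puts the two things discussed in this thread, the error log and conn.php, outside the webroot and builds the log path as an absolute path from the script's own location. This is an added example, not code from the thread; the directory layout, file names and the fallback behaviour are assumptions.

```php
<?php
// Added example (not code from the thread): a bootstrap.php included at the top
// of every page. It logs PHP errors to a file outside the webroot and pulls
// conn.php from outside the webroot too, so neither can be fetched through the
// browser whatever the .htaccess says. Paths below are assumed placeholders:
//   /home/myuser/public_html/bootstrap.php   <- this file, inside the webroot
//   /home/myuser/private/conn.php            <- DB credentials, not web-readable
//   /home/myuser/private/logs/php-errors.log <- error log, not web-readable
$privateDir = dirname(__DIR__) . '/private';  // absolute, derived from this file's location
$logFile    = $privateDir . '/logs/php-errors.log';

// A relative error_log path such as 'log.txt' is resolved against the process's
// current working directory, which is usually not the script's directory, and
// '/log.txt' points at the filesystem root, which the web server's account
// normally cannot write. Always pass an absolute path under your own directory.
error_reporting(E_ALL);
ini_set('display_errors', '0');   // never show errors to visitors
ini_set('log_errors', '1');
ini_set('error_log', $logFile);

// Logging also fails silently when the directory is missing or the web server's
// account (IUSR_* on IIS, www-data on Apache) cannot write there, so check once
// and fall back to the server's default log rather than losing the errors.
$logDir = dirname($logFile);
if (!is_dir($logDir) || !is_writable($logDir)) {
    ini_restore('error_log');
    error_log("bootstrap: $logDir is not writable; using the server default log");
}

// ini_set() only takes effect once this file has been parsed and run: a parse
// error in this file, or a fatal error before this point, is still governed by
// php.ini (post #14's caveat). Keep these lines first, in a file of their own.
require $privateDir . '/conn.php';

// Smoke test: this notice should land in the log file and never on screen.
trigger_error('bootstrap loaded', E_USER_NOTICE);
```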
