sawade Posted August 19, 2009 Share Posted August 19, 2009 Hello. I am testing a script to make sure it is capturing user IP addresses correctly, please use my email address in the email field (dontuwish2105 [at] yahoo [dot] com). https://www.medsolutionservices.com/secureforms/forms/demo/hipaaprivacy.php Is the form. The ownership file is on the main home page in the footer. OR - https://www.medsolutionservices.com/secureforms/phpfreaks.txt Thanks! Link to comment Share on other sites More sharing options...
darkfreaks Posted August 20, 2009 Share Posted August 20, 2009 Microsoft IIs5 NTLM authentication: a remote attacker could bypass this. Fix: upgrade IISv5 to IISV6 WebDav|TRACE|TRACK Enabled: attackers may use these methods to gain remote access to a script. FIx: disable these methods via server Link to comment Share on other sites More sharing options...
sawade Posted August 24, 2009 Author Share Posted August 24, 2009 WebDav|TRACE|TRACK Enabled: attackers may use these methods to gain remote access to a script. FIx: disable these methods via server How would I fix that? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 24, 2009 Share Posted August 24, 2009 login to the server and disable those methods on the php.ini file or use .htaccess to disable. Link to comment Share on other sites More sharing options...
sawade Posted August 25, 2009 Author Share Posted August 25, 2009 Thank you. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 25, 2009 Share Posted August 25, 2009 let me know when the server software is up to date and those methods have been disabled. so i can test again. Link to comment Share on other sites More sharing options...
sawade Posted August 25, 2009 Author Share Posted August 25, 2009 let me know when the server software is up to date and those methods have been disabled. so i can test again. Okay disabled Link to comment Share on other sites More sharing options...
darkfreaks Posted August 25, 2009 Share Posted August 25, 2009 think i may have tested the wrong site LOL you are running unix not Windows anyhow this is what i got Outdated Apache SSL: Fix: Update to SSL 2.8.19 or greater Cross Site Scripting(XSS): User can attack the script remotely and byass it completely or gain access. Unfiltered variables: fname,lname,ssn,mname,email,dobyr Fix: use strip_tags(), trim() to filter vars. Link to comment Share on other sites More sharing options...
sawade Posted August 25, 2009 Author Share Posted August 25, 2009 I don't know how I would update the ssl, it's not mine. Co-worker bought it. Fixed variables. For the XSS: When the site is finished and is moved, all form php files will be moved off of the public_html directory. Will that fix this? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 25, 2009 Share Posted August 25, 2009 properly filtering your php variables with strip_tags() and trim() should fix it if not most of it let me finish scanning and ill check ok? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 25, 2009 Share Posted August 25, 2009 CrOss Sure Scripting in Uri: Unfiltered variables: PHP_SELF,REQUEST_URI,SCRIPT_URL,SCRIT_URI Fix: filter with htmlspecialchars() Email adress found: Fix: Spam Proof Email and about your server stuff contact your web host and tell them to upgrade to SSL 3.0 since your paying for it or he is. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 25, 2009 Share Posted August 25, 2009 also rechecked your cross site scripting its getting alot better. went from 600 attacks to 200. so it isnt getting all of it. Check out: XSS function this might pick up the left over attacks. Link to comment Share on other sites More sharing options...
sawade Posted August 25, 2009 Author Share Posted August 25, 2009 Email adress found: Fix: Spam Proof Email Yeah I have that fixed. I am moving my smtp login info into a seperate file and placing it out of public directory. Thanks for the help. I will post again when I have updated. Link to comment Share on other sites More sharing options...
sawade Posted August 25, 2009 Author Share Posted August 25, 2009 also rechecked your cross site scripting its getting alot better. went from 600 attacks to 200. so it isnt getting all of it. Check out: XSS function this might pick up the left over attacks. Made some more updates. My list of these updates to make to my other forms is growing. LOL That's the point of all this though right. Trial and error. Getting it wrong is how we learn. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 25, 2009 Share Posted August 25, 2009 its all been fixed except for: Cross Site Scripting in URI: Affected file: demo.php Unfiltered variable(s): PHP_SELF,REQUEST_URI,SCRIPT_URL,SCRIPT_URI FIx: filter the variable Email Adress Found(3): Affected Files: demo.php,demo2.php,hipaaprivacy.php Link to comment Share on other sites More sharing options...
sawade Posted August 26, 2009 Author Share Posted August 26, 2009 its all been fixed except for: Cross Site Scripting in URI: Affected file: demo.php Unfiltered variable(s): PHP_SELF,REQUEST_URI,SCRIPT_URL,SCRIPT_URI FIx: filter the variable Email Adress Found(3): Affected Files: demo.php,demo2.php,hipaaprivacy.php Phew. That was a lot of code to go through. But it's all done. All variables filtered and all email addresses removed. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 26, 2009 Share Posted August 26, 2009 Email Adress Found(2): Affected Files: demo.php,demo2.php,hipaaprivacy.php ^ well at least you removed one adress Link to comment Share on other sites More sharing options...
sawade Posted August 27, 2009 Author Share Posted August 27, 2009 its all been fixed except for: Cross Site Scripting in URI: Affected file: demo.php Unfiltered variable(s): PHP_SELF,REQUEST_URI,SCRIPT_URL,SCRIPT_URI FIx: filter the variable Email Adress Found(3): Affected Files: demo.php,demo2.php,hipaaprivacy.php OKay, the only thing I could think of was that it is able to find the file where the email address were kept. SO - I moved the files with email addresses out of the public_html area and into a non accessible area. Ran my tests, and the forms still work fine. *fingers crossed* Link to comment Share on other sites More sharing options...
darkfreaks Posted August 28, 2009 Share Posted August 28, 2009 Backup Files: Backup files may contain script or resources attackers can use to prepare attacks with. Affected file: demo2.php Fix: Remove the backup file Broken Link: Causes the url to error. Affected: demo/function.implode Fix: remove link to this file or make it accessible. as for the email thing it got worse. i think rewriting spambots to your .htaccess file would help ward off this low level spam attack. Click here for example Link to comment Share on other sites More sharing options...
sawade Posted August 29, 2009 Author Share Posted August 29, 2009 hmmm... I don't know about the backup files. Couldn't find any. I am aware of the implode issue. I did some more tweaking of the htaccess. Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2009 Share Posted August 29, 2009 that didnt work however using a robots.txt file might work if you want to read up on how to implement it into your script but the following code will stop a directory from being accessed and stop bots. User-agent: * Disallow: /secureforms/forms/demo User-agent: Googlebot Disallow: / User-agent: googlebot-image Disallow: / User-agent: googlebot-mobile Disallow: / User-agent: MSNBot Disallow: / User-agent: Slurp Disallow: / User-agent: Teoma Disallow: / User-agent: twiceler Disallow: / User-agent: Gigabot Disallow: / User-agent: Scrubby Disallow: / User-agent: Robozilla Disallow: / User-agent: Nutch Disallow: / User-agent: ia_archiver Disallow: / User-agent: baiduspider Disallow: / User-agent: naverbot Disallow: / User-agent: yeti Disallow: / User-agent: yahoo-mmcrawler Disallow: / User-agent: psbot Disallow: / User-agent: asterias Disallow: / User-agent: yahoo-blogs/v3.9 Disallow: / User-agent: * Disallow: / Disallow: /cgi-bin/ Link to comment Share on other sites More sharing options...
sawade Posted August 29, 2009 Author Share Posted August 29, 2009 User-agent: * Disallow: /secureforms/forms/demo But won't that make it so the files in that directory won't show? Link to comment Share on other sites More sharing options...
darkfreaks Posted August 29, 2009 Share Posted August 29, 2009 it shouldnt? it just makes it not visible to automated programs. Link to comment Share on other sites More sharing options...
sawade Posted August 30, 2009 Author Share Posted August 30, 2009 Took the advice. Implemented a robots.txt file. Will probably put something in the meta tags as well. But it's the weekend, heeehee can wait for work to start again monday. Link to comment Share on other sites More sharing options...
darkfreaks Posted September 4, 2009 Share Posted September 4, 2009 nice you cleaned it up abit. however your file is still vunerable. try: User-agent: * Disallow: /secureforms/forms/demo/hipaaprivacy.php Link to comment Share on other sites More sharing options...
Recommended Posts