
Basically there is no simple howto to stop your site from getting hacked. Though not running a general web app is a good start, since most of the hackers that attack PHP sites do it using Google to find vulnerable versions.

 

Simple list of things to stop php attacks.

 

Avoid putting variables in include/require statements. Stops Remote and Local File Inclusions.

Don't put unsanitized data into SQL statements.

Check any comment/user input systems don't allow users to inject PHP or HTML into your site. Converting "<" to > is an easy way to do it.

etc

 

Once your PHP is secure then you only need to worry about server applications like Apache, FTP, SSH, BIND, etc. There is a reason people get paid a lot to do computer security.

the thing about web development.. it's NEVER 100% safe or secure.. or any kind of programming, you can always do your absolute best for the current threats, but eventually people find new ways in or whatever, with Joomla and OTHER open source applications, you basically are giving away tons of key details to your site..

 

for example, if you have Joomla and so do I. I know all your table names and fields to select.. what tables to drop which would mean a lot to you.. etc.. I could comb through my Joomla and read every query and find out which query isn't being escaped correctly and then find your page that leads to that query and whatever, you know what I'm saying?

 

all you need to do.. store sensitive files away from your public directory so no user can get to it by simply browsing to it.. and then PUSH the data out with php..

 

secure all incoming data.. $_POST $_GET if it's supposed to be an int.. just type cast it to int.. if string.. use mysql_real_escape_string

 

never do something like this:

<?php
  // user-controlled value goes straight into include: remote or local file inclusion
  include($_GET['file']);
?>

 

do something more like

 

<?php
  // the prefix stops a URL from being included, but a ../ sequence is not blocked
  include('includes/'.$_GET['file']);
?>

 

that way it could not possibly be evaluated as an external file since PHP will have ...../includes/http://whatever.com/jhgaa.php

 

and you will most likely get an error instead of XSS

 

never trust users on your site everything that comes from them process it until you're content..

 

use cookies for storing session ids and sessions for storing pass hashes usernames id numbers etc so that you keep all user specific or classified information on the server not in a cookie on the user's computer

never do something like this:

<?php
  include($_GET['file']);
?>

 

do something more like

 

<?php
  include('includes/'.$_GET['file']);
?>

 

1st example is vulnerable code to an RFI attack. As pointed out though, he got confused with XSS and RFI.

2nd example is vulnerable code to an LFI attack. $_GET['file'] can contain "../../../../../../../etc/password" and the file may well open and be displayed.

XSS is remote file inclusion..

 

and local file inclusion, how will the user KNOW what to include? but either way you probably should do something like

 

<?php
// map the request parameter onto a fixed set of files we chose ourselves
switch ($_GET['file']) {
  case '':
    $file = 'whatever';
    break;
  default:
    // unknown value: fall back to a known file instead of including user input
    $file = 'whatever';
    break;
}
// double quotes (or concatenation) are needed so $file is actually interpolated
include("include/$file");
?>

 

like most people do either way, but I don't see a point in protecting against 'LFI' if you're coding it yourself

 

 

Reason to avoid LFI even if you are coding it yourself is because there are people who go firing in all sorts of data into POST and GET variables to see if they can get data. That's how stuff gets hacked.

 

Also seems you need to read http://en.wikipedia.org/wiki/Cross-site_scripting
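The switch-based idea from the earlier post and backie's point about people firing arbitrary data into GET variables can be combined into one resolver. This is an added example, not code from any post in this thread; the names resolveInclude, $allowedPages and $baseDir are assumptions chosen here, and the demo directory and inputs are constructed.

```php
<?php
// Added example (not from any post in this thread): an allowlist-based
// include resolver. resolveInclude(), $allowedPages and $baseDir are
// assumed names chosen for this example.

/**
 * Map an untrusted "file" parameter onto a file inside $baseDir.
 * Returns the resolved real path, or null when the request is rejected.
 */
function resolveInclude(string $requested, string $baseDir, array $allowedPages): ?string
{
    // 1. Allowlist: only names we enumerated ourselves are acceptable.
    if (!array_key_exists($requested, $allowedPages)) {
        return null;
    }
    $candidate = $baseDir . DIRECTORY_SEPARATOR . $allowedPages[$requested];

    // 2. Defence in depth: the resolved path must still sit below $baseDir,
    //    so even a bad entry in the map cannot reach outside the directory.
    $real = realpath($candidate);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;                       // file or base directory does not exist
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // escaped the include directory
    }
    return $real;
}

// Constructed demo environment: a temp directory with one legitimate include.
$baseDir = sys_get_temp_dir() . '/includes_demo_' . getmypid();
mkdir($baseDir);
file_put_contents("$baseDir/home.php", "<?php echo \"home page\\n\";");
$allowedPages = ['' => 'home.php', 'home' => 'home.php'];

// Constructed inputs: two normal requests, then the kind of values a probe sends.
foreach (['', 'home', '../../../../etc/passwd', 'http://example.invalid/x.php', 'home.php'] as $input) {
    $path = resolveInclude($input, $baseDir, $allowedPages);
    printf("%-34s => %s\n", var_export($input, true), $path === null ? 'rejected' : 'included');
    if ($path !== null) {
        include $path;
    }
}

unlink("$baseDir/home.php");
rmdir($baseDir);
```

Only the two allowlisted names are included; the traversal string, the URL and the raw filename are all rejected before include ever sees them.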

 

 

 

wow, I had it confused, someone told me that's what XSS was so I just called it XSS since then lol, but still, 'firing' all sorts of data is still a really long shot, if a shot at all, but most coders work around it either way, but obviously it's a security risk, so, good catch backie
