
PHP Website security


7 replies to this topic

#1 maverick5x

maverick5x
  • Members
  • Member
  • 18 posts

Posted 07 September 2006 - 08:20 PM

Hello,

I am an intermediate PHP developer working on small and medium size applications. One of my clients complained that a hacker was able to hack the website and change the index page to "hacked by blah blah", which really annoyed me. So I thought he had access to the FTP account and added the index.html (which has priority over index.php in the server configs), but the client keeps telling me that it's been done from my script.

I think I have two things in the application that make it vulnerable:
1) No tag stripping is used, but even though, I don't think the hacker can do his attack through injecting HTML code.
2) I use index.php?p=main or index.php?p=orders, where p stands for page and contains the page it's going to view.

I edited the program filenames once and added a suffix, e.g. orders.mywebsites.php,
so if index.php?p=orders is requested, the orders.mywebsite.php is included and executed.

The client also told me that there has been a file, and that file makes a loop through $_SESSION, $_POST, $_GET to see what the application is saving into these arrays.

I need to know how the hacker was able to add a new file called index.html into the main directory of the application through my program. The client is requesting an immediate solution. What am I going to do? Please help.

#2 obsidian

obsidian
  • Staff Alumni
  • Advanced Member
  • 3,202 posts
  • LocationSeattle, WA

Posted 07 September 2006 - 08:26 PM

it wasn't necessarily done through your application. all you have to do is leave the hacker a resource by which he/she can gain access to your server. if you're not stripping tags, sometimes this can be done by inserting a simple javascript code snippet that will then hit a third party server and report information about your site. through a couple more steps, a user would then be able to fairly easily gain root access to your site. if you have any sort of file management set up in your CMS, the hacker wouldn't even have to gain server access, but would simply need to create for himself an admin account to have full control over the site.

hope this helps some.
You can't win, you can't lose, you can't break even... you can't even get out of the game.

<?php
while (count($life->getQuestions()) > 0)
{   $life->study(); } ?>
  LINKS: PHP: Manual MySQL: Manual PostgreSQL: Manual (X)HTML: Validate It! CSS: A List Apart | IE bug fixes | Zen Garden | Validate It! JavaScript: Reference Cards RegEx: Everything RegEx

#3 maverick5x

maverick5x
  • Members
  • Member
  • 18 posts

Posted 07 September 2006 - 08:42 PM

Hello,

Thanks for this.

Actually I think I can handle the first one by stripping tags, but I don't think it's the second one, because the application is a company's website through which the clients can order products. Not an ecommerce site, because the orders are sent to the admin; after the client approves the order, the product is shipped to the house and paid for.

So my application only handles the login/logout, placing and viewing orders and an admin panel that admins can view the orders through.

Simple application with a simple idea, but I am really lost because I still don't know how to end this problem.

#4 obsidian

obsidian
  • Staff Alumni
  • Advanced Member
  • 3,202 posts
  • LocationSeattle, WA

Posted 07 September 2006 - 08:46 PM

if your login form was open to a javascript injection, it is possible that they were able to gain access to your database without too much difficulty, but that still doesn't answer your server access issue. maybe someone else has some more input.

#5 shoz

shoz
  • Staff Alumni
  • Advanced Member
  • 600 posts

Posted 07 September 2006 - 09:15 PM

2) i use index.php?p=main or index.php?p=orders where p stands for page contains the page it's going to view.

If you're not properly validating "p" then that's the most likely way the user was able to gain access. How are you validating "p"?

EDIT: Adding a suffix isn't enough.

#6 maverick5x

maverick5x
  • Members
  • Member
  • 18 posts

Posted 08 September 2006 - 11:20 AM

Hello

The only way of validating is this suffix idea. But I decided to edit the whole application to run every script file on its own, so instead of index.php?p=profile I am calling profile.php. I think it's better and more secure.



#7 tomfmason

tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Locationstealing your wifi

Posted 08 September 2006 - 12:18 PM

there are several other ways that I can think of. You could run the $p variable through a preg_match and then maybe use an in_array with an array of valid pages.

Good Luck,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux


#8 obsidian

obsidian
  • Staff Alumni
  • Advanced Member
  • 3,202 posts
  • LocationSeattle, WA

Posted 08 September 2006 - 12:21 PM

yes, as mentioned above, adding a suffix is never a valid way of including a file. you really need to do something like this where you can determine the possible pages ahead of time and default to a page of your choosing if anything else comes up:
<?php
$page = isset($_GET['p']) ? $_GET['p'] : '';
switch($page) {
  case "home":
    include("home.php");
    break;

  case "about":
    include("about.php");
    break;

  default:
    include("home.php");
}
?>

that's all it takes to assure that people aren't able to run different scripts through your include.
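A concrete version of the page allowlist that shoz, tomfmason and obsidian describe (shape check with preg_match, lookup against a fixed list of pages, safe default), written here as an added example and not code from any of the posters. The pages/ directory, the page names and the resolve_page() helper are assumptions.

```php
<?php
// Added example (not from the thread): allowlist-based loader for index.php?p=...
// The client may only supply a key; the file path is chosen by the server and
// never built from request data, so a suffix on the filename is not relied on.
declare(strict_types=1);

// Assumed layout (hypothetical): page scripts live under ./pages/
const PAGES_DIR = __DIR__ . '/pages';

// Allowed page keys and their files, decided ahead of time as obsidian suggests.
const PAGE_MAP = [
    'main'    => 'main.php',
    'orders'  => 'orders.php',
    'profile' => 'profile.php',
];

/**
 * Resolve the request value for "p" to a file path, or return null if it is
 * not an allowed page. Combines tomfmason's preg_match + allowlist idea with a
 * realpath check so the included file must really sit inside PAGES_DIR.
 */
function resolve_page(?string $p): ?string
{
    // 1. Shape check: only short lowercase identifiers are ever considered.
    if ($p === null || !preg_match('/^[a-z0-9_]{1,32}$/', $p)) {
        return null;
    }
    // 2. Allowlist: the key must be one we defined above.
    if (!array_key_exists($p, PAGE_MAP)) {
        return null;
    }
    // 3. Defence in depth: resolved path must be inside the pages directory.
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$p]);
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['p'] ?? null);
if ($page === null) {
    // Unknown or malformed "p": record it for review, then fall back to main.
    error_log('rejected page request: ' . var_export($_GET['p'] ?? null, true));
    $page = resolve_page('main');
}
if ($page === null) {          // even the default is missing: fail closed
    http_response_code(500);
    exit;
}
include $page;
```

Because the lookup rejects anything outside PAGE_MAP before a path is ever built, values such as an unexpected page name or a path fragment never reach include(); the error_log line gives the admin a record of such attempts.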



