PHP Website security


maverick5x

Hello,

I am an intermediate PHP developer working on small and medium size applications. One of my clients complained that a hacker was able to hack the website and change the index page to "hacked by blah blah" which really annoyed me. So I thought he had access to the FTP account and added the index.html (which has priority over index.php in the server configs) but the client keeps telling me that it's been done from my script.

I think I have two things in the application that make it vulnerable:
1) No tag stripping is used, but even so I don't think the hacker can do his attack through injecting HTML code.
2) I use index.php?p=main or index.php?p=orders where p stands for page contains the page it's going to view.

I edited the program filenames once and added a suffix of e.g. orders.mywebsites.php
so if index.php?p=orders is requested the orders.mywebsite.php is included and executed.

The client also told me that there has been a file and that file makes a loop through $_SESSION, $_POST, $_GET to see what the application is saving into these arrays.

I need to know how the hacker was able to add a new file called index.html into the main directory of the application through my program? The client is requesting an immediate solution. What am I going to do? Please help.

it wasn't necessarily done [b]through[/b] your application. all you have to do is leave the hacker a resource by which he/she can gain access to your server. if you're not stripping tags, sometimes this can be done by inserting a simple javascript code snippet that will then hit a third party server and report information about your site. through a couple more steps, a user would then be able to fairly easily gain root access to your site. if you have any sort of file management set up in your CMS, the hacker wouldn't even have to gain server access, but would simply need to create for himself an admin account to have full control over the site.

hope this helps some.

Hello,

Thanks for this.

Actually I think I can handle the first one by stripping tags but I don't think it's the second one, because the application is a company's website through which the clients can order products. Not an ecommerce because the orders are sent to the admin after the client approves the order then the product is shipped to the house and paid for.

So my application only handles the login/logout, placing and viewing orders and an admin panel that admins can view the orders through.

Simple application with a simple idea but I am really lost because I still don't know how to end this problem.

[quote=maverick5x]
2) I use index.php?p=main or index.php?p=orders where p stands for page contains the page it's going to view.
[/quote]
If you're not properly validating "p" then that's the most likely way the user was able to gain access. How are you validating "p"?

EDIT: Adding a suffix isn't enough.

yes, as mentioned above, adding a suffix is never a valid way of including a file. you really need to do something like this where you can determine the possible pages ahead of time and default to a page of your choosing if anything else comes up:
[code]
<?php
$page = isset($_GET['p']) ? $_GET['p'] : '';
switch($page) {
  case "home":
    include("home.php");
    break;

  case "about":
    include("about.php");
    break;

  default:
    include("home.php");
}
?>
[/code]

that's all it takes to assure that people aren't able to run different scripts through your include.

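The allowlist idea from the replies above, written as a lookup table with a fallback, as an added example that is not code from any post in this thread. The `pages` directory, the file names in the map and the function names `page_key` and `page_path` are assumptions chosen to match the `index.php?p=orders` scheme described in the first post.

```php
<?php
declare(strict_types=1);

// Assumed layout: page scripts live in ./pages next to index.php.
const PAGES_DIR = __DIR__ . '/pages';
// Request key => file name. Keys and file names are hypothetical.
const PAGES = [
    'main'   => 'main.mywebsite.php',
    'orders' => 'orders.mywebsite.php',
];
const DEFAULT_PAGE = 'main';

// Map the raw ?p= value to a known key. The value is only compared
// against the table; it never becomes part of a file path.
function page_key($requested): string
{
    // ?p[]=x arrives as an array, so check the type before the lookup.
    if (is_string($requested) && array_key_exists($requested, PAGES)) {
        return $requested;
    }
    return DEFAULT_PAGE;
}

// Resolve a known key to an absolute path, confirming that the file
// exists and sits inside PAGES_DIR (defence in depth against a bad map entry).
function page_path(string $key): string
{
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . PAGES[$key]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("page file for '$key' is missing or misplaced");
    }
    return $real;
}

// Constructed sample inputs: one valid key and several values that are not keys.
$samples = ['orders', 'nosuchpage', '../config', 'http://example.invalid/x', ['a'], null];
foreach ($samples as $p) {
    printf("%-30s => %s\n", json_encode($p, JSON_UNESCAPED_SLASHES), page_key($p));
}

// In index.php the include then becomes:
//   include page_path(page_key($_GET['p'] ?? null));
```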