beckerdt Posted July 9, 2011

All you website security gurus I need a favor. I am fairly new to PHP/MySQL and by no means an expert on securing websites. I am building a family website and have reached my first couple of milestones. What I want to do before I go any further is make sure that I do not have any major security holes in my website. I understand that this is a family website and the likelihood of my site getting hacked is remote, but I still don't want to leave the front door open if you know what I mean.

Please take a look at my site located at http://beckerfamily1.com/testing and see if you can gain access using common hacking techniques. If you find a security hole please contact me ASAP at webmaster@beckerfamily1.com with the details. I will be very grateful. Thank you in advance for your assistance.

PS- For those that wish to do me harm this is a clean testing server on a secluded network you will not gain anything useful if you hack into it should you find a security hole.

QuickOldCar Posted July 10, 2011

As far as I could tell was pretty secure. Able to use any email to register, but then couldn't activate or login because it was some bs email.

I already had this message from trying random GET requests and feared being banned.

The URL has been modified!
Your IP Address: 74.97.81.93 has been recorded.

beckerdt Posted July 10, 2011 Author

Thanks for the reply. I activated your account so you could test more if you like.

QuickOldCar Posted July 10, 2011

New page with guest rights was created:

http://beckerfamily1.com/testing/index.php?id=27

Page Error
Sorry this page is no longer avalible. If you feel you have reached this page in error please contact the website administrator at webmaster-at-beckerfamily1.com

beckerdt Posted July 10, 2011 Author

Once again thanks for the help. I need to clarify the error message you received. The reason you got that message is because the pages you created had not been approved for display. I will modify the message before proceeding with the build. I'm also happy to see that the code you entered into the hack page did not execute. I spent a lot of time trying to find a way to keep that from happening.

cssfreakie Posted July 11, 2011

I moved your topic to the beta testing area, could you add a proof of ownership on your server as required in the sticky? http://www.phpfreaks.com/forums/index.php?topic=232470.0

beckerdt Posted July 11, 2011 Author

As requested I have placed a text file in the root directory of my domain. http://beckerfamily1.com/phpfreaks.txt

beckerdt Posted July 11, 2011 Author

Could someone take a look at the security, particularly URL security, in the forum section of my site? I stopped using encryption when passing variables in the URL mainly to simplify the script and because encrypting and checking was getting tedious. In the forum section I started using preg match function to look for what is expected. This made the script much cleaner and less tedious but I am afraid that I may have sacrificed some security.

Coreye Posted July 12, 2011

Full Path Disclosure: (http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm)

http://beckerfamily1.com/testing/forum/topics.php?f[]

Warning: preg_match() expects parameter 2 to be string, array given in J:\www\www.beckerfamily1.com\testing\functions\functions.php on line 169

beckerdt Posted July 12, 2011 Author

Thank you! This is very helpful. Can you recommend a method other than preg match or encrypting the URL that is secure? I thought of using sessions to pass everything but I think that might cause problems when it comes to setting and unsetting session variables.

beckerdt Posted July 13, 2011 Author

I think I have come up with an alternative to preg match. I have changed the function to use ctype_digit(). I did a search on the internet for known issues with ctype_digit() and didn't find anything. I tested it on my website and it seems to be working.

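Added example, not part of the thread and not the site's code: one way to read a numeric id such as the `f` parameter so that an array (`?f[]`) or a non-digit value is rejected before any string function sees it, with PHP warnings kept out of the response. The function name `read_id`, the 9-digit limit and the sample inputs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Keep PHP warnings (and the file paths they contain) out of the response;
// they are still written to the error log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Return a positive integer id from a request array, or null when the value
 * is missing, is not a string (?f[] arrives as an array), or is not all digits.
 * read_id() and $maxDigits are hypothetical names for this example.
 */
function read_id(array $request, string $key, int $maxDigits = 9): ?int
{
    $value = $request[$key] ?? null;
    if (!is_string($value)) {
        return null;                       // arrays and missing keys stop here
    }
    if ($value === '' || strlen($value) > $maxDigits || !ctype_digit($value)) {
        return null;                       // signs, spaces, letters, overlong input
    }
    $id = (int) $value;
    return $id > 0 ? $id : null;
}

// Constructed inputs, shaped like $_GET for the URL in each key.
$samples = [
    'topics.php?f=12'    => ['f' => '12'],
    'topics.php?f[]'     => ['f' => ['']],
    'topics.php?f=12abc' => ['f' => '12abc'],
    'topics.php?f=-1'    => ['f' => '-1'],
    'topics.php'         => [],
];

foreach ($samples as $url => $get) {
    $id = read_id($get, 'f');
    if ($id === null) {
        // Every bad value gets the same generic answer, with no detail about why.
        echo "$url -> 400 Bad Request\n";
    } else {
        echo "$url -> topic id $id\n";
    }
}
```
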
beckerdt Posted July 13, 2011 Author

To anyone starting out like me I want to share this presentation. I stumbled on it while searching the net for web design security. I learned a lot from this presentation. http://darianpatrick.com/presentations/penn_uiconf_08/slides.html

beckerdt Posted July 13, 2011 Author

To anyone starting out like me I want to share this presentation. I stumbled on it while searching the net for web development security. I learned a lot from this presentation. http://darianpatrick.com/presentations/penn_uiconf_08/slides.html

This is also a huge resource. https://www.owasp.org/index.php/Main_Page

beckerdt Posted July 20, 2011 Author

Still working on this same site. Have a quick question. I'm trying to use preg_replace to strip out a section of code but I am having problems getting it to work right.

Code Example:

```php
$str = '<p class="code">some string here</p>';
```

PHP I'm using:

```php
$pattern = array();
$pattern[0] = '!<p class="code">!';
$pattern[1] = '!</p>!';
preg_replace($pattern,"", $str);
```

This strips out the code just as I want with the exception of the space between the p and class.

Returns: some string here //notice the single space at the beginning.

I'm trying to get: some string here //no space at the beginning.

I have been beating my head against the wall trying to find a solution. The reason I'm trying to strip it out in a chunk instead of breaking the preg_replace into pieces is because I don't want to change anything that may be in the string between the tags. Any ideas?

QuickOldCar Posted July 20, 2011

```php
$str = preg_replace('/\s\s+/', ' ', $str);//trims space
$str = str_replace(array('  ','   ','    '), ' ', $str);//converts 2,3 and 4 spaces to one
```

beckerdt Posted July 20, 2011 Author

Using var_dump() I tried my code on a clean page with no css and so on and the beginning space is missing so I am picking up that space from somewhere else. Thanks for the help.

teynon Posted July 24, 2011

beckerdt. I posted a huge security flaw on your website last night. Did you read it / understand it?

beckerdt Posted July 24, 2011 Author

teynon, thanks for looking at my site. I see the two posts you made. It looks like you entered some JavaScript that executed when the page loaded causing the site to behave oddly. It also appears that you were able to delete pages from the site without privileges. I'll admit you have me scratching my head. I really have no idea how you did that. The only way I can think of to keep that from happening is to strip out script tags with preg_replace or something like that.

Where you stationed at? I'm at Ft. Bliss.

teynon Posted July 25, 2011

I have 2 weeks left at Ft. Bragg, NC before I ETS!

The javascript code I posted was just an example. If I wanted to, I could have had it include an external js file that would steal your cookie information and enable me to hijack your browsing session and possibly your username / password.

As for the deleting pages. I can edit and delete any page I want. Sorry for deleting the main page.. Heh...

Your update form / delete form / input form is not being validated. Put this on your local computer and you can modify the ID and do whatever you want to your data.

```html
<html>
<head>
</head>
<body>
<form action="http://www.beckerfamily1.com/testing/includes/edit_page_processor.php" method="post">
<!--This is the ID of the page submitted-->
<input name="id" type="text" value="1" />
<!--This is the ID of the user editing the page-->
<!--<input name="user_id" type="hidden" value="" /> -->
<input name="approved" type="text" value="yes" />
<br />
<!--IF ADMIN SHOW PAGE OWNER-->
<!--TITLE-->
<h2 class="heading">Title:</h2>
<input class="form_box_title" name="title" type="text" value="" size="30" maxlength="30" />
<br /><br />
<!--PAGE VISIBLE-->
<div class="none"><!--This is to correct weird shit happening in IE-->
<h2 class="heading">Page Visible:</h2>
<h2 class="heading"> Yes: <input name="visible" type="radio" value="yes" /> No: <input name="visible" type="radio" value="no" /></h2>
<br /></div><!--This is to correct weird shit happening in IE-->
<!--ACCESS LEVEL-->
<h2 class="heading">Access Level:<br /><span class="yellow">Guest</span> = Public<br /><span class="yellow">User</span> = Only registered users and admins can view.<br /><span class="yellow">Admin</span> = Only admins can view.</h2>
<select name="access">
<option value="" selected="selected"></option>
<option value="admin" >Admin</option>
<option value="user" >User</option>
<option value='guest"' >Guest</option>
</select>
<br /><br />
<!--MOVE PAGE POSITION-->
<h2 class="heading">Move Page Position:<br />
<!--INSTRUCTIONS-->
<span class="yellow">Enter the number position that you want the page to be displayed in the navigation.</span></h2>
<input class="form_box_number" name="position" type="text" size="4" maxlength="4" value="">
<br /><br />
<!--SUMMARY-->
<h2 class="heading">Summary:</h2>
<textarea name="summary" cols="68" rows="5"></textarea>
<br /><br />
<!--CONTENT-->
<h2 class="heading">Content:</h2>
<textarea name="content" cols="68" rows="20"></textarea>
<!--THE BUTTONS-->
<div class="edit_btn">
<br />
<input class="button" name="edit_submit" type="submit" value="Save Page" />
<input class="button" name="delete_page" type="submit" onclick="return confirm('Are you sure you want to delete this page?');" value="Delete Page" />
<a href="index.php">Cancel</a>
</div>
</form>
</body>
</html>
```

beckerdt Posted July 25, 2011 Author

Thanks for the help. Looks like I'm going to go back to the drawing board with this. Good luck with your ETS.

teynon Posted July 25, 2011

You don't need to go back to the drawing board, you just need to verify user credentials when they are posting a form submission. You also need to disallow html in your input title.

beckerdt Posted July 26, 2011 Author

OK, I think I have fixed the security flaw teynon pointed out by using strip_tags() on the title and removed the user_id from the form and placed it into the session for use after form submission.

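Added example, not part of the thread and not the site's code: strip_tags() removes tags but leaves quotes and ampersands untouched, so a title printed back into the form's `value="..."` attribute still needs htmlspecialchars() at output time. The function names and sample titles are constructed for this illustration; the snippet renders the input both ways and parses the result with DOMDocument to show what value a parser actually recovers.

```php
<?php
declare(strict_types=1);

/** The approach from the post above: drop tags, print the rest unchanged. */
function render_stripped(string $title): string
{
    return '<input name="title" type="text" value="' . strip_tags($title) . '" />';
}

/** Encode for the HTML attribute context at the moment of output. */
function render_encoded(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="title" type="text" value="' . $safe . '" />';
}

/** Parse the markup and return the value attribute the parser recovered. */
function parsed_value(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed attributes are expected here
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// Constructed titles: harmless text that still contains HTML metacharacters.
$titles = [
    'Grandpa "Bud" Becker',          // a double quote ends value="..." early
    'Fish & <b>Chips</b> night',     // tags and a bare ampersand
    "Mom's 50th",                    // single quote, covered by ENT_QUOTES
];

foreach ($titles as $title) {
    printf("input:    %s\n", $title);
    printf("stripped: %s\n", parsed_value(render_stripped($title)));
    printf("encoded:  %s\n\n", parsed_value(render_encoded($title)));
}
```
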
teynon Posted July 26, 2011

Just tried it. I can still modify your pages. You need to verify when that form is submitted that the current user has rights to modify the page id.

beckerdt Posted July 27, 2011 Author

@teynon - I bet you can't do it now! Thanks for the help.

teynon Posted July 27, 2011

True, however I now can not edit pages I do have authorization to either.

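Added example, not part of the thread and not the site's code: a form handler that takes the user from the session, checks on every submission that this user may modify the posted page id, and still lets owners edit their own pages (the case raised in the last post). The data layout, the function names and the rule that only admins may set `approved` and `access` are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed data standing in for the pages table (assumed layout).
$pages = [
    1 => ['owner_id' => 10, 'title' => 'Home', 'approved' => 'yes'],
    7 => ['owner_id' => 42, 'title' => 'My trip', 'approved' => 'no'],
];

/** Owners and admins may edit a page; nobody else. */
function can_edit_page(array $user, array $page): bool
{
    return $user['role'] === 'admin' || $page['owner_id'] === $user['id'];
}

/** Apply a posted edit; returns an HTTP status and changes $pages only on 200. */
function handle_edit(array &$pages, array $session, array $post): int
{
    $user = $session['user'] ?? null;      // identity comes from the session,
    if ($user === null) {                  // never from a posted user_id
        return 401;
    }
    $id = $post['id'] ?? null;
    if (!is_string($id) || !ctype_digit($id) || !isset($pages[(int) $id])) {
        return 404;
    }
    $pid = (int) $id;
    if (!can_edit_page($user, $pages[$pid])) {
        return 403;
    }
    // Assumed rule: 'approved' and 'access' can only be set by an admin.
    $allowed = ['title', 'summary', 'content', 'visible', 'position'];
    if ($user['role'] === 'admin') {
        $allowed = array_merge($allowed, ['approved', 'access']);
    }
    foreach ($allowed as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $pages[$pid][$field] = $post[$field];
        }
    }
    return 200;
}

$session = ['user' => ['id' => 42, 'role' => 'user']];   // constructed session
// A forged post aimed at someone else's page, then an edit of the user's own page.
echo handle_edit($pages, $session, ['id' => '1', 'title' => 'x', 'user_id' => '10']), "\n";
echo handle_edit($pages, $session, ['id' => '7', 'title' => 'Trip', 'approved' => 'yes']), "\n";
echo $pages[7]['title'], ' / approved=', $pages[7]['approved'], "\n";
```
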