widget Posted January 28, 2008 Share Posted January 28, 2008 I have a site at work that keeps being hacked. All they mainly manage to do it change the title attribute. Could someone please enlighten me as to how the hackers are getting in and what I can do to stop them. Here is the php code that pulls the meta data <? if (!empty($_GET)) { $page = $_GET['p']; } else { $page = 'home'; } $file = 'meta/' . $page . '.txt'; if(is_file($file)) { include($file); } else { include('home.txt'); } ?> Here is the php code to determine the page. <? if (!empty($_GET)) { $page = $_GET['p']; } else { $page = 'home'; } if ($page == "studentloginpage") { $file = 'studentloginpage.php'; } else { $file = $page.'.htm'; } if(is_file($file)) { include($file); } else { include('home.htm'); }?> Here is the php code that determines the page banner <div id="pageBanner"> <img src="images/<? if (($page == "home") || ($page == "home2") || ($page == "solutions") || ($page == "product") || ($page == "testimonials") || ($page == "gettingStarted") || ($page == "aboutus") || ($page == "contact")){ echo $page; } else { echo "generic"; }?>Banner.jpg" <?php echo $page ?> page banner" class="banner"></img> </div> <div id="content"><? if (!empty($_GET)) { $page = $_GET['p']; } else { $page = 'home'; } if ($page == "studentloginpage") { $file = 'studentloginpage.php'; } else { $file = $page.'.htm'; } if(is_file($file)) { include($file); } else { include('home.htm'); }?> Quote Link to comment Share on other sites More sharing options...
amites Posted January 28, 2008 Share Posted January 28, 2008 just to check, have you changed all the passwords to the server? Quote Link to comment Share on other sites More sharing options...
widget Posted January 28, 2008 Author Share Posted January 28, 2008 yep, password changed , the whole server has changed actually. Quote Link to comment Share on other sites More sharing options...
btherl Posted January 29, 2008 Share Posted January 29, 2008 What happens if someone sends a value like "../file" as $_GET['p'] ? Regarding changing the title, which part of the code are you talking about? Where is the title set? Is it the banner image? Quote Link to comment Share on other sites More sharing options...
kratsg Posted January 29, 2008 Share Posted January 29, 2008 Your main problem derives from this piece of coding: if (!empty($_GET)) { $page = $_GET['p']; } else { $page = 'home'; } The security flaw is that you have a false sense of security. You're only checking to see if the $_GET was null, (doesn't say anything about $_GET['p'] being null, just that the array of $_GET is null...) This means if $_GET['something_else'] was defined, $page would be set to null in actuality. What I would do is create an array of possible values you'd expect for $page, use an if(in_array()) to check to make sure it's valid, and die if it's not. The obvious reason for the security flaw is that you are including whatever the user says, so they can probably use some interesting hack to bypass it and change something with the title. Quote Link to comment Share on other sites More sharing options...
widget Posted January 29, 2008 Author Share Posted January 29, 2008 Regarding changing the title, which part of the code are you talking about? Where is the title set? Is it the banner image? The title comes from the meta tag include. There is no meta data hard coded on any page. Including the index.php file. After the site has been hacked the meta tag title has been hard coded into the index.php file but the included meta tag.txt file is untouched. oh god I hope that all makes sense lol Quote Link to comment Share on other sites More sharing options...
kratsg Posted January 29, 2008 Share Posted January 29, 2008 Regarding changing the title, which part of the code are you talking about? Where is the title set? Is it the banner image? The title comes from the meta tag include. There is no meta data hard coded on any page. Including the index.php file. After the site has been hacked the meta tag title has been hard coded into the index.php file but the included meta tag.txt file is untouched. oh god I hope that all makes sense lol That means direct FTP access, if I understand you correctly. The hackers manually change your file to include a new piece of coding (this meta tag)? Quote Link to comment Share on other sites More sharing options...
btherl Posted January 29, 2008 Share Posted January 29, 2008 So they are able to edit index.php? But all they do is change a meta tag? It seems like odd behaviour for a hacker. Is it someone you know? It doesn't necessarily require ftp access to do that. There could be many ways it's done. Can the potential hackers (probably a student I would guess) place files on the same server in some other location? Perhaps uploading via ftp, or submitting via a form elsewhere? If so, those files could be placed and then included by sending an appropriate $_GET['p'] argument. If that's the case, you can fix it by making a list of allowed $_GET['p'] values. This list can be stored in a separate file so you don't need to copy it everywhere. Then you can have your script display the default page if anything you don't recognize is requested. Quote Link to comment Share on other sites More sharing options...
legohead6 Posted January 29, 2008 Share Posted January 29, 2008 or there putting a piece of code in your page via a form that is opening the doc to edit, like fopen... what are your permissions on index? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.