PHP Website Vulnerabilities


Post by rametta on Sun Feb 22, 2009 4:26 pm

Hi,

I'm new to this forum and would like to learn as much as I can after my website got hacked and was used for illegal activities. I have a login page on my site that I designed in PHP, and a few weeks ago I was notified that my website had been hacked and the permissions of my files on my server had all been changed. (Not sure if that was done through PHP or not...)

Here's my question... What steps should I take to protect my website from further hackings? I recently changed my login script, added encryption, a max length, removed unwanted characters, etc.

Is there a chance this can happen again? And if so, how can I prevent it? I'm new to PHP, so I'm not sure if it was through my PHP form or another method. Thanks for your help!

Rametta
rametta
New User
Posts: 3
Joined: Sun Feb 22, 2009 4:21 pm


Re: PHP Website Vulnerabilities

Post by sidebottom on Sun Feb 22, 2009 5:18 pm

Is there a chance this can happen again?


In short? Absofreakin'lutely.

Is it your server or one that you rent from something like web.com?

To protect yourself, try to write the most secure code possible. Know how you can be attacked so you can work to protect yourself from those attacks.

This link is a good start:
http://www.securityfocus.com/infocus/1864
sidebottom
Poster
Posts: 104
Joined: Fri Nov 21, 2008 12:09 am


Re: PHP Website Vulnerabilities

Post by rametta on Sun Feb 22, 2009 5:32 pm

Yeah, it's a server I rent. I'm not even exactly sure how it happened. In the end there were a bunch of folders/files on my server, and every file that existed had a random permission (some set as 777).

Trying to learn the most I can about PHP security to try and prevent this from happening again, but if it was done through another programming language or through my server, then I don't know what to do.

Thanks for the article link, I'll check it out!
rametta
New User
Posts: 3
Joined: Sun Feb 22, 2009 4:21 pm


Re: PHP Website Vulnerabilities

Post by cen on Sun Feb 22, 2009 5:59 pm

I'm new to this forum and would like to learn as much as I can after my website got hacked and was used for illegal activities. I have a login page on my site that I designed in PHP, and a few weeks ago I was notified that my website had been hacked and the permissions of my files on my server had all been changed. (Not sure if that was done through PHP or not...)


I am also new, but have been programming most of my life and thought you might like to hear my thoughts...

Clearly, you now understand the importance of controlling your permissions. This is a VERY important fact. If you allow someone access to files, assume that they will get deleted/altered. Back it up, be prepared to put it back. If you can READ it, someone WILL copy/alter it. If you can modify/delete it, it WILL get destroyed etc...

Here's my question... What steps should I take to protect my website from further hackings? I recently changed my login script, added encryption, a max length, removed unwanted characters, etc.


To start, I'll sum it up with one abbreviation: SSL - If you don't know what this is, learn about it. If you don't know how to utilize it, learn how to.

If you're going to code your own designs and security is a factor, then you MUST learn to implement security into your code. Understand what SQL injections are and how to prevent them; same for XSS and other attacks like these. Watch your permissions: DON'T allow your default user on your database to have FULL access to your data; if you're reading data, then only use a user with read access. HIDE your errors!!! etc...

If you're using 3rd party packages, stay on top of them, SEARCH for ways to hack it yourself, this will help you to resolve the issues. Be prepared to learn languages/packages you don't know anything about...

The articles and forums on HackThisSite provide plenty of information to get started if you want, but the real heart of everything stems from the designers - W3C, Sun, Red Hat, Microsoft, etc...

You won't understand what's being said on this site anyways without a working knowledge of certain languages. Go to their sites and read FROM THE SOURCE how to utilize PHP, Javascript, MYSQL, etc... Then come back here and learn how to inject SQL code, why it's dangerous and how to stop it.

It's a long journey from the beginning though, don't think you'll understand it all in two weeks - Just to understand SQL injections, you likely have to be skilled in SQL, Javascript, HTML, PHP/ASP/CGI/Perl, and able to think outside the box. You should have a working knowledge of how software is 'likely' designed and what the query is doing and why it's even there...

You're already WELL on your way - PHP is a GREAT package to learn in my opinion; it's extremely powerful and enough like C to almost skip learning that completely... If you haven't combined it with MySQL yet, then GET ON THAT! ;)

Just to get started, you should AT least try to learn everything you can about:

The differences between browsers, Javascript, PHP, MySQL, ASP, CGI, HTML, XML, XHTML, DHTML, C/C++, Unix, Windows, CSS, Java, Perl, SQL, etc...

I've been using computers a VERY long time, and I still don't know all of these things (hell, I'm even completely ignorant of some of them, in fact, and there are TONS more). Then again, I wouldn't call myself a 'hacker' either - I'm very good on computers, but there is always someone better - I have other interests besides hacking - Primarily I am a Business Application Designer. As a skilled programmer, it certainly gives me an edge on hacking, even if I don't actually 'hack', but I'm ALWAYS learning, it never ends.

Hacking is nothing more than 'hype' - The real enjoyment is a personal one, it's that feeling you get when you learn something cool and useful. If you don't get that feeling, then you're not getting what being a hacker is all about. A real hacker is competent enough to setup their own servers and hack into them without taking a stupid risk on a server someone else put so much effort into.

You're not dealing with a hacker; a REAL hacker has ethics. Even if they did test their 'injection code' or whatever they did to your site, they would have looked around, maybe left a 'tiny note telling you about the security leak', then silently left. You're dealing with a script kiddie who still thinks that hacking into and defacing a site is cool.

Is there a chance this can happen again? And if so, how can I prevent it? I'm new to PHP, so I'm not sure if it was through my PHP form or another method. Thanks for your help!


Security is extremely complicated, and gets better with time and experience. There is ALWAYS a possibility that a security leak exists somewhere... Security isn't something you can 'just understand', you will ALWAYS be learning about it... It's not the destination, it's the journey... ;)

If you're concerned about your PHP, then I would begin learning and understanding SQL injections (if you're using SQL) or XSS (Cross Site Scripting) etc... If you're vulnerable, it's likely here - alter your code to compensate for the holes. The how-tos for this are in the articles and forums on this site.

This link is AWESOME for understanding SQL Injections:

Or for XSS (sorry, don't know any "GOOD" sites for this), but hey - Google IS our friend:

Good luck...
cen
Experienced User
Posts: 77
Joined: Mon Jun 30, 2008 1:06 pm
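The login hardening cen describes above (prepared statements against SQL injection, a database account with only the access the page needs, and errors kept out of the browser), written out as an added example that is not from the thread or from any poster's code. It assumes PHP 7 or later with the PDO MySQL driver; the database name `shop`, the account `login_ro`, the `users` table and its columns, and the log path are made-up names for illustration. The first function is the pattern that lets a typed value alter the query; the second is the shape a login check should take.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumed schema (names are illustrative):
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255));
// Assumed low-privilege account for the login page (the "read access only" advice):
//   GRANT SELECT ON shop.users TO 'login_ro'@'localhost';

// --- Production error settings: the visitor never sees driver or PHP errors. ---
ini_set('display_errors', '0');  // nothing rendered into the page
ini_set('log_errors', '1');      // ...but every error still reaches the server log
// ini_set('error_log', '/var/log/php/app.log');  // assumed path, set per host

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=shop;charset=utf8mb4',  // assumed DSN
        'login_ro',            // assumed SELECT-only account
        'REPLACE_ME',          // placeholder: load from config outside the web root
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface failures as exceptions
            PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares, not client-side quoting
        ]
    );
}

// --- 1. The vulnerable pattern, shown only for contrast. ---
// The typed username and password are spliced into the SQL text, so the user
// controls part of the statement the database parses (classic SQL injection).
function vulnerableLookup(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT 1 FROM users WHERE username = '$user' AND password = '$pass'";
    $stmt = $db->query($sql);
    return $stmt !== false && $stmt->fetchColumn() !== false;
}

// --- 2. The hardened pattern. ---
function secureLogin(PDO $db, string $user, string $pass): bool
{
    // Length limits first (the "max length" idea from the thread); they are a
    // sanity check, not the defence. The prepared statement below is the defence.
    if ($user === '' || strlen($user) > 64 || strlen($pass) > 1024) {
        return false;
    }

    // The SQL text is fixed at prepare time; the value is sent separately and
    // can never change the statement's structure, whatever characters it holds.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: spend roughly the same time as a real check so the
        // response time does not reveal which usernames exist.
        password_hash($pass, PASSWORD_DEFAULT);
        return false;
    }

    // Passwords are stored as salted bcrypt hashes (password_hash at signup),
    // never as plaintext or a bare MD5/SHA1 digest.
    return password_verify($pass, $hash);
}

// --- 3. The page-level handler: one generic message, details to the log only. ---
function handleLogin(array $post): string
{
    try {
        $ok = secureLogin(connect(), (string)($post['user'] ?? ''), (string)($post['pass'] ?? ''));
        // Same message for "no such user" and "wrong password".
        return $ok ? 'Welcome.' : 'Invalid username or password.';
    } catch (PDOException $e) {
        error_log('login: database failure: ' . $e->getMessage()); // full detail stays server-side
        return 'Service temporarily unavailable.';                  // no table names or SQL reach the browser
    }
}

echo handleLogin($_POST), PHP_EOL;
```

The point of the side-by-side is that the hardened version does not rely on "removing unwanted characters": with a real prepared statement there is no quoting step for an attacker to get past, so the filter becomes a length check and nothing more. The `login_ro` account means that even a bug elsewhere in the page cannot be turned into an UPDATE or a file write through this connection, which is the "read access only" advice from the post.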


Re: PHP Website Vulnerabilities

Post by rametta on Sun Feb 22, 2009 7:27 pm

Hey, thanks a lot for the post. I think it's going to help me a bunch.

At the start I wasn't too into security, which is probably why/how my website got hacked. But ever since it happened about a month ago I've been reading everything I can on PHP, Javascript, and MySQL security. There's so much to learn, and when you finally implement a "new security feature" it's only a matter of time before you figure out how to hack it yourself. It makes you think of new ways to protect your website.

I appreciate all your guys' help and article links. Thanks
rametta
New User
Posts: 3
Joined: Sun Feb 22, 2009 4:21 pm

