Hack My Website

[-65536-]

Hello, I am developing a website that I am going to run on my desktop. I'm building this website so that a limited number of users can access some web apps I'm developing. I have pretty much competed the authentication code and I am almost ready to start building the content.

I was wondering if anyone is willing to look through my code and see if they can find any problems. Thanks!

You can download the files here: [Link removed temporarily. Please read post by Admin.]
The zip file contains my code, example database files, php config file, and lighttpd config file.

Info on the server
Router:
Virtual server port 443 tcp only
OS:
Windows 7 Ultimate x86
Auto updates enabled
Server:
lightTPD WLMP 1.4.26-1 (SSL)
Self signed SSL cert
Only listening on port 443
PHP:
5.3.3 VC9 x86 Non Thread Safe
Fastcgi listening on 127.0.0.1:521
WinCache 1.1
sqlite3 PDO

Every time a page loads:

Check to see if the IP has been banned

• Load an array of banned IPs from a RAM cache
• Check for IP, if the user is banned die()

Check to see if the IP is flooding

• Increment a counter on every page request
• If a single IP has more than 10000 requests in 1 hr add their IP to the ban list

Check to see if they have an authorized session

• Check session vars for auth=true

Try to log them in with a cookie

• Read username and key from cookie
• Compare key to sha256("static salt"+"hashed password"+"ip"+"username")
• If key matches set auth=true

Check for login POST data

• Compare hashedpass to sha256("random salt"+"password"+"username"+"admin rights"+"static salt");
• if key matches set auth=true

For both cookie and POST check this first

• Make sure there account has been initialized
• Make sure there account does not have a pending password reset
• Make sure there is no ban date attached to their account
• Make sure failed login attempts is less than 6
• If there was a failed login attempt increment the counter for that username
• Don't display any failure messages

[Dwere]

[*]Compare key to sha256("static salt"+"hashed password"+"ip"+"username")
[*]If key matches set auth=true[/list]

Just curious here... I'm not an expert at web design, or programming commands etc.
However... this is both a question and a suggestion, depending on the ANSWER to my question.
"if key matches set auth=true"
Should there be - or is it implied that there is? - a piece of code stating "if key doesn't mat set auth=false" or not?
Just curious.

[Monica]

I'm sorry, I temporarily removed the link for download for review to ensure the safety of other users. You may re-upload the file.

[IncandescentLight]

Well, on the software side just keep your software up-to-date. Outdated software will be open to attacks as they contain vulnerable code which can be exploited by attacks such as Buffer overflows, stack-based buffer overflows etc.

On another note, check that your PHP code is Buffer-overflow proof. From experience, just spamming in a login page may sometimes let you in as administrator. Look for XSS vulnerabilities in your site map and keep operations on the server-side as much as possible so the client will not be able to manipulate data.

[Defience]

Necro......