Security issues

Hey everyone,
I have some security issues. Today I logged into my hosting account and saw a file named xx.txt in my webroot; inside it there was one line saying "hacked by xxx".

How is this possible? I have no file uploads on my website that allow uploading to the webroot, only to subfolders, and even that only for authenticated users whom I allow…
I've got a contact us page which has a few text/select fields; is it possible that it was done from there? Or is there anything else?

Also, what permissions should my webroot folder have?

At the moment it has write only for myuser;
it has read/exec for myuser, ISUR_myuser and Users.

Hope someone can help me.
Thanks.

For POST/GET stuff, for example, should I always use these on them? Is there anything else I should know?

$pageNum=stripslashes(strip_tags($_GET['page']));

Is it even possible for users to upload a file via POST/GET when there isn't even a file upload field?

Check who the owner of the file is. That can give you a clue as to whether it was uploaded via PHP or by another method.

Also, if you're using a 3rd-party platform, make sure it's up to date on security patches.

Too late to check for that already; I rushed to delete that file, unfortunately…
I don't use any 3rd-party platforms. I changed my hosting password anyway.
Now I only need an answer to the question above: is the code I showed necessary, and are there any other things I should take into account when using POST/GET?

Also, is there any tool I can use to scan my website for security holes?

strip_tags would protect against XSS only, which wouldn’t be how you got hacked. And stripslashes is only necessary if your PHP has magic quotes enabled, which it shouldn’t, and in any case, stripslashes certainly wouldn’t increase security.

If you want to know how you got hacked, you’ll have to get someone knowledgeable to do a full audit.

Hey, I tried to search for magic quotes in the phpinfo() output; I found these 3:
magic_quotes_gpc On
magic_quotes_runtime Off
magic_quotes_sybase Off

Is it the first one that you talked about?

Also, in some places in my script I'm using $_SERVER['PHP_SELF']. I saw some examples online that use it like this: htmlentities($_SERVER['PHP_SELF']). Why is that necessary?

Another question regarding this matter: I keep some data about the site visitors in a database whenever someone visits the website. I do it like this (at the beginning of every page):

mysql_query('INSERT INTO stats (IP, agent, lang, ref, visTime, currURL) VALUES ("'.$_SERVER['REMOTE_ADDR'].'", "'.$_SERVER['HTTP_USER_AGENT'].'", "'.$_SERVER['HTTP_ACCEPT_LANGUAGE'].'", "'.$refer.'", "'.time().'", "'.$_SERVER['REQUEST_URI'].'")');

My question is: are there any security holes here?

Yeah, there’s definitely a SQL injection security hole there.

You’ll need to read and learn fast.

http://php.net/manual/en/security.php

http://shiflett.org/php-security.pdf

Or take your site offline until you know security backwards and forwards.
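To make that hole concrete, here is an added example (not code from the thread) that rebuilds the stats INSERT from the question with a hostile User-Agent header spliced in, then records the same request through a PDO prepared statement, the fix Jeff points at below. The table name and columns are the ones in the question; the column types, the sample request values and the use of an in-memory SQLite database in place of MySQL are assumptions made so the script runs anywhere.

```php
<?php
// Added example, not from the thread. The User-Agent below closes the first
// VALUES row itself, appends a row of the attacker's choosing and comments out
// the rest of the query (MySQL treats "-- " with the trailing space as a comment).
// Constructed request; stands in for $_SERVER.
$request = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_USER_AGENT'      => '", "", "", 0, ""), ("6.6.6.6", "owned", "", "", 0, "/evil") -- ',
    'HTTP_ACCEPT_LANGUAGE' => 'en',
    'REQUEST_URI'          => '/index.php',
];
$refer = '';

// Vulnerable: the query from the question, assembled by string concatenation.
function buildQuery(array $r, $refer)
{
    return 'INSERT INTO stats (IP, agent, lang, ref, visTime, currURL) VALUES ("'
        . $r['REMOTE_ADDR'] . '", "' . $r['HTTP_USER_AGENT'] . '", "'
        . $r['HTTP_ACCEPT_LANGUAGE'] . '", "' . $refer . '", "' . time() . '", "'
        . $r['REQUEST_URI'] . '")';
}
echo buildQuery($request, $refer), "\n";
// ... VALUES ("203.0.113.5", "", "", "", 0, ""), ("6.6.6.6", "owned", "", "", 0, "/evil") -- ", "en", ...
// The attacker now writes whole rows. Any of those literals could instead be a
// subquery such as (SELECT password FROM users LIMIT 1), copying data from other
// tables into a stats row the attacker can read back wherever the stats are shown.

// Hardened: a prepared statement. The values travel separately from the SQL
// text, so quotes in a header are just characters in a string.
function recordVisit(PDO $pdo, array $r, $refer)
{
    $stmt = $pdo->prepare(
        'INSERT INTO stats (IP, agent, lang, ref, visTime, currURL)
         VALUES (:ip, :agent, :lang, :ref, :visTime, :currURL)'
    );
    $stmt->execute([
        ':ip'      => $r['REMOTE_ADDR'],
        ':agent'   => isset($r['HTTP_USER_AGENT']) ? $r['HTTP_USER_AGENT'] : '',
        ':lang'    => isset($r['HTTP_ACCEPT_LANGUAGE']) ? $r['HTTP_ACCEPT_LANGUAGE'] : '',
        ':ref'     => $refer,
        ':visTime' => time(),
        ':currURL' => $r['REQUEST_URI'],
    ]);
    return $stmt->rowCount();
}

// In-memory SQLite with the question's columns (types assumed). For MySQL use
// new PDO('mysql:host=localhost;dbname=site;charset=utf8', $user, $pass, $options)
// and add PDO::ATTR_EMULATE_PREPARES => false so the server binds the values.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE stats (IP TEXT, agent TEXT, lang TEXT, ref TEXT, visTime INTEGER, currURL TEXT)');

echo recordVisit($pdo, $request, $refer), " row inserted\n";                          // 1 row inserted
echo $pdo->query('SELECT COUNT(*) FROM stats')->fetchColumn(), " row(s) in stats\n";  // 1 row(s) in stats
echo $pdo->query('SELECT agent FROM stats')->fetchColumn(), "\n";
// The hostile header is stored verbatim as data; it was never parsed as SQL.
```

The first printed line shows the injected row sitting inside the query text; the prepared statement stores one row whose agent column contains the whole hostile string. Note that the header is still untrusted after it is stored safely: escape it again when it is printed on a stats page.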

Hi, have you ever SSH'ed into the server using an insecure connection, i.e. not using HTTPS, SSL, OpenVPN or an IPsec VPN?

Unsecured SSH sessions are very easy to hack.

Steve

Hey Steve, I'm always connecting to my host through HTTPS.

Jeff, I've read the links you gave, thanks, but still none of them talk about why the $_SERVER stuff is dangerous.

A lot of those values are sent from the browser, and therefore are under the user’s control. The user agent and accept language, for example.

So how can I save it to my database in a more secure way?

Also, I read in one of the links you gave that it's good practice to keep all errors in a log file instead of displaying them directly on the screen, also so I'll be able to see where the errors are and fix them. I did it this way: errors stop being displayed on screen (I made one on purpose), but they aren't getting saved to the log file…

ini_set('error_reporting', E_ALL);
ini_set('display_errors','off');
ini_set('log_errors', 1);
ini_set('error_log', 'log.txt');

Hey guys, anyone to answer my questions from the post above?

Also this question:

Also, in some places in my script I'm using $_SERVER['PHP_SELF']. I saw some examples online that use it like this: htmlentities($_SERVER['PHP_SELF']). Why is that necessary?

So how can I save it to my database in a more secure way?

mysql_real_escape_string is sufficient. PDO (http://www.php.net/manual/en/book.pdo.php) prepared statements (http://www.php.net/manual/en/pdo.prepared-statements.php) are better.

…not getting saved in log file…

According to the PHP docs, runtime settings (with ini_set()) won't have any effect if the script has fatal errors, because the desired runtime action does not get executed.

…htmlentities($_SERVER['PHP_SELF']), why…

Anytime you output a value to HTML, you need to escape any HTML special characters. In the case of a URL, that usually means ampersands.
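As an added illustration of that last point (not code from the thread): PHP_SELF carries any extra path the client appends after the script name, so echoing it raw into a form's action attribute lets a crafted link inject markup. The script name, the hostile path and the form markup are constructed for the example.

```php
<?php
// Added example, not from the thread. On servers that accept extra path info
// (e.g. Apache with AcceptPathInfo), a request for
//   /contact.php/"><script>alert(document.cookie)</script><a%20x="
// arrives with $_SERVER['PHP_SELF'] set to this (constructed) value:
$phpSelf = '/contact.php/"><script>alert(document.cookie)</script><a x="';

// As found in many tutorials: the raw value lands inside an attribute.
function formTagUnsafe($phpSelf)
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Escape on output: & < > " ' become entities, so the value can neither end
// the attribute nor open a tag. htmlentities() does this too; htmlspecialchars()
// is enough because only those five characters matter in HTML.
function formTagSafe($phpSelf)
{
    return '<form method="post" action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

echo formTagUnsafe($phpSelf), "\n";
// <form method="post" action="/contact.php/"><script>alert(document.cookie)</script><a x="">
// The attacker's quote closed the attribute; the script runs, in your site's
// origin, for every visitor who follows that link.

echo formTagSafe($phpSelf), "\n";
// <form method="post" action="/contact.php/&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&lt;a x=&quot;">

// The same rule applies to $_SERVER['REQUEST_URI'] and to the contact form's
// own fields whenever they are echoed back into the page.
```

The escaping belongs at the point of output, not on input: strip_tags() on the way in changes the data and still leaves quotes intact, which is all the example above needs.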

@ulthane

The header values that you are using directly should be cleaned first and then used. Prepared statements, as @Jeff Mott recommends, are a good way to escape 'bad' values in the database, but you may be using the header values in other ways, such as in sessions, and then you get into a number of other types of attack vector.

The one article that @Jeff Mott recommended, http://shiflett.org/php-security.pdf, has very clear examples if you are not familiar with the types of attack vector that PHP apps tend to be vulnerable to if not treated correctly.

Regards,
Steve

OK, thank you guys, I think I've got it secured enough for now :slight_smile:

Hmm, well, I've had the settings I wrote above for a few days now and nothing gets written to the log file. Did I really do it the right way?

ini_set('error_reporting', E_ALL);
ini_set('display_errors','off');
ini_set('log_errors', 1);
ini_set('error_log', '/log.txt');

Also, does ini_set accept an absolute path, or must it be relative?

No one knows how to save errors into log files…?

The code you posted in post #12 worked fine for me, provided the error was not a fatal error.
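For the logging question, here is an added example (not code from the thread) with the same four ini_set() calls, an absolute path built from __DIR__, a check that the web server account can actually write the file, and a deliberate non-fatal error so there is something to log. The log location is an assumption.

```php
<?php
// Added example, not from the thread. Relative paths given to error_log are
// resolved against the PHP process's working directory, which under a web
// server is rarely the script's own folder; __DIR__ pins the file next to this
// script. In production point it outside the webroot so it cannot be downloaded.
$logFile = __DIR__ . '/log.txt';   // assumed location

ini_set('error_reporting', E_ALL);
ini_set('display_errors', '0');    // 'off' is also accepted; '0' is the documented form
ini_set('log_errors', '1');
ini_set('error_log', $logFile);

// The web server's account (IUSR_... on IIS, www-data/apache on Linux) needs
// write access to the file, or to the folder if the file does not exist yet.
function logFileWritable($path)
{
    return file_exists($path) ? is_writable($path) : is_writable(dirname($path));
}

if (!logFileWritable($logFile)) {
    // error_log() would fail silently here, so this is the only place to say so.
    echo "Cannot write to $logFile; grant the web server account write access to its folder\n";
}

// A deliberate non-fatal error: this one is logged to $logFile.
$copy = $noSuchVariable;                    // undefined variable notice/warning
error_log('manual entry: ' . date('c'));   // explicit messages go to the same file

// What these settings cannot catch: a parse error or a fatal compile-time error
// in this file is raised before any line of it runs, so none of the ini_set()
// calls are in effect yet. For those, put log_errors and error_log in php.ini,
// an .htaccess php_value line (mod_php) or a .user.ini (CGI/FastCGI), which are
// read before the script starts.

echo file_exists($logFile) ? file_get_contents($logFile) : "(nothing logged)\n";
```

Run it once from the browser and once from the command line: if the file appears only for the command-line run, the web server account lacks write permission on the folder, which is the usual reason the original four lines produce nothing.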

Well, I tried again; the error does get hidden from the screen, but it's not getting written to my log file and I've got no clue what I'm doing wrong… Does the folder need write privileges? Does the path need to be absolute or relative?