My Sites Hacked

alirezaok

very bad happen

i made a cms and desgined some site with it but today one hacker groups hacked all of them! 🙁

the hacker group dosn't help me for find security problem in my script and also i could not

find it.
i descript my cms scripts and thanks for any one can help me :
i use of register_globals = Off

the cms has 2 section
1- visitor interface
2- admin interface

1- visitor interface

in visitor interface there is index.php. when it runs it include template/index.htm and then replace some keywords with the result that comes form database. then shows it.

2- admin interface /admin

in admin iterface there is a form for get username and password. then it send it to

phpselfpage page:

index.php:


session_start();
$username=addslashes($_REQUEST["username"]);
$password=md5(addslashes($_REQUEST["password"]));
if(isset($username) & isset($password)) {
require_once"../include/common.php";
$sql = mysql_query("SELECT password FROM user WHERE username = '$username'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);
$username=stripslashes($username);
$password=stripslashes($password);

if($numrows != "0" & $password == $fetch_em["password"]) {
$validuser = 1;
session_start();
$_SESSION['username']=$username;
$_SESSION['password']=$password;
$_SESSION['validuser']=$validuser;
header("location: home.php");
exit();
}
}

if ($_SESSION['validuser']) {
unset($_SESSION['username']);
unset($_SESSION['password']);
$_SESSION = array();
session_destroy();
}

Here is HTML Form

common.php:

$DBhost = "localhost";
$DBuser = "USERNAME";
$DBpass = "PASSWORD";
$DBName = "cms";
$dbh = mysql_connect($DBhost,$DBuser,$DBpass) or die("Unable to connect to database");
mysql_query("SET NAMES utf8");
mysql_query("SET CHARACTER_SET utf8");
mysql_select_db("$DBName",$dbh) or die("Unable to select database $DBName");

home.php:

require_once"include/session.php";
require_once"../include/common.php";

some html links to other pages in admin area

session.php:

$expire_time=2500;
ini_set("session.gc_maxlifetime",$expire_time);
session_start();  	
if ($_SESSION['validuser']!=1) header("location: index.php");

all of pages in admin area include session.php that linked to them in home.php.
also there is a logout link to in index.php in home.php

the hacker can change some records that can change in admin area pages.

i am wating for answer
Thanks

sneakyimp

looks to me like your home.php page doesn't prevent anybody from accessing it. the first thing in there should be some code to make sure the user is actually logged in.

alirezaok

what i do? how does hacker access to this page? (because $validuser for him is 0 in session.php)

halojoy

in a couple of places,
shouldnt & be &&
for example

if(isset($username) & isset($password)) {

halojoy

also
when you make a header redirect
dont forget to make an exit; .. to make sure script will end alright

if ($_SESSION['validuser']!=1){
header("location: index.php"); 
exit;
}

renob

you should also put this at the top of pages that you dont want people using directly

if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
    exit('Access Denied');
}

Or you can do it a redirect also like so:

if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
    header("location: index.php");
exit; 
}

sneakyimp

what does that realpath stuff do??

renob

its like saying home/user/dir/dir/filename.php

alirezaok

can i save this in one file then include it to all pages?

kakki

you can make sure that everybody runs the first page only with

define( 'noHack', true )

in index.php

and then add to all included files

if ( ! defined( 'noHack' ) )
{
die ( 'no hack pls' );
}

kakki

now what about ftp-access,
can u upload sth and then set the setuid-bit?
i heard from a hack where somebody uploaded /bin/bash and then setuid-bit to "ftp"
and then called that with php-system to get ALL files in ALL web-folders ...

Weedpacket

From the usernotes in the [man]addslashes[/man] manual page:

unsafed
01-May-2005 03:23
addslashes does NOT make your input safe for use in a database query! It only escapes according to what PHP defines, not what your database driver defines. Any use of this function to escape strings for use in a database is likely an error - mysql_real_escape_string, pg_escape_string, etc, should be used depending on your underlying database as each database has different escaping requirements. In particular, MySQL wants \n, \r and \x1a escaped which addslashes does NOT do. Therefore relying on addslashes is not a good idea at all and may make your code vulnerable to security risks. I really don't see what this function is supposed to do.

Also (after a quick spot of searching through Google): http://shiflett.org/archive/184

alirezaok

http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html says mysql_real_escape_string is not safe

alirezaok

do u know mysql_real_escape_string is safe for utf8 encoding?