php hacker ;[

Anon

i have recieved numorous threatening letters from an alleged "hacker" who says he can take down my site with a PHP exploit (either using exec() or sys()). he says he was going to hit my site when it reopens, and deface it with a php root attack. My Website is www.odsource.com, can somebody please go there and try to hack it, and tell me how to fix its security, if theres a hole?

--mark

brandonschnell

can't check the security if there isn't anything of substance there.

Anon

Check out this article on security issues of PHP:
http://softwaredev.earthweb.com/script/article/0,,12063_918141,00.html

Maybe it will help you to identify possible security holes in your site.

Jamie

[deleted]

Send the letters to the police, computer-crime-department, and inform your hacker that you have done so. Hacking and threatening to hack as a criminal offence.

How did you receive those letters? snailmail or email?

Anyway, there are tons of little things you can do to block that pathetic hacker.

Point one: he can't hack through system() or exec() unless you were 'foolish' enough to write code that uses GET or POST data in system() or exec() functions.

PS a PHP Root attack? flash talk from a prankster? have you had an argument with anybody lately?

Anon

Point one: he can't hack through system() or exec() unless you were 'foolish' enough to write code that uses GET or POST data in system() or exec() functions.

I noticed the new releases of php don't enable register-globals, to stop people doing this...

Other things to be aware of, are passing filenames in the querystring. I found one of our own clients sites used this, I type a few things, and could not only view the etc/password file, but and other file on the server, that I shouldn't have had access to. This was perl, but the same counts for php.

Anon

Maybe someone can explain this...? A quote from that article:

===
Indeed, imagine the following scenario:

$tempfile = "12345.tmp";

...

do something with $tempfile here

and some form processing

...

unlink ($tempfile);

Even if you handle $tempfile safely before unlinking it, the last statement is still very dangerous. An attacker can craft his or her own form containing a field similar to:

PHP will insert the field name in the global namespace as $tempfile, thus overwriting the original value of the variable. Later, we will consider a way to protect against this kind of attack by configuring PHP not to make external variables globally available.

Now I'd say that's safe, since $tempfile is set within the script, and therefore overwrites the post/get/cookie/session variable. Is that not correct?!

Anon

Another bit:

===
mysql_db_query ($DB, "SELECT something
FROM table

WHERE name=$username");

surely that wouldn't work without quotes anyway? and since php automatically escapes and quotes in there, they can't do anything funny with quotes in...??

[deleted]

Indeed, that is perfectly safe.

all POST and GET vars are registered BEFORE the script starts, so even if the hacker puts $tempfile into a POST or GET method, it will be overwritten by whatever YOU put in.

[deleted]

Indeed, a bad example.

And the theory behind it is also wrong.

PHP's database functions let you execute one query at a time.
SO if you use a query like:

SELECT * FROM table; DROP TABLE table

you simply get an error from your database, stating that there is a parse error near ';'

The guy that wrote that article needs to do some more research.

[deleted]

"The way PHP handles user-uploaded files can also be problematic. The reason for this is that PHP will define a global variable that has the same name as the file input tag in the submitted Web form. PHP will then create this file in a temporary directory and store the upload there, but it will not check whether the filename is valid. An attacker can craft his or her own form specifying the name of some other file and submit it. PHP will then process that other file, which may contain sensitive information. "

PHP creates a file with a temporary filename, the real filename is never used, it is just put in a var for reference.

The article is riddled with errors, so my advice would be to just ignore it.

Anon

That's what I was thinking. I don't think a single bit of it was right. Looks more like an uneducated paranoid wannabe programmer! 🙂

Anon

I'd go as far to say my 12 year old friends know more about php than the guy that wrote that article... 🙂

[deleted]

he does have a point about some things, but most of it is just plain wrong.

BTW there is a notice at the bottom that rectifies the mysql error, but why doesn't he just change the article?? sigh

Anon

hehe!! And he says that data should still be filtered! For filenames etc., yeh, but since apostrophies are escape'd anyway (probably needs something enabling, but mine is on by default), I think it's perfectly safe to use user strings in sql queries.

[deleted]

Indeed. You can put untreated quotes in the sql statement, but that will just trigger a parse error. Addslashes will make sure the string gets inputted as a string, and not interpreted as code.

Anon

The most common security mistake you can make is passing data around in forms that shouldn't be there.

There was an article on the reg the other day (www.theregister.co.uk) that said that you could solve the security issue presented by passing a SQL query in a GET method (i.e. postpended on an url like so: somepage.html?sql=insert+into+name+values('stan') (probably not a correct URL because we need to URLENCODE it, but you get the idea) by changing to a post method. (i.e. not visible as part of the URL).

But the problem here isn't HOW we're passing the query, it's that we're passing it period.

If what you want to do is insert the name, then the only thing the form should feed you is the name. Period. Not the column name, not the table name, not the database name.

the other common mistake is using an undefined variable to concatenate data on the end.

If we have a look like this:

for ($i=0;$i<$var;$i++){
$data.=$somefield[$i];
}

we need to have a line like this above it:

$data="";

or if (isset($data)) unset ($data);

to clear it.

In short, treat everything that comes from the user agent with suspicion, because even if they aren't trying to hack you, since TCP/IP and http do NOT have error checking in them to make sure the data that got transmitted was the correct data, you can't be sure of what you're getting.

Another common mistake is to put the data in a drop down, then refer to that.

I.e. let's say we do this:

select buildings from options:
result set:
"building a"
"building b"
"building c"

then we build a select box with it:

[select name=choice]
[option value="building a"]a[/option]
[option value="building b"]b[/option]
[option value="building c"]c[/option]
[/select]

Now, after receiving the data back from the form, we build a sql query from it like so:

insert into userdata (location) values ('$choice');

We are taking the data from the drop down, and inserting it right into the database.

This is just wrong on many levels, but many folks do it.

Better to do it this way:

select id, buildings from options;
1,"building a"
2,"building b"
3,"building c"

then our select box has options that look like this:

[option value=1]a[/option]

and so on.

Our insert is now changed to:

insert into userdata (location) values ($choice);

With a foreign key constraint on the userdata table's locate (now an integer, not a text field) pointing to the options table's id field, even if things go wrong, the worst that can happen is that the wrong building will get entered, not garbage or a non-existant building like "McDonald's Playland" or something.

So, in closing, always pass a REFERENCE to data you already have, not the data. It's much more likely to get corrupted if you're tossing the actual data around in forms when you don't need to.

Anon

thanks everyone; i have notified my host, and he is going to take care of it. Additionally, would it be smart to disable the system() and exec() functions in php.ini, or should i just not worry about those (i never code with those functions anyway).

Anon

my php add's slashes itself, I just stick variables in the sql. When I output to the page, any variable that came from an external source, I have to use stripslashes()!!

Anon

if you don't use them, you don't need to worry.

Some of the info in Scott's post is good, you should take note of it. You should never use text in select boxes! 🙁 (unless you're being lazy, and the option is just being emailed to someone, in which case it saves some work, and can't really mess up any database links).

Another thing people don't seem to do, is using keys. EVERY table I ever create will have a primary key (usually the table name _key), this way when editing/deleting stuff, you don't have to do silly queries that use the contents of the record. Sounds silly, but it does happen!!

[deleted]

Well, poo happens :-)

Does that auto-slash thing work with postgres/Oracle/Informix?