I am creating a website that is using a perl script, PHP, a MySQL database, and HTML. My main concern is making sure there is not anyway someone can gain access to anything that give them access to my information. I mean is there anyway for someone to get my perl script and see my database information. I know about sql injection but I have no forms for information to be entered into. Is there anything I should keep in mind with this stuff.
is there anyway for someone to get my perl script and see my database information
This will only happen when the webserver doesn't parse/process the script and returns it as plaintext. Usually this parsing/processing only happens on specific file extensions like .pl for perl files and .php for PHP files. If you (or the hacker) renames it to .txt, the client will be able to obtain the entire script as plaintext. Nevertheless, if a hacker is able to rename it, it has access to the whole script anyway. This would then be done by a security hole in FTP or CMS.
Further, I've seen scripts which reads files (usually images or other static files) from (outside) the webapp context based on the path as a parameter. E.g. download.php?filename.ext If such a script doesn't do any sanity checks on the file path, a smart hacker may be able to obtain scripts as plaintext by download.php?%2Fserver%2Fhtdocs%2Fscript.php.
The breadth of this question is kind of overwhelming, but it's a great question and definitely important.
Much of the issues you are going to have with your server can be tied to server access itself, make sure you don't use any software you don't need. If you don't need a name server, turn off bind; same goes for ftp, even sendmail if you can. Use strong passwords and alternate ports if possible.
For PHP, see http://us3.php.net/manual/en/security.php and http://php-ids.org/; definitely use mysql_real_escape_string() and htmlentities().
For HTML/PHP/JS, see http://en.wikipedia.org/wiki/Cross-site_scripting
There is a lot to think about. I'd recommend trying to find a mentor to help you figure out what is important. I'm mentoring a guy right now and it helps him a lot even if I'm not perfect. SO can help, but a person you trust who can look at how you do things can make recommendations you just won't get here unless you post your entire code base.
Use placeholders for SQL, even PHP supports it.
Escape your output. Your templating system may help here.
Use cgi-bin directory. It really helps to protect accidental leaks. It is easy to make URLs without cgi-bin.
In Perl use taint mode, in PHP use hardened PHP.
Web application security is a big topic. However, you know about one of the biggest vulnerabilities out there, SQL Injection, so that's a good start.
A couple other big ones are Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF - "See-Surf")
XSS - http://en.wikipedia.org/wiki/Cross-site_scripting
CSRF - http://en.wikipedia.org/wiki/Csrf
As usual Wikipedia provides a good intro.
You may also want to look in to verifying request authenticity by using an HMAC
http://en.wikipedia.org/wiki/HMAC
Never ever trust any user input in any form.. Ever :)
The hard part is figuring out all the ways a user can supply input to your site..
Related
I know securing any website is a very tough and broad topic to be discussed upon but i want to relate this question to my specific website which i've been working on. It was coded in php by some other programmer around 2004 and i am responsible for it's management. My problem is it's being hacked time and again. I have noticed following things when it's been hacked.
.htaccess file has been modified
index.php and config.php files were modified
Admin password has been changed
Uploading files in server
changing file permission of files and folders
I have worked on the code, it has been properly escaped and i think there is no probability of sql injection. Since most of the problem is related to files and permission i have a doubt about the server security but due to the reason that it was coded around 2004 surely it will lack some security, so what other things do i need work upon in my code to prevent my site being hacked for above mentioned problems?
Thanks in advance.
Since files have been modified, this is unlikely due to SQL injection bugs.
Possibilities to get to the files:
Guess/steal your FTP password
Hack the server (you can't really do anything about that)
Insufficient isolation on the server, meaning other customers can change your files (you can't really do anything about that either)
Remote code execution bugs
Now since you say the website is from 2004, it could be that it uses eval for templating or include for things like site.php?section=foo and then include foo.php in the code somewhere which were both done frequently back in 2004. So I'd do a quick file search for eval and the regex include(.*\$.*) as well as require(.*\$.*). Those are prime suspects depending on how they were used.
Someone probably has direct access to the server, rather than to (a) script(s) in particular. This doesn't sound like a security issue having its origin in the codebase.
You might wanna consider moving the entire site to another provider if this has happened time and time again. Start over somewhere else, with fresh passwords, access control, etc.
OWASP top 10 is very good read. Some guesses of mine.
outdated OS which has vulnerabilities.
MySQL injection and maybe all password stored in plain-text which is very very bad. For authentication you should be using something like openID instead. Also when you have MySQL-injection you should pronto update code to use PDO(prepared statements) if possible.
read/write permissions not set properly or APACHE/PHP running at elevated level?
My advice to you is:
read up on information on OWASP. Then cleary look for flaws in your code. Every line could be source off problem. Maybe you should ditch old code, because very insecure?
reinstall your OS, because you could have a rootkit even?
Never use just shared hosting, use at least managed servers / keep the system up to date
Check your php.ini for security issues (that you can google)
Check your Apache/Nginx/... configs for overrides
Never communicate unencrypted with the server (use SFTP, SSH, ...)
Never trust external values (also from Cookies), always escape/cast those
Filter user input (remove line breaks, 0x00 characters, tags, ... where undesired)
Check all possibly existing user accounts for the server/database/...
Check if all services run as the correct user
Check file (write/execute) permissions in your web folders
Escape everything you show on the website, do not even trust your database data to be safe in any way
If you use 3rd party software, look out for security advisories
re-install the server, you might have been rooted
Use prepared statements
That's it;) This will enhance your security a lot, but experienced attackers are tough.
Let's say I have a website where
PHP 5.3 is installed
every output is htmlspecialchars()ed.
PDO and prepared statements are the only way to interact with the database
error_reporting() is off
every request is passed to index.php (front controller) and no direct file access is allowed except for index.php via .htaccess
every input is properly escaped (why should I? i use Prepared statements, how could an user input mess up with my code?)
there's no use of evil()
Is it considered safe? What other things could be fixed to improve security? How could you attack it? Hack it? PHP/Server side is possible to improve security?
Check this page : PHP Security Guide. Most attacks are documented. If after implementing these security checks, you're still hacked, there are high chances that the problem doesn't come from your PHP application.
By the way, as #Jacco stated, there is some wrong stuff on the article I linked to.
Use prepared statements instead of mysql_real_escape_string(), but you already did that.
About salting, follow this answer instead : https://stackoverflow.com/a/401684/851498
Finally, checking ['type'] (for file upload) is unsafe since a malicious user can change this value. Instead, see the suggested solution of this link : http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
I remember when I started web developing, I read allot about sanitizing data, creating numerous mysql users with a subset of permissions for specific queries, etc.
It gets you in the mindset of treating security with code, not with the operating system.
What use is all of this if you connect to your console with telnet, or use ftp with authentication?
I guess I should cut to the point. I think modern open source technologies such as php mysql etc have build up allot of security features, which gave me a false sense of security.
The damage you can do through these technologies is negligible compared to hacking into console with a brute force attack. If I were you I would worry much more about geting a proper firewal and only allowing port 80 or the bare minimum of ports you need. If you enable console access I would only allow your desktop IP... etc.
and make sure if you ever send a password, that it is encrypted through ssl
There is no absolute security guarantee, you can add the following to the answers above:
If you allow file uploads, make sure you do mime checking;
Make sure the public cannot upload an unlimited amount of files to
overload and eventually kill your server;
If you own the server make sure there are no other weak gates to your site, you can spend millions making your site bulletproof to any type of attack, but if someone gains access to it through another website hosted on the same server, you're out of luck;
Use a vulnerability scanner like acunetix, skipfish;
If you own the server make sure you stay up to date with the versions of the software running on your server (PHP/Apache/MySQL). Subscribe to get updates from the vendors;
If the budget allows it, you could offer a bounty to someone to find a security hole in a DEV release of your code;
Use a product like the following: https://www.cloudflare.com/features-security
security is a major concern for any product and it can not be achieved by some finger count policies but they are important so everywhere in the code think the negative possibilities and work against them to prevent them.
other thing you have to do
store sensitive data in encrypted formate in db
clean XSS every user input data
It is important to note that "safe" is a context-based term. It highly depends on your needs, and there are companies out there (I'm looking at you Google) who will not even consider installing PHP at all.
If you are working at a big company, I would recommend hiring the services of professionals.I heard from a friend that this company does sec checkups for all the big companies, which seems likely since they are the people that distribute Kali Linux.
https://www.offensive-security.com/offensive-security-solutions/penetration-testing-services/
There can be multiple other issues as well, such as session problems, sensitive information enumeration, authorization and authentication issues, and lot more. Issues like business logic bypass can not be resolved by traditional secure coding guidelines. However, looking at PHP Security Cheat Sheet and OWASP PHP Security Project would be a great help to understand the big picture of security issues.
You can learn more about exploiting PHP security issues and related attack techniques by solving the PHP security challenges by RIPSTech (https://www.ripstech.com/php-security-calendar-2017/) or by reading their writeups of real-world vulnerabilities found in popular PHP apps (https://www.ripstech.com/security-vulnerability-database/)
I'm currently building a website, using PHP, and looking into securing the website fully. Currently, and in the future, I don't plan on using SQL, or even user-submitted input anywhere on the website - the PHP pages are basically simply in place for ease in piecing together several different HTML fragments to create a full page, using requires.
What type of vulnerabilities, if any, should I be aware of to protect against?
There are no vulnerabilities in the situation you've outlined.
If you are using any query string variables to load pages, they may need to be secured. For example: article.php?page=php-page-security.
Otherwise just make sure that your server software is updated regularly to the latest versions, and access to the web server is properly secured. It sounds like your code is pretty basic and you aren't doing any processing in PHP, so you should be fine.
This is a huge topic that can't be answered in a single post. Some tips:
Secure physical access to your web server (your hosting provider should handle this)
Minimize remote access to the server. Setup a firewall, use proper passwords, regularly run updates
Secure your code (PHP and javascript). Make sure to "clean" any qstrings you might process and never use eval. Consider using a framework to simplify this step.
Keep server logs and review them regularly for mischief.
This is just a jumping point. A google search for "web application security" will turn up troves of information. Good luck!
Possible exploits are in the overall server security.
As you use PHP in that simple manner, there's a risk that you do not know it well enough and might overlook some hole: like user input option, or file access rights which would allow a bad guy to upload his php to the server.
PHP offers too much for a simple task of including files. More capabilities == more risk.
I'd use server-side includes for the sake of assembling several files into one web page, and just disable php — faster, more secure.
You should be sure that your software (e.g. webserver, operating system, PHP) is up-to-date, with the latest security patches and updates. You can also hide PHP (read the official guide or [search Google])(http://www.google.com/search?q=hiding+php)
By combining all the advice you get from the answers here, your application will be something more that perfectly safe.
As #Toast said, you had better block incoming traffic and only allow port 80 by using a firewall (Netfilter/iptables on Linux), except if you want to enable additional services, such as FTP.
And in case you want the data travelling between the server and the client to be safe, then HTTPS is the best solution.
If you're not basing the "piecing together" on any kind of user-provided data, and not including any user-provided data into the page, then you're about as vulnerable as a plain static .html file.
That means you're not doing:
include($_GET['pageName']); // hello total server compromise
or
echo "Hello, ", $_GET['username']; // hello cross-site-scripting!
and the like.
I am seeking a simple and best solution to manage user logins (username & password) in a private network (localhost) web page without setting up MySQL or any such database systems? I am running Apache with PHP. It will be helpful if anybody give a PHP demo.
Depends on your webserver. Assuming apache, htpasswd for basic auth could be all you need.
Authentication, Authorization and Access Control gives the information you need to get started.
If you are using localhost, then wouldn't everyone have access to the filesystem?
I think the simplest solution is .htaccess though.
There are other solutions like that, but I can't find nicer links right now:
http://webscripts.softpedia.com/script/Authentication/AuthMan-Free-42216.html
http://www.phpkode.com./scripts/item/passwdauth/
http://www.hotscripts.com/listing/htaccess-manager-lite/
http://www.hotscripts.com/listing/needlock-access-management-system/
http://www.hotscripts.com/listing/dirlock/ (Ooops. Too many hotscripts links. So just saying: not affiliated with that. :] And certainly not endorsing it!)
Anyway. These scripts store usernames and passwords into a .htpasswd file. This can be used independently from the PHP script. .htaccess and .htpasswd is common authentication scheme for Apache webservers. See this tutorial: http://www.javascriptkit.com/howto/htaccess3.shtml or the Apache manual: http://httpd.apache.org/docs/2.0/howto/auth.html
You could use the class itself for authentication, but it doesn't look very current. The login management tool might be useful to you. (But again: there are probably easier ones to find.)
Have a look at www.mykonosphotographs.com/musas/
I'm still in the process of writing a download page, but I can email you the script if you're interested. Use the contact from on the site.
It's a major modification to a single-password system written by someone else, and I've added lots of extra functionality which you can use or not, as you like.
Currently free. It won't be as soon as I've got the downloads page sorted! ;-)
Edit - too late! The downloads page is now sorted.
New URL - http://www.myksoftware.com
nope.
unless you want to save all information to files (like csvs)
but this could be a security threat if anyone got access to the files (which is easier than gaining access to a database)
php doc for reading csv file
You can hide almost anything by various means.
For example, if your webspace provider permits it you can place files outside of your root directory. You can place files in a directory with some weird name like "jdf83usadj300p", with no link to them other than in php, which is parsed by serverside software without the clientside software ever seeing it. You can place passwords in a config file, if you call it something like "config.php" and make the first line:-
; <? php die(); ?>
Only an idiot would use the various javaScript "protection" methods out there like making the password the name of the next file. .htaccess can be cumbersome and can put people off. Far better make it attractive using server-side software.
If passwords are likely to be attacked, ALWAYS encrypt them. NEVER pass passwords from one page to another by GET method unless already encrypted. POST is more secure. md5 encrypting for most purposes is good, with encryption in-built in PHP and many algorithms out there freely available for javaScript. SHA-256 is almost the best there is fo almost any purpose. I don't think the US DoD or the UK MOD would be satisfied with it, but your local sports club's website (or similar) isn't exactly going to be a high-profile target for hackers.
Incidentally, blasteralfred, I sent you an email update. Hope you got it. Good luck!
I asked a recent question regarding the use of readfile() for remotely executing PHP, but maybe I'd be better off setting out the problem to see if I'm thinking the wrong way about things, so here goes:
I have a PHP website that requires users to login, includes lots of forms, database connections and makes use of $_SESSION variables to keep track of various things
I have a potential client who would like to use the functionality of my website, but on their own server, controlled by them. They would probably want to restyle the website using content and CSS files local to their server, but that's a problem for later
I don't want to show them my PHP code, since that's the value of what I'd be providing.
I had thought to do this with calls to include() from the client's server to mine, which at least keeps variable scope intact, but many sites (and the PHP docs) seem to recommend readfile(), file_get_contents() or similar. Ideally I'd like to have a simple wrapper file on the client's server for each "real" one on my server.
Any suggestions as to how I might accomplish what I need?
Thanks,
ColmF
As suggested, comment posted as an answer & modified a touch
PHP is an interpretive language and as such 'reads' the files and parses them. Yes it can store cached byte code in certain cases but it's not like the higher level languages that compile and work in bytecode. Which means that the php 'compiler' requires your actual source code to work. Check out zend.com/en/products/guard which might do what you want though I believe it means your client has to use the Zend Server.
Failing that sign a contract with the company that includes clauses of not reusing your code / etc etc. That's your best protection in this case. You should also be careful though, if you're using anything under an 'open source' license your entire app may be considered open source and thus this is all moot.
This is not a non-standard practice for many companies. I have produced software I'm particularly proud of and a company wants to use it. As they believe in their own information security for either 'personal' reasons or because they have to comply to a standard such as PCI there are times my application must run in their environments. I have offered my products as 'web services' where they query my servers with data and recieve responses. In that case my source is completely protected as this is no different than any other closed API. In every case I have licensed the copy to the client with provisions that they are not allowed to modify nor distribute it. This is a legal binding contract and completely expected from the clients side of things. Of course there were provisions that I would provide support etc etc but that's neither here nor there.
Short answers:
Legal agreement, likely your best bet from everyone's point of view
Zend guard like product, never used it so I can't vouch for it
Private API but this won't really work for you as the client needs to host it
Good luck!
If they want it wholly contained on their server then your best bet is a legal solution not a technical one.
You license the software to them and you make sure the contract states the intellectual property belongs to you and it cannot be copied/distributed etc without prior permission (obviously you'll need some better legalese than that, but you get the idea).
Rather than remote execution, I suggest you use a PHP source protection system, such as Zend Guard, ionCube or sourceguardian.
http://www.zend.com/en/products/guard/
http://www.ioncube.com/
http://www.sourceguardian.com/
Basically, you're looking for a way to proxy your application out to a remote server (i.e.: your clients). To use something like readfile() on the client's site is fine, but you're still going to need multiple scripts on their end. Basically, readfile scrapes what's available at a particular file path or URL and pipes it to the end user. So if I were to do readfile('google.com'), it would output the source code for Google's homepage.
Assuming you don't just want to have a dummy form on your clients' sites, you're going to need to have some code hanging out on their end. The code is going to have to intercept the form submissions (so you'll need a URL parameter on the page you're scraping with readfile to tell your code that the form submission URL is your client's site and not your own). This page (the form submission handler page) will need to make calls back to your own site. Think something like this:
readfile("https://your.site/whatever?{$_SERVER['QUERY_STRING']}");
Your site is then going to process the response and then pass everything back to your clients' sites.
Hopefully I've gotten you on the right path. Let me know if I was unclear; I realize this is a lot of info.
I think you're going to have a hard time with this unless you want some kind of funny wrapper that does curl type requests to your server. Especially when it comes to handling things like sessions and cookies.
Are you sure a PHP obfuscator wouldn't be sufficient for what you are doing?
Instead of hosting it yourself, why not do what most php applications do and simply distribute the program to your client with an auto-update feature? Hosting it yourself is complicated, from management of websites to who is paying for the hosting.
If you don't want it to be distributed, then find a pre-written license that allows you to do this. If you can't find one then it's time to talk to a lawyer.
You can't stop them from seeing your code. You can make it very hard for them to understand your code, which is a good second best. See our SD PHP Obfuscator for a tool that will scramble the identifiers and the whitespacing in the code, making it much more difficult to understand.