#1
  1. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,687
    Rep Power
    171

    Please attack this page, rate the security.


    Hello Devshed;

    I was wondering if you can help me find security holes in this page I'm making.

    I want to make it secure, of course I am not talking bank secure, but reasonably secure!

    It checks the database to make sure the email address you are inserting is not already there. So here's a chance to break the database. Also xss attacks are welcome too.

    Please write your feed back so I can work on it more and make it secure enough.

    Thank you.
  2. #2
  3. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    Location
    North Yorkshire, UK
    Posts
    3,661
    Rep Power
    4124
    So, I can create a member with garbage inputs, no validation or confirmation required

    This could be automated to generate 1000's of users

    Once logged in I could delete a photo. Your delete action was based on links, so your site fails of XSRF straight away (even when the action is based on post, some anti-XSRF token is required to prevent this, b ut when its on links the attack is soooo much easier)

    I couldn't upload an image
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    it would make more sense to let somebody review the code. A professional penetration test isn't trivial and requires a lot of effort, so I doubt that anybody here can and will do it for free.

    Anyway, after playing around, I've found two strange reactions:

    When I input "<script>alert(0)</script>" into any text field, I'm redirected to a "403 forbidden" page with strange text:

    Code:
    Error 403: Forbidden
    Your PHP settings have been disabled by an H-Sphere administrator.
    
    Your current PHP configuration:
    -->
    This configuration was changed:
    Please bring your PHP configuration in compliance with admin settings or request your administrator to re-enable support of your settings.
    
    You don't have permissions to access this page. This usually means one of the following:
    
    this file and directory permissions make them unavailable from the Internet.
    .htaccess contains instructions that prevent public access to this file or directory.
    Please check file and directory permissions and .htaccess configuration if you are able to do this. Otherwise, request your webmaster to grant you access.
    Other JavaScript stuff will be removed. I guess this is some security feature, but I don't see why it should redirect to an error page.

    When I try to upload an invalid file type, I get a PHP error on the upper left corner:

    Code:
    A PHP Error was encountered
    
    Severity: Warning
    
    Message: finfo_open(): Failed to load magic database at ''.
    
    Filename: libraries/Upload.php
    
    Line Number: 1035
    Last edited by Jacques1; November 7th, 2012 at 05:27 AM.
  6. #4
  7. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,687
    Rep Power
    171
    Originally Posted by Northie
    So, I can create a member with garbage inputs, no validation or confirmation required
    I am adding email confirmation feature now, it is a good idea. And probably a cron job to remove uncomfirmed emails after 3 days.
    Originally Posted by Northie
    Once logged in I could delete a photo. Your delete action was based on links, so your site fails of XSRF straight away (even when the action is based on post, some anti-XSRF token is required to prevent this, but when its on links the attack is soooo much easier)
    I left that open cause I am running some tests on codeiginters upload features. Ive got some issues with php settings on my server, just gonna write them for Jacques1 as he found 2 issues.
    Originally Posted by Northie
    I couldn't upload an image
    That is strange! What kind of image? jpeg? Did you get an error message?
    Thanks
  8. #5
  9. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,687
    Rep Power
    171
    Originally Posted by Jacques1
    Hi,

    it would make more sense to let somebody review the code. A professional penetration test isn't trivial and requires a lot of effort, so I doubt that anybody here can and will do it for free.
    Of course. Just for the record : )
    PHP Code:
    <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

    class 
    Gallery extends CI_Controller
        
    {
        
        protected 
    $current_photos=0;
        public function 
    index()
            {
                
    $data['title'] = "Gallary Page";
                
    $data['upload_data']="";
                
    $data['photos']='';
                
    $data['photos_message'] = "No message";
                
    $this->load->vars($data);
                if(
    $this->input->post('submit'))
                    {
                        if(
    $this->load_photos())
                            {    
                                
    $this->do_upload();
                            }
                    }
                else
                    {
                        
    $this->load_photos();
                    }
                
                
    $this->view_things();
            }
        
        function 
    do_upload()
            {
                
    $config['upload_path'] = 'uploads/';
                
    $this->load->model('add_photo_model');
                
    $data['new_photo'] = $this->add_photo_model->new_photo_name();
                
    $config['file_name']  = $data['new_photo'];
                
    //$config['overwrite']  = TRUE;
                
    $config['allowed_types'] = 'gif|jpg|png';
                
    $config['max_size']    = '1500';
                
    $config['max_width']  = '1024';
                
    $config['max_height']  = '1000';
                
                
    $this->load->library('upload'$config);
            
                if (!
    $this->upload->do_upload())
                    {
                        
    $data['upload_data'] = $this->upload->display_errors();
                        
    $this->load->vars($data);
                    }
                else
                    {
                        
    $photo['details']= array('upload_data' => $this->upload->data());
                        
    $this->add_photo_model->add($data['new_photo']);
                        
                        
    $data['upload_data'] = "The photo has been uploaded successfully";
                        
    $this->load->vars($data);
                        
    $this->resize($data['new_photo']);
                    }
            }
        
        public function 
    resize($photo)
            {
                
    $config['image_library'] = 'gd2';
                
    $config['source_image'] = 'uploads/'.$photo;
                
    $config['new_image'] = 'uploads/thumb_'.$photo;
                
    $config['maintain_ratio'] = TRUE;
                
    $config['width'] = 220;
                
    $config['height'] = 220;
                
    $this->image_lib->initialize($config);
                
    $this->load->library('image_lib'$config);
                
                if (!
    $this->image_lib->resize())
                    {
                        
    $data['resize_errors'] = $this->image_lib->display_errors();
                    }
                else
                    {
                        
    $this->do_watermark($photo);
                        
    //redirect(site_url()."gallery");
                    
    }
            }
            
        public function 
    do_watermark($photo)
            {
                
    $config['source_image'] = 'uploads/thumb_'.$photo;
                
    $config['new_image'] = 'uploads/thumb_water_'.$photo;
                
    $config['wm_text'] = 'Behnam';
                
    $config['wm_type'] = 'text';
                
    $config['wm_font_path'] = './system/fonts/texb.ttf';
                
    $config['wm_font_size'] = '14';
                
    $config['wm_font_color'] = 'ffffff';
                
    $config['wm_vrt_alignment'] = 'bottom';
                
    $config['wm_hor_alignment'] = 'center';
                
    $config['wm_padding'] = '5';
                
    $this->image_lib->initialize($config);
                
    $this->image_lib->watermark();
                
    redirect(site_url()."gallery");
            }
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
            
        public function 
    load_photos()
            {
                
    $this->load->model('load_photos_model');
                
    $photos $this->load_photos_model->check();
                if(
    $photos)
                    {
                        
    $this->current_photos=$photos['number_of_rows'];
                        foreach(
    $photos['results'] as $val)
                            {
                                
                                    
    $data['photos'][]=$val->photo.",".$val->id;
                            }
                        
    $data['photos_message'] = "There are ".$this->current_photos." photos uploaded so far<br />";
                        
    $this->load->vars($data);
                        if(
    $this->current_photos<150)
                            {
                                return 
    true;
                            }
                        else
                            {
                                
    $data['photos_message'] = "Limit! There are already ".$photos['number_of_rows']." uploaded!";
                                
    $this->load->vars($data);
                            }
                    }
                else
                    {
                        
    $data['photos_message'] = "There are no photos uploaded yet!";
                        
    $this->load->vars($data);
                        return 
    true;
                    }
            }
        
            
        public function 
    delete($photo)
            {
                
    $this->load->model('load_photos_model');
                
    $delete $this->load_photos_model->delete($photo);
                if(
    $delete)
                    {
                        
    unlink('uploads/'.$photo.'.jpg');
                        
    redirect(site_url()."gallery");
                    }
                else
                    {
                        
    redirect(site_url()."gallery");
                    }
            }    
         public function 
    view_things()
            {
                
    $this->load->view('header_view');
                
    $this->load->view('gallery_view');
                
    $this->load->view('footer_view');
            }
    }
    Originally Posted by Jacques1
    Anyway, after playing around, I've found two strange reactions:

    When I input "<script>alert(0)</script>" into any text field, I'm redirected to a "403 forbidden" page with strange text:

    Code:
    Error 403: Forbidden
    Your PHP settings have been disabled by an H-Sphere administrator.
    
    Your current PHP configuration:
    -->
    This configuration was changed:
    Please bring your PHP configuration in compliance with admin settings or request your administrator to re-enable support of your settings.
    
    You don't have permissions to access this page. This usually means one of the following:
    
    this file and directory permissions make them unavailable from the Internet.
    .htaccess contains instructions that prevent public access to this file or directory.
    Please check file and directory permissions and .htaccess configuration if you are able to do this. Otherwise, request your webmaster to grant you access.
    Other JavaScript stuff will be removed. I guess this is some security feature, but I don't see why it should redirect to an error page.
    This is due to my server setting, as I am sharing the hosting they dont allow my htaccess changed! I am currently working on this. Thanks for picking this up. FOr me it worked fine locally so I was sure it is ok online too!
    Originally Posted by Jacques1
    When I try to upload an invalid file type, I get a PHP error on the upper left corner:

    Code:
    A PHP Error was encountered
    
    Severity: Warning
    
    Message: finfo_open(): Failed to load magic database at ''.
    
    Filename: libraries/Upload.php
    
    Line Number: 1035
    Again, php version is 5.2 which is dated and not compatible with Codeigniters latest version. FOr now I changed the upload class and asked the server to upgrade my php.

IMN logo majestic logo threadwatch logo seochat tools logo