1. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 1999
    Location
    Brussels, Belgium
    Posts
    14,642
    Rep Power
    4476
    Originally Posted by MaierMan
    Sure, learning from mistakes.

    But the 2nd attack (posting random threads) is also possible by simply letting users click on a link.
    And links might be done even when disallowing raw html.
    The cookie and session of that user is valid, thus vB will accept the unwanted request to post the thread.
    I'm not able to replicate this. I think vb now uses a "posthash" that's generated when you request to create a new thread. That hash has to match when you submit the data. So using a URL passing GET parameters isn't going to work unless you can match that "posthash".

    ---John Holmes...
    -- Cigars, whiskey and wild, wild women. --
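
A per-form token check of the kind the post above describes, as an added example that is not part of the original thread and is not vBulletin's code. The function names, the `newthread` form id and the 30-minute lifetime are assumptions; only the `posthash` field name comes from the post.

```php
<?php
// Added example: one-time form token that must match on submit (hypothetical names).
session_start();

// Called when the "new thread" form is rendered: mint a token and remember it server-side.
function issue_form_token(string $formId): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$formId] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Called on submit: the token must exist, be fresh and match. It is consumed either way.
function verify_form_token(string $formId, $submitted, int $maxAge = 1800): bool
{
    $stored = $_SESSION['form_tokens'][$formId] ?? null;
    unset($_SESSION['form_tokens'][$formId]);           // single use, even on failure
    if ($stored === null || !is_string($submitted)) {
        return false;                                   // missing token, or posthash[]=x
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;                                   // stale form
    }
    return hash_equals($stored['value'], $submitted);   // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // A link clicked by a logged-in user is a GET and carries no token, so it never gets here
    // with a valid posthash; the session cookie alone is not enough.
    if (!verify_form_token('newthread', $_POST['posthash'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing form token.');
    }
    exit('Thread accepted.');   // the real handler would store the thread at this point
}

$token = issue_form_token('newthread');
?>
<form method="post">
  <input type="hidden" name="posthash" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="title">
  <button type="submit">Post</button>
</form>
```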
  2. <? unset($sanity) ?>
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2003
    Posts
    613
    Rep Power
    11
    Originally Posted by Sepodati
    I'm not able to replicate this. I think vb now uses a "posthash" that's generated when you request to create a new thread. That hash has to match when you submit the data. So using a URL passing GET parameters isn't going to work unless you can match that "posthash".

    ---John Holmes...
    I wrote a chatroom security script, and I was going to use something similar, but never did. I'm sure it would be very effective.
    "I haven't failed, I've found 10,000 ways that won't work."
    - Thomas Edison

    -=Rick=-

  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Location
    England
    Posts
    60
    Rep Power
    11
    A way to get round people using remote scripts in your pages, an alternate way of the $page including system that is on the first page.

    First you need to do this - this checks to see if a page is already set so it can load it, if not load a default one (home)

    PHP Code:
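    // Starting up page system: fall back to the default page (home) when none is requested
    if (!isset($_GET['page']) || empty($_GET['page']))
    {
        $page = 'home';
    }
    else
    {
        // read the same key that was checked above
        $page = $_GET['page'];
    }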

    Then wherever you want the page to be included, do this:

    PHP Code:
    include('folder/'.$page.'.php'); 
    Therefore the file has to be on your server and it saves you adding .php all the time in links
  4. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2004
    Location
    US
    Posts
    90
    Rep Power
    11

    Question


    Just curious about linuxaator's use of $id=(int)$id; to prevent hacking.

    I have not used this in PHP thus far. What does "(int)" before a variable do? And would this really help with security?

    Thanks!
  5. Contributing User
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jun 2004
    Posts
    1,124
    Rep Power
    158
    Originally Posted by nuLime
    Just curious about linuxaator's use of $id=(int)$id; to prevent hacking.

    I have not used this in PHP thus far. What does "(int)" before a variable do? And would this really help with security?
    It doesn't prevent hacking, it only ensures that $id is now an integer and nothing else.

    (int)5 => 5
    (int)5.5 => 5
    (int)"5abc" => 5
    (int)"abc" => 0

    So, if you're expecting an integer value from a form input, then casting it to an integer using (int) will ensure that's what you have. You still need to validate its range, though, depending upon your application.

    Dopes
    I am nothing now
    and I'll be nothing when
    this nothing world
    has it's nothing end.
    -- Violent Femmes
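
The cast and the range check from the post above, side by side, as an added example that is not part of the original thread. `parse_id()` and the 1..100000 range are assumptions for illustration; the sample inputs are constructed.

```php
<?php
// Added example: (int) coerces whatever it is given, FILTER_VALIDATE_INT rejects what is
// not an integer and enforces the range in the same step.

// Returns the integer when $raw is a well-formed integer within [$min, $max], otherwise null.
function parse_id($raw, int $min = 1, int $max = 100000): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                        // arrays (id[]=1), null and floats are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;      // strict check: 0 is a valid int, false is not
}

// Constructed sample values, as they would arrive in $_GET['id'].
$samples = ['5', '5.5', '5abc', 'abc', '-1', '0', '100001'];

foreach ($samples as $raw) {
    $cast  = (int)$raw;                     // always produces some integer
    $valid = parse_id($raw);                // produces an integer or nothing
    printf("%-10s cast=%-8d validated=%s\n",
        json_encode($raw), $cast, $valid === null ? 'rejected' : (string)$valid);
}
```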
  6. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2004
    Posts
    3
    Rep Power
    0
    Just when you are passing form data directly to a shell command, if you'd like more you can see it here:

    http://uk.php.net/escapeshellcmd
  7. finding balance
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2004
    Posts
    444
    Rep Power
    53

    A Hacker is a Hacker is a Hacker


    Originally Posted by pezzer
    ...especially wanna-be hackers!...
    I just wanted to make a statement on this that I read (page 2). I have read lots of information in this site that would give me enough knowledge to hack an insecure site fairly easily. So could anyone else. The point is if someone is attempting to break in to my site using any technique, they're a hacker. Period. If they're first time newbies or they're ten year veterans, if they're five years old or fifty, they're a hacker. It doesn't matter if they have a vendetta or they're just killing time. I'm not flaming, as I think everyone that has contributed to this string has given (and is giving, and will give, most likely) valuable information. I'm just making the point that if they make the attempt and it works, then someone will say, "I don't see how you can discredit them. After all, they hacked me..."

    Cheers to all making a contribution to this string for giving me security knowledge. I'm compelled to compile it and write articles, do research, maybe even ask for your contributions. Thanks again.
  8. =) wannabe?
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Jul 2002
    Location
    florida
    Posts
    2,153
    Rep Power
    14
    no, they're crackers. i want to hack and think it's a great hobby if not occupation.
  9. finding balance
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2004
    Posts
    444
    Rep Power
    53
    I had a cracker once... I had soup, too, though...
  10. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2003
    Location
    Belfast sumwhere, although it could be Lisburn not too sure
    Posts
    178
    Rep Power
    11
    yes i agree with wannabe? hacker is a term that all good computer programmers like to be associated with. I mean, there is nothing like coming across a quite complex problem with one of your applications/scripts and finding a nice "jim il fix it hack" to save the day, then revelling in your greatness as a hacker. Malicious hacking i feel should be referred to as cracking. Maybe this is one for the DS lounge.
    Linux Apache Mysql PHP -
    http://fedora.redhat.com/
  11. /(bb|[^b]{2})/

    Join Date
    Nov 2001
    Location
    Somewhere in the great unknown
    Posts
    5,163
    Rep Power
    792
    This is a topic that has been discussed since the term was created. You can check the links in my signature for more information but I agree, this does not belong here. This is for security concerns when it comes to PHP.
    Please, if you don't have anything relevant to this thread, DON'T POST IT HERE!
  12. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2004
    Posts
    1
    Rep Power
    0
    Why not set a cookie containing something unique for this session. (I use a md5 hash of username, ip-address, timestamp, and a random...)
    Enter that hash into a loggin table, that also contains a user id.
    Now this table can be used to easily look up who that user is, and thus what rights he should have.
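
The cookie-plus-lookup-table idea from the post above, as an added example that is not part of the original thread. It swaps in a different technique for the token itself: the value comes from `random_bytes()` instead of an md5 of username, IP address and timestamp, and only its SHA-256 is stored. All names are hypothetical and an array stands in for the table.

```php
<?php
// Added example: session token issued at login and resolved to a user id on each request.

// Stand-in for the login table: sha256(token) => [user_id, expires].
$loginTable = [];

// On successful login: create the token, store only its hash, return the cookie value.
function open_session(array &$table, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $table[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => time() + $ttl];
    return $token;
}

// On every request: unknown, malformed or expired tokens map to no user.
function user_for_cookie(array &$table, $cookie): ?int
{
    if (!is_string($cookie) || !preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null;
    }
    $key = hash('sha256', $cookie);
    $row = $table[$key] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row['expires'] < time()) {
        unset($table[$key]);                 // expired rows are removed on sight
        return null;
    }
    return $row['user_id'];                  // rights are then looked up from the user id
}

// Constructed walk-through: user 42 logs in, then three cookie values are presented.
$cookie = open_session($loginTable, 42);
var_dump(user_for_cookie($loginTable, $cookie));              // the issued token
var_dump(user_for_cookie($loginTable, str_repeat('0', 64)));  // well-formed, never issued
var_dump(user_for_cookie($loginTable, ['x']));                // array sent as sid[]=x

// In a web request the token would be sent with:
//   setcookie('sid', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```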
  13. Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190

    Using "include()" based on user input


    This advice has been given: Append a string to a user-given string to restrict access to certain file types via
    PHP Code:
    include $_GET['filename'].".jpg" 
    Never do this. There is no security at all!

    You can circumvent this measure by adding a NULL byte in your query string:
    index.php?filename=/etc/passwd%00

    Tested today and works in FreeBSD 5.3 and Debian Sarge, both fully patched.

    Do not, I repeat: do not include() anything with a variable name in it.
    The right "quick" way is the key->filename array that a.koepke mentioned above or JeffCT's solution in the very first post.

    M.

    PS: Moderators please add a security warning to the posts: #522011, #76731, #76238, #76956
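
The key->filename array recommended in the post above, as an added example that is not part of the original thread; it also applies to the `$page` include system posted earlier. The page keys, the `pages/` directory and `resolve_page()` are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example: the request only selects a key; the file name always comes from the
// server-side map, so no user-supplied string is ever passed to include().

const PAGE_DIR = __DIR__ . '/pages';

const PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

// Resolve a requested key to a path inside PAGE_DIR, falling back to the default page.
function resolve_page($requested): string
{
    $known = is_string($requested) && array_key_exists($requested, PAGES);
    $key   = $known ? $requested : 'home';
    return PAGE_DIR . '/' . PAGES[$key];
}

// Constructed requests: a valid key, a traversal string, the NUL-byte form from the post,
// a remote URL, an array (page[]=news) and a missing parameter.
$requests = ['news', '../../etc/passwd', "/etc/passwd\0", 'http://example.invalid/x', ['news'], null];

foreach ($requests as $r) {
    printf("%-32s -> %s\n", json_encode($r), resolve_page($r));
}

// In the page controller this becomes:
//   include resolve_page($_GET['page'] ?? null);
```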
  14. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Location
    Bielefeld, Germany
    Posts
    35
    Rep Power
    11
    At the moment I use includes on two sites that are stored in .inc.php files, and all of these start with lines similar to these:
    PHP Code:
    <?php
        // Stop when this include file is requested directly instead of being include()d
        if (eregi("admin_functions.inc.php", $PHP_SELF))
        {
            die("Direct access to this page is not allowed.");
        }

        function isAuthorized()
    ...
    and in this special case the filename of the included file would be "admin_functions.inc.php". So calling this file directly with whatever variables attached to the URL will result in the script dying.

    Any thoughts on this?
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2003
    Location
    miami
    Posts
    151
    Rep Power
    12
    one thing - many coders will assume POST to be pretty secure... in fact, they'll use dropdown boxes and not validate the info afterwards. BIG MISTAKE.

    i know a guy who wanted to register for a class and could not because it wouldn't show up bc it was full. it would never show in the dropdown box... so it would be easy for someone to save the form to html on his comp, changed the dropdown to text (or coulda just added my class to the list as another option) and then clicked submit. VOILA!

    the class was now registered for this guy even tho it was full already all because the coder thought dropdowns were already validated

    now replace the university class here with something like an item number or something - and someone now just ordered an item that you are out of stock/no longer carry/doesn't exist etc, and has paid for it, and now it is in your system as garbage data.
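
Server-side re-validation of a dropdown value, for the class-registration case in the post above, as an added example that is not part of the original thread. Course ids, seat counts and `register_for_course()` are constructed for illustration, and an array stands in for the database.

```php
<?php
// Added example: the rules that decide what the dropdown shows are applied again on submit.

// Stand-in for a database table: course id => capacity and current enrolment.
$courses = [
    'CS101' => ['capacity' => 30, 'enrolled' => 30],   // full, so never rendered as an option
    'CS102' => ['capacity' => 30, 'enrolled' => 12],
];

// Returns [ok, message] for a submitted course id.
function register_for_course(array &$courses, $submittedId): array
{
    if (!is_string($submittedId) || !array_key_exists($submittedId, $courses)) {
        return [false, 'unknown course'];
    }
    $course = &$courses[$submittedId];
    if ($course['enrolled'] >= $course['capacity']) {
        return [false, 'course is full'];
    }
    // With a real database the check and the increment belong in one transaction.
    $course['enrolled']++;
    return [true, 'registered'];
}

// Constructed POST values: an honest choice, a full course added by editing the saved form,
// an id that never existed, and an array sent as course[]=CS102.
foreach (['CS102', 'CS101', 'CS999', ['CS102']] as $posted) {
    [$ok, $msg] = register_for_course($courses, $posted);
    printf("%-12s %s (%s)\n", json_encode($posted), $ok ? 'accepted' : 'rejected', $msg);
}
```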
