  1. #1
    New Coder
    Join Date
    Aug 2010
    Posts
    35
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Website Security

    I run a dynamic PHP/MySQL membership website, and a competitor site has been constantly hacking us. I have a few backups, so thankfully I can restore the site to its normal state. But after I restore it they can still hack it very easily. I have checked through all my code and I cannot find any vulnerabilities. I suspected that they were using XSS, so I installed a script called HTML Purifier. Still they were able to hack into the system. After they had hacked the system they were using the private message facility to send lots of abusive messages out using my username.

    Here is some of the session coding:
    PHP Code:
    <?php
    session_start(); // Must start session first thing
    // See if they are a logged in member by checking Session data
    $toplinks = "";
    if (isset($_SESSION['id'])) {
        // Put stored session variables into local php variable
        $userid   = $_SESSION['id'];
        $username = $_SESSION['username'];
        $toplinks = '<a href="member_profile.php?id=' . $userid . '">' . $username . '</a>  <BR/>
        <a href="member_account.php">Account</a><BR/>
        <a href="logout.php">Log Out</a>';
        $image = $_SESSION['username'];
    } else {
        echo "login please!";
        /* Make sure that code below does not get executed when we redirect. */
        exit;
    }
    ?>
    <?php
    // Connect to the database through our include
    include_once "connect_to_mysql.php";
    // Query member data from the database and ready it for display
    $sql = mysql_query("SELECT * FROM members WHERE id='$userid'");
    while ($row = mysql_fetch_array($sql)) {
        $country     = $row["country"];
        $state       = $row["state"];
        $city        = $row["city"];
        $team        = $row["team"];
        $avatarid    = $row["avatarid"];
        $accounttype = $row["accounttype"];
        $bio         = $row["bio"];
        $level       = $row["level"];
        $wages       = $row["wages"];
    }
    ?>
    I think they might be somehow modifying the user sessions to impersonate our website staff. Somehow they had managed to post over 300 messages onto the forums in under a minute, and I could not trace the IP address of the poster.

    Any guidance/help would be really appreciated

    Thank you.

  • #2
    Senior Coder
    Join Date
    Apr 2010
    Posts
    1,417
    Thanks
    68
    Thanked 102 Times in 101 Posts
    Are you using any security codes such as mysql_real_escape_string, addslashes, strip_slashes, magic quotes, is_numeric, etc?

    If you're putting raw data into your database, it can be hacked very easily.

  • #3
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,311
    Thanks
    58
    Thanked 525 Times in 512 Posts
    Blog Entries
    5
    There is no way to gain access to the session data unless they can physically hack into the server itself. Even then they would need to upload and run their own custom php code to scan through all the session files and integrate with your system.

    I suspect your login system or one of your forms has some weak points. You've shown us the completely wrong thing.

    Show the code for your login, registration and any contact forms you have.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #4
    New to the CF scene
    Join Date
    Sep 2011
    Posts
    5
    Thanks
    0
    Thanked 1 Time in 1 Post
    I am no security expert, but I have a few pointers.

    You are using unencrypted session variables. Yes, the session file is located on the server, not client side like a cookie, BUT those values can still be manipulated. I suggest using a token system and some type of encryption to prevent session hijacking (that's what it sounds like to me.)

    I noticed this line specifically:
    $sql = mysql_query("SELECT * FROM members WHERE id='$userid'");

    while ($row = mysql_fetch_array($sql)) {
        $country     = $row["country"];
        $state       = $row["state"];
        $city        = $row["city"];
        $team        = $row["team"];
        $avatarid    = $row["avatarid"];
        $accounttype = $row["accounttype"];
        $bio         = $row["bio"];
        $level       = $row["level"];
        $wages       = $row["wages"];
    }

    Are you storing passwords on the table members? Because if so, I'd remove the * from your query, and specifically list which values you need to retrieve.

    I hope you are able to lock down your site, good luck!

  • #5
    Senior Coder
    Join Date
    Apr 2010
    Posts
    1,417
    Thanks
    68
    Thanked 102 Times in 101 Posts
    Also another thing to mention, if your register/login isn't encrypted, like passwords, that is a huge security flaw.

    Using MD5, SHA1, and Random SALT would make it quite secure.
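    The salted register/login flow this post describes, as an added example that is not code from the thread or from the OP's site. It uses PHP's password_hash()/password_verify() (bcrypt), which generates and embeds a random per-user salt, in place of MD5/SHA1 plus a separate salt column; the PDO handle $pdo and the column name password_hash are assumptions.

```php
<?php
// Added example, not code from the thread: salted password storage for the
// register/login flow described above. password_hash() (bcrypt) generates a
// random per-user salt and embeds it in the hash, so no separate salt column
// is needed. The PDO handle $pdo and the column password_hash are assumed.
declare(strict_types=1);

// Registration: hash once, store only the hash, never the plain-text password.
function register_member(PDO $pdo, string $username, string $plain): void {
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: returns the member id on success, null otherwise.
function login_member(PDO $pdo, string $username, string $plain): ?int {
    // Named columns only (no SELECT *) and a bound parameter instead of string-built SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so the response
    // time does not reveal which usernames are registered.
    static $dummy = null;
    $dummy ??= password_hash('dummy-never-matches', PASSWORD_BCRYPT, ['cost' => 12]);
    $stored = is_array($row) ? $row['password_hash'] : $dummy;

    if (!is_array($row) || !password_verify($plain, $stored)) {
        return null;
    }
    // Transparently re-hash if the cost parameter is raised later.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE members SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]), (int) $row['id']]);
    }
    return (int) $row['id'];
}
```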

  • #6
    Senior Coder
    Join Date
    Jul 2011
    Posts
    1,226
    Thanks
    3
    Thanked 171 Times in 171 Posts
    Start off simple. Session hijacking is the least likely, as it's the hardest to do. It involves sniffing your traffic etc. etc. and is just unlikely.

    The most common is SQL Injection, so I would check that you're validating user input that is being entered into queries, using mysql_real_escape_string().

    Also, your file that you're including connect_to_mysql.php. It's possible they might know where that file is, and could easily include that into a script of their own from a different URL dependent on a couple of php configuration settings, so it might be worth moving this above the web root (the folder above public_html or www). That way, they physically can't get access to it, without having a script on your server.

    Which leaves XSS. Ensure there's no unvalidated user uploads, or inputs, that point to a file location. Ensure you use something like $_SERVER['DOCUMENT_ROOT'] prefixed to file locations that are user provided. Also validate file uploads, by ensuring file types and disallowing certain types and sizes.

    Your actual 'check if logged in' portion isn't great. It's easy to find out a user id, and if someone was able to set their id as a user id, they'd be logged in as that user. I'm not actually sure how easy, or hard, it would be to set a $_SESSION variable like that however. I would suggest rethinking that part, by validating the user's 'last logged in ip' in the table with the current IP, and validate on some sort of token set at login, also stored on login.

    Also, like perplexed says, don't retrieve your password through the mysql. It could be sniffed out that way. Limit the fields in the query to the fields you require.

    And of course, make sure you're using sha1() for your passwords, to hash them so that no-one can see them in plain text.
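    A hardened version of the "check if logged in" block from post #1 along the lines suggested above (login token stored at login, IP check, named columns, include kept outside the web root), as an added example that is not code from the thread. The PDO handle $pdo, the column login_token and the path private/connect_to_mysql.php are assumptions.

```php
<?php
// Added example, not code from the thread: hardened replacement for the
// "check if logged in" block. Login token stored at login and checked on every
// request, session id regenerated at login, IP check, named columns only, and
// the DB include kept outside the web root. $pdo and column login_token are assumed.
declare(strict_types=1);
session_start();

// Called once, right after the password check succeeds in the login script.
function establish_login_session(PDO $pdo, int $userid, string $username): void {
    session_regenerate_id(true);            // fresh id: a pre-set (fixated) session id is useless
    $token = bin2hex(random_bytes(32));     // random per-login token
    $pdo->prepare('UPDATE members SET login_token = ? WHERE id = ?')->execute([$token, $userid]);
    $_SESSION['id']          = $userid;
    $_SESSION['username']    = $username;
    $_SESSION['login_token'] = $token;
    $_SESSION['login_ip']    = $_SERVER['REMOTE_ADDR'] ?? '';
}

function deny(): void {                     // end the session and stop; never fall through
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;
}

// Called at the top of every member page instead of the bare isset($_SESSION['id']).
function require_login(PDO $pdo): array {
    if (!isset($_SESSION['id'], $_SESSION['login_token'], $_SESSION['login_ip'])
        || $_SESSION['login_ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        deny();
    }
    // Bound parameters, and only the columns the page displays: no password column.
    $stmt = $pdo->prepare('SELECT id, username, country, state, city, team, avatarid,
                                  accounttype, bio, level, wages
                             FROM members WHERE id = ? AND login_token = ?');
    $stmt->execute([(int) $_SESSION['id'], $_SESSION['login_token']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {                   // token cleared or rotated: session no longer valid
        deny();
    }
    return $row;
}

// connect_to_mysql.php lives one level above DOCUMENT_ROOT, so it cannot be fetched by URL.
require_once dirname($_SERVER['DOCUMENT_ROOT']) . '/private/connect_to_mysql.php';
$member   = require_login($pdo);
$toplinks = '<a href="member_profile.php?id=' . (int) $member['id'] . '">'
          . htmlspecialchars($member['username'], ENT_QUOTES, 'UTF-8') . '</a>';
```

The IP check logs out members whose address changes mid-session (mobile networks, some proxies); the per-login token alone already ties the session to a real login, so the IP comparison can be dropped if that becomes a support problem.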

  • #7
    New Coder
    Join Date
    Aug 2010
    Posts
    35
    Thanks
    6
    Thanked 0 Times in 0 Posts
    Sorry for the late reply. Thanks a lot for all your advice. I am currently trying my best to code new security and make the site difficult to hack.

