09-11-2011, 05:04 PM | #1
mrkfc (New Coder)
Website Security

I run a dynamic PHP/MySQL membership website, and a competitor site has been constantly hacking us. I have a few backups, so thankfully I can restore the site to its normal state. But after I restore it they can still hack it very easily. I have checked through all my code and I cannot find any vulnerabilities. I suspected that they were using XSS, so I installed a script called HTML Purifier. Still they were able to hack into the system. After they had hacked the system they were using the private message facility to send lots of abusive messages out using my username.

Here is some of the session coding:
PHP Code:
<?php
session_start(); // Must start session first thing
// See if they are a logged in member by checking Session data
$toplinks = "";
if (isset($_SESSION['id'])) {
    // Put stored session variables into local php variable
    $userid = $_SESSION['id'];
    $username = $_SESSION['username'];
    $toplinks = '<a href="member_profile.php?id=' . $userid . '">' . $username . '</a>  <BR/>
    <a href="member_account.php">Account</a><BR/>
    <a href="logout.php">Log Out</a>';
    $image = $_SESSION['username'];
}
else {
    echo "login please!";
    /* Make sure that code below does not get executed when we redirect. */
    exit;
}
?>
<?php
//Connect to the database through our include
include_once "connect_to_mysql.php";
// Query member data from the database and ready it for display
$sql = mysql_query("SELECT * FROM members WHERE id='$userid'");
while($row = mysql_fetch_array($sql)){
    $country = $row["country"];
    $state = $row["state"];
    $city = $row["city"];
    $team = $row["team"];
    $avatarid = $row["avatarid"];
    $accounttype = $row["accounttype"];
    $bio = $row["bio"];
    $level = $row["level"];
    $wages = $row["wages"];
}
?>
I think they might be somehow modifying the user sessions to impersonate our website staff. Somehow they had managed to post over 300 messages onto the forums in under a minute, and I could not trace the IP address of the poster.

Any guidance/help would be really appreciated.

Thank you.
09-11-2011, 06:40 PM | #2
myfayt (Senior Coder)
Are you using any security codes such as mysql_real_escape_string, addslashes, strip_slashes, magic quotes, is_numeric, etc?

If you're putting raw data into your database, it can be hacked very easily.
09-11-2011, 06:46 PM | #3
tangoforce (Senior Coder)
There is no way to gain access to the session data unless they can physically hack into the server itself. Even then they would need to upload and run their own custom php code to scan through all the session files and integrate with your system.

I suspect your login system or one of your forms has some weak points. You've shown us the completely wrong thing.

Show the code for your login, registration and any contact forms you have.
09-11-2011, 06:48 PM | #4
perpl3x3d (New to the CF scene)
I am no security expert, but I have a few pointers.

You are using unencrypted session variables. Yes, the session file is located on the server, not client side like a cookie, BUT those values can still be manipulated. I suggest using a token system and some type of encryption to prevent session hijacking (that's what it sounds like to me.)

I noticed this line specifically:
$sql = mysql_query("SELECT * FROM members WHERE id='$userid'");


while($row = mysql_fetch_array($sql)){
$country = $row["country"];
$state = $row["state"];
$city = $row["city"];
$team = $row["team"];
$avatarid = $row["avatarid"];
$accounttype = $row["accounttype"];
$bio = $row["bio"];
$level = $row["level"];
$wages = $row["wages"];

Are you storing passwords on the table members? Because if so, I'd remove the * from your query, and specifically list which values you need to retrieve.

I hope you are able to lock down your site, good luck!
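To make the two points above concrete (a per-login token checked on every page, and naming columns instead of SELECT *), here is a hardened rewrite of the poster's session check and member lookup. This is an added example, not code from the thread or from the poster's site. It assumes that connect_to_mysql.php has been moved one level above the web root and creates a PDO connection in $pdo, that login.php stores $_SESSION['id'] and a random $_SESSION['auth_token'] and writes the same token into a members.login_token column (a hypothetical column name), and PHP 5.6 or later for hash_equals().

```php
<?php
// Added example, not the original poster's code: hardened session check and
// member lookup. Assumptions: the include (kept above the web root) sets $pdo;
// login.php stored $_SESSION['id'] and $_SESSION['auth_token'] and saved that
// token in members.login_token (hypothetical column); PHP >= 5.6 (hash_equals).
session_start();
include_once __DIR__ . '/../connect_to_mysql.php';

function redirect_to_login()
{
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit; // nothing below this point runs for an unauthenticated request
}

// Escape everything from the database or the session on output, so a stored
// username or bio cannot inject markup into the page (XSS).
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

if (!isset($_SESSION['id'], $_SESSION['auth_token'])) {
    redirect_to_login();
}
$userid = (int) $_SESSION['id'];

// Name the columns this page needs instead of SELECT *, so the password hash
// never leaves the database, and bind the id instead of splicing it into the
// SQL string, so nothing in the session can change the query.
$stmt = $pdo->prepare(
    'SELECT username, country, state, city, team, avatarid, accounttype,
            bio, level, wages, login_token
       FROM members
      WHERE id = :id'
);
$stmt->execute(array(':id' => $userid));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Knowing a user id is not enough: the per-login token must match the one
// stored at login time, so a guessed, forged or stale session is discarded.
if ($row === false
    || !hash_equals((string) $row['login_token'], (string) $_SESSION['auth_token'])) {
    redirect_to_login();
}

$username    = $row['username'];
$toplinks    = '<a href="member_profile.php?id=' . $userid . '">' . h($username) . '</a><br/>'
             . '<a href="member_account.php">Account</a><br/>'
             . '<a href="logout.php">Log Out</a>';
$country     = $row['country'];
$state       = $row['state'];
$city        = $row['city'];
$team        = $row['team'];
$avatarid    = $row['avatarid'];
$accounttype = $row['accounttype'];
$bio         = $row['bio'];
$level       = $row['level'];
$wages       = $row['wages'];
?>
```

The token comparison is what turns "I know a user's id" into "I was issued this login"; logout.php should clear members.login_token as well as destroying the session so an old token cannot be replayed.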
09-11-2011, 07:13 PM | #5
myfayt (Senior Coder)
Also another thing to mention, if your register/login isn't encrypted, like passwords, that is a huge security flaw.

Using MD5, SHA1, and Random SALT would make it quite secure.
09-11-2011, 07:47 PM | #6
BluePanther (Senior Coder)
Start off simple. Session hijacking is the least likely, as it's the hardest to do. It involves sniffing your traffic etc. etc. and is just unlikely.

The most common is SQL Injection, so I would check that you're validating user input that is being entered into queries, using mysql_real_escape_string().

Also, the file that you're including, connect_to_mysql.php: it's possible they might know where that file is, and could easily include it into a script of their own from a different URL, dependent on a couple of PHP configuration settings, so it might be worth moving this above the web root (the folder above public_html or www). That way, they physically can't get access to it without having a script on your server.

Which leaves XSS. Ensure there's no unvalidated user uploads, or inputs, that point to a file location. Ensure you use something like $_SERVER['DOCUMENT_ROOT'] prefixed to file locations that are user provided. Also validate file uploads, by ensuring file types and disallowing certain types and sizes.

Your actual 'check if logged in' portion isn't great. It's easy to find out a user id, and if someone was able to set their id as a user id, they'd be logged in as that user. I'm not actually sure how easy, or hard, it would be to set a $_SESSION variable like that however. I would suggest rethinking that part, by validating the user's 'last logged in ip' in the table with the current IP, and validate on some sort of token set at login, also stored on login.

Also, like perplexed says, don't retrieve your password through the mysql. It could be sniffed out that way. Limit the fields in the query to the fields you require.

And of course, make sure you're using sha1() for your passwords, to hash them so that no-one can see them in plain text.
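The login side of the advice in posts #5 and #6 (hashed passwords, a token set at login and stored alongside the user, the login IP recorded) fits in one handler. The following is an added example, not code from the thread or from the poster's site. It assumes a PDO connection in $pdo, a members table with columns id, username, password_hash, login_token and last_login_ip (hypothetical names), and PHP 5.5 or later: the thread suggests MD5/SHA1 with a random salt, and password_hash()/password_verify() are the current replacement for that, generating and storing the salt for you.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO connection) and a
// members table with id, username, password_hash, login_token, last_login_ip
// (hypothetical column names); PHP >= 5.5 for password_hash()/password_verify().
session_start();
include_once __DIR__ . '/../connect_to_mysql.php';

// Registration side: store only a salted hash, never the password itself.
function create_member(PDO $pdo, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salt generated internally
    $ins  = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
    $ins->execute(array(':u' => $username, ':h' => $hash));
    return (int) $pdo->lastInsertId();
}

// Login side: returns true and populates the session only on a verified password.
function attempt_login(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM members WHERE username = :u LIMIT 1');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure path whether or not the username exists.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session id on login, so a session id handed out before
    // authentication cannot be reused as the logged-in one.
    session_regenerate_id(true);

    // Per-login random token, kept both server-side and in the session; the
    // member pages compare the two on every request.
    $token = bin2hex(openssl_random_pseudo_bytes(32));
    $upd   = $pdo->prepare(
        'UPDATE members SET login_token = :t, last_login_ip = :ip WHERE id = :id'
    );
    $upd->execute(array(
        ':t'  => $token,
        ':ip' => $_SERVER['REMOTE_ADDR'],
        ':id' => $row['id'],
    ));

    $_SESSION['id']         = (int) $row['id'];
    $_SESSION['auth_token'] = $token;
    $_SESSION['ip']         = $_SERVER['REMOTE_ADDR'];
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (attempt_login($pdo, $_POST['username'], $_POST['password'])) {
        header('Location: member_account.php');
    } else {
        header('Location: login.php?failed=1');
    }
    exit;
}
?>
```

Pages that require a login can then compare $_SESSION['auth_token'] against members.login_token and, if you want the IP check from post #6, $_SESSION['ip'] against $_SERVER['REMOTE_ADDR']; the IP check is worth treating as a secondary signal, since users behind proxies and mobile carriers change address mid-session.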
09-15-2011, 10:40 PM | #7
mrkfc (New Coder)
Sorry for the late reply. Thanks a lot for all your advice. I am currently trying my best to code new security and make the site difficult to hack.