Results 1 to 3 of 3

Thread: Security Checks.

  1. #1
    Registered Generalissimo's Avatar
    Join Date
    Mar 2005
    Location
    Huddersfield, UK
    Posts
    409

    Security Checks.

    I just asked a friend to proform a quick security check on my sites. Within 15 minutes he had passwords to most of my sites.

    What had I done so wrong? Firstly I had 4Images script running which is full of exploits, one of which reveals all the user account names on the server.

    He then used a dodgy upload form on one of my sites to upload a hacker tool called c99. Because the upload form (now deleted) allowed php uploads somehow he was able to access that php file and use the usernames gained from the 4images script to gain access to any user account on my server.

    He could then just open php files using c99 and get passwords. The only secure sites were ones coded by decent programmers who had done techniques such as echoing html instead of php files to produce sites.


    This made me think a lot about security, I thought my sites were relativly secure, but in 15 minutes the vast majority of them were compromised.

    He suggested:

    • Having different passwords for databases and user accounts
    • Having different passwords for every site
    • Checking all scripts before upload in future for potential to upload php
    • Not using third party scripts such as 4 images unless known to be secure (VBulletin is considered secure)

  2. #2
    Administrator Chris's Avatar
    Join Date
    Feb 2003
    Location
    East Lansing, MI USA
    Posts
    7,049
    Any site that allows user uploaded files needs extra layers of security.
    Chris Beasley - My Guide to Building a Successful Website[size=1]
    Content Sites: ABCDFGHIJKLMNOP|Forums: ABCD EF|Ecommerce: Swords Knives

  3. #3
    Registered Xander's Avatar
    Join Date
    Oct 2004
    Location
    UK
    Posts
    263
    Its a good thing you had a friend who could do that and that you had it done. As I've progressed in PHP and MySQL, security in my code and websites in general have become a real interest. Anywhere a person can enter something that is stored or even displayed (without being stored) can be dangerous. Just look at cross site scripting (XSS) those can be little annoyances to website compromising problems. I've learnt a lot from rsnake's (http://ha.ckers.org) blogs and forum.

Similar Threads

  1. when does adsense send checks?
    By thebillionaire in forum Advertising & Affiliate Programs
    Replies: 6
    Last Post: 10-18-2005, 03:24 AM
  2. Free Server Security Audit by Touch Support
    By TSGradyR in forum The Marketplace
    Replies: 0
    Last Post: 03-30-2005, 11:00 PM
  3. Free Security Audit
    By TSGradyR in forum The Marketplace
    Replies: 0
    Last Post: 03-15-2005, 06:49 PM
  4. A few general questions about security ...
    By hixe in forum Web Hosting & Servers
    Replies: 3
    Last Post: 07-12-2004, 12:58 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •