SYSTEM SECURITY EMERGENCY!!
Hello my php'ers, I have a problem with the security of a system I am trying to develop, and it is the following: I have no idea how to authenticate who is sending the POST vars to my script, and I am worried someone could "Save As" the introduction form and introduce unwanted info into my system. Does anyone have ideas about how to authenticate the sending form or URL? I need this urgently, so I will be grateful to anyone that answers my question...
In other words, how can I know if it was my own submission form or a hacking copy of my form that sent the $HTTP_POST_VARS['foo'] to my script?
I am worried someone is introducing data from an unwanted location or machine, violating my security capabilities.
Some ideas of how to secure my script?
Okay, I searched, but I couldn't find it. I have a suggestion but no code.
What you could do is use the command which checks what URL you came from; I'm thinking it's something with 'refer' in it. Then make an if statement that says:
if([refer command] == "The url of the post area") {
came from ur page, not the evil peoples page!
} else {
It didnt come from that page, so its not going to work!
}
Sorry for not specifying enough. I know I saw it around here; maybe a guru will give you the command.
Code:
$_SERVER["HTTP_REFERER"]
Re: SYSTEM SECURITY EMERGENCY!!
jami045 wrote: Hello my php'ers, I have a problem with the security of a system I am trying to develop, and it is the following: I have no idea how to authenticate who is sending the POST vars to my script, and I am worried someone could "Save As" the introduction form and introduce unwanted info into my system. Does anyone have ideas about how to authenticate the sending form or URL? I need this urgently, so I will be grateful to anyone that answers my question...
In other words, how can I know if it was my own submission form or a hacking copy of my form that sent the $HTTP_POST_VARS['foo'] to my script?
I am worried someone is introducing data from an unwanted location or machine, violating my security capabilities.
Some ideas of how to secure my script?

Just send a digital signature with your form. If the form doesn't come back with the signature, something's wrong.
Cheers,
BDKR
You may also want to do some reading here: http://www.php.net/manual/en/security.php
Drachlen wrote: "Just send a digital signature with your form. If the form doesn't come back with the signature, something's wrong."
Even though this isn't my problem, I'm curious as to what you mean: what would be a digital signature and how would it be coded?

Well, I'm using the term rather loosely. The basic idea is that you send with a form a signature.
But what is a signature? It could be any number of things. Some people will dynamically create images with a keyword or something in it. That person is then required to type that key word into a field and send it back. There are holes in this approach as there are in many others.
Here is what I do...
1) Hash client side using Javascript md5 or sha1.
2) Maintain a session var for forms and store IP/OS/Platform data.
3) Send a key with that form (making it unique).
By hashing client side, the user's password is never sent in the clear. Its hash is, however. So, to deal with that fact, the key that is sent with the form in the first place is a hash of the user's IP/OS/Platform plus an additional hash var used on the server.
Is the above bullet proof? No. But nothing is. To me, you just throw enough impediments at a person to make it not worth trying.
Cheers,
BDKR
Another option, without relying on client-side code:
1. Use $_SERVER["HTTP_REFERER"]
2. Perform full validation on returned variables:
A. Only validate variables you expect to receive; don't use register_globals, or any "tricks" that simulate it.
B. This includes validating any hidden variables. Validating hidden variables will often require using a MAC (message authentication code); the value of the variable should be set as "value+MD5(value+server secret)". By exploding the variable on return you'll be able to compare it to what you thought it should be.
C. Make sure that any selectbox/radio button/checkbox returns a legal value; don't assume they are valid by default. Being very paranoid, MAC each option here as well.
D. Basically, the only "safe" inputs are text/textarea/password. They are "unrestricted user input" so you can't check for too much, other than using regexp's. All others need to have the options individually signed.
That should do it.... Doesn't depend on client-side code, uses REFERER as a simple check, but true hackers can avoid it. However, the more paranoid validation will trap them as well. To crack the site they will have to learn a server secret, on the same order as your database password.
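The signed hidden field and signed select options from steps 2B and 2C above, as an added example that is not part of any post in this thread. It uses HMAC-SHA256 through PHP's hash_hmac() in place of the plain MD5(value+server secret) construction, and it also binds the field name and a session id into the MAC. The secret, field names, values and session id are constructed placeholders.

```php
<?php
// Added example. SERVER_SECRET is a constructed placeholder; keep the real
// secret in configuration outside the web root, like a database password.
const SERVER_SECRET = 'constructed-example-secret-change-me';

// Build "value|mac". The MAC covers the session id and field name as well, so a
// signed value cannot be moved to another field or reused in another session.
function sign_field(string $name, string $value, string $sessionId): string
{
    $mac = hash_hmac('sha256', $sessionId . "\0" . $name . "\0" . $value, SERVER_SECRET);
    return $value . '|' . $mac;
}

// Return the original value if the MAC matches, or null if anything was altered.
function verify_field(string $name, string $signed, string $sessionId): ?string
{
    // Split on the last '|' because the value itself may contain '|'.
    $sep = strrpos($signed, '|');
    if ($sep === false) {
        return null;
    }
    $value = substr($signed, 0, $sep);
    $mac = substr($signed, $sep + 1);
    $expected = hash_hmac('sha256', $sessionId . "\0" . $name . "\0" . $value, SERVER_SECRET);
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, $mac) ? $value : null;
}

// Constructed sample data: one hidden field and the options of a select box.
$sid = 'constructed-session-id';
$hidden = sign_field('order_id', '1042', $sid);
$options = array_map(fn($o) => sign_field('plan', $o, $sid), ['basic', 'pro']);

// 1. The untouched hidden field is accepted.
var_dump(verify_field('order_id', $hidden, $sid));
// 2. The same MAC with an edited value is rejected.
var_dump(verify_field('order_id', '9999' . substr($hidden, 4), $sid));
// 3. A validly signed value submitted under a different field name is rejected.
var_dump(verify_field('plan', $hidden, $sid));
// 4. A signed select option is accepted for its own field.
var_dump(verify_field('plan', $options[1], $sid));
```

In a real form, the string returned by sign_field() goes into the hidden input or option value, and the handler calls verify_field() with the current session id before using the result.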
THANK YOU ALL!!, I made this code out and it works, I verify if the request method is POST, and if my host is in the HTTP_REFERER... I hope this helps people that had the same question as I did.
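Code:
<?php
// Reject POST requests whose Referer header does not contain this host.
// The Referer header is supplied by the client, so this is only a basic check.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // The header may be missing entirely; treat that as "not from this host".
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $pos = strpos($referer, $_SERVER['HTTP_HOST']);
    // strpos() returns false when nothing is found; use === so offset 0 is not mistaken for false.
    // 7 is the length of "http://"; an https:// Referer places the host at offset 8.
    if ($pos === false || $pos > 7) {
        die(""); // or maybe exit;
    }
}
?>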