how about that hacker? ;)

lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

how about that hacker? ;)

Post by lc »

Well some of you may remember I posted something a while back about someone hacking a flatfile bb script I wrote.

Since then... he/she/it also hacked my gb script. I've always known my scripts weren't all that secure... but this was ridiculous.

Then suddenly I figured it out, it's soo simple. Thus I thought I'd share it with you so that no one else makes my silly mistake.

I kept the admin password/username in a textfile in the folder tree of the script... no problem if no one knows the folder name and they can't surf your site's tree freely (placing index.html in all folders)

But my error... I had 2 small images in the script for email and sites... and well... click on image/properties and you know the name of the folder where it's from. Once he knew that... it was easy to find the textfile with the passwords.

Thus conclusion... don't keep your images next to your passwords! hehe

I'm testing new versions of the scripts now, in case I am wrong and that's not how it was done... one of these days I'll start using .htaccess :P
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

<Directory /images>
    # Apache 2.2 access-control syntax: the deny rule applies to every client,
    # so no HTTP request for this directory is served. PHP include()/require()
    # reads these files through the filesystem and is unaffected.
    Order Deny,Allow
    Deny from all
    # On Apache 2.4 the equivalent line is:  Require all denied
</Directory>
RandomEngy
Forum Contributor
Posts: 173
Joined: Wed Jun 26, 2002 3:24 pm
Contact:

Post by RandomEngy »

Just out of curiosity/ignorance, what would one do with that <directory> code?

Also, if you store the password after running it through md5(), you could put a link to that text file on your main site and tell everyone that your password was stored there, and it would still be secure. :D
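As an added example (not code from this thread), here is what storing a password as a hash looks like in PHP today. It uses password_hash() and password_verify() rather than a bare md5(): md5 has no salt, so equal passwords give equal digests and precomputed tables can reverse common ones, and it is fast, so guessing is cheap. The file name admin.hash and the sample password are assumptions.

```php
<?php
// Added example, not code from the thread: keep the admin password as a
// salted, slow hash rather than as plain text or a bare md5() digest.
// The file name below is an assumption; the thread names none.
const PASSWORD_FILE = __DIR__ . '/admin.hash';

// Create or reset the stored credential. password_hash() chooses a random
// salt and a deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT at the
// time of writing), so the stored string is of little use to anyone who reads it.
function storeAdminPassword(string $plain): void
{
    file_put_contents(PASSWORD_FILE, password_hash($plain, PASSWORD_DEFAULT), LOCK_EX);
}

// Check a login attempt against the stored hash; the plain-text password is
// never written to disk and never compared with ==, since password_verify()
// is safe against timing attacks.
function checkAdminPassword(string $attempt): bool
{
    if (!is_file(PASSWORD_FILE)) {
        return false;
    }
    return password_verify($attempt, trim((string) file_get_contents(PASSWORD_FILE)));
}

// Why md5() alone is not enough: it is unsalted, so the same password always
// gives the same digest (lookup tables work), and it is fast, so guessing is cheap.
// Returns, per scheme, whether hashing the same input twice gives the same string.
function sameInputSameHash(): array
{
    return [
        'md5'           => md5('hunter2') === md5('hunter2'),
        'password_hash' => password_hash('hunter2', PASSWORD_DEFAULT)
                           === password_hash('hunter2', PASSWORD_DEFAULT),
    ];
}

// Usage from the command line: php this_file.php
if (PHP_SAPI === 'cli') {
    storeAdminPassword('correct horse battery staple');   // constructed sample password
    var_dump(checkAdminPassword('correct horse battery staple'));
    var_dump(checkAdminPassword('not the password'));
    var_dump(sameInputSameHash());
    unlink(PASSWORD_FILE);
}
```

The hash file still belongs outside the web root: a hash buys time against someone who reads it, it does not make the file harmless to publish.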
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

Put it in either the .htaccess or httpd.conf, and it won't let anybody but itself use the images directory (you can change that by adding an "Allow from <somehost>" statement). Sorry I didn't 'splain my code.
lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

See actually.. I figured it out yesterday... why yesterday... cause I'm stupid and just didn't see it before.

The problem in my script was basically that you could get the admin username and password. Only if you have those can you execute the .inc files containing all sorts of nice functions. Cause basically the PHP page checks for username/password every time.

My problem was that the password/username were stored in a .inc file which could be opened in a browser.

Solution? Just place the password/username in a .php file which doesn't print them out.. voila ;)

I'm such a dunce.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK
Contact:

OH Nasty!

Post by Takuma »

Bad hacker isn't he......... Not very nice.

I save my data in MySQL or PHP file because that way hackers really have to use their head :wink:
Zmodem
Forum Commoner
Posts: 84
Joined: Thu Apr 18, 2002 3:59 pm

Re: how about that hacker? ;)

Post by Zmodem »

lc wrote: Thus conclusion... don't keep your images next to your passwords! hehe
Better conclusion, don't keep your passwords in a text file in ANY directory period. It's not hard to figure out where you keep them. Why couldn't he just download your script, install it himself? ;)

Best not to keep ANY passwords in clear text in files. Store them in a DB, encrypt them, etc etc. Moving the text file around won't save you.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

Just as a reference, don't use .inc as an extension either. Use .php. If you want to make note that a file is supposed to be .inc, then make it .inc.php

Also, for anything you don't want people to see via the web, you can move it out of the public_html/ (or www/, or whatever you call it) directory. PHPComplete is set up in such a fashion:

/phpcomplete/public_html/ - main web directory, what you guys see
/phpcomplete/inc/ - my include directory, contains all the important stuff
/phpcomplete/autoInclude/ - Things I wish to autoInclude into ALL my pages.

That setup works fine for me.

And I don't have any .inc pages.
lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

Well... jason, things are .inc if they are executable script bits, but the functions within should only be executable when included in another page/script using include. And it is very helpful... they just shouldn't have any sort of critical data in them.
I think that's a safe rule.

Taking a .inc file which is written to be included and renaming that file to .php could be dangerous if it has functions in it which could then be executed directly, without the "parent" script.
lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

Actually I had another thought... how about taking all the executable .inc script bits and naming them .php

But as added security, placing all the script in it inside a

// Run the included code only when the script being served ($PHP_SELF, now $_SERVER['PHP_SELF']) is the expected parent page
if (basename($_SERVER['PHP_SELF']) == "the_page_it_may_be_included_in.php") {
    // ... the include's code goes here ...
}

That way no one will ever be able to either read or execute the script without going through the correct path.
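As an added example that is not the thread's own code, the following script builds a throwaway copy of the layout jason describes (a public_html/ directory beside an inc/ directory the web server never serves) and shows an include guard based on a constant the parent script defines, a common alternative to comparing PHP_SELF as suggested above. Every path, file name and function name here is assumed.

```php
<?php
// Added example, not the thread's own code. Builds a throwaway copy of the
// layout jason describes (public_html/ beside an inc/ directory that the web
// server never serves) and shows an include guard based on a constant the
// parent script defines, an alternative to comparing PHP_SELF. Every path
// and name here is assumed.
$root = sys_get_temp_dir() . '/layout_demo_' . getmypid();
mkdir("$root/public_html", 0700, true);
mkdir("$root/inc", 0700, true);

// Guard that each included file starts with: if the parent did not define the
// marker, this file was requested (or run) on its own, so it refuses.
$guard = <<<'PHP'
<?php
if (!defined('IN_PARENT_SCRIPT')) {
    http_response_code(403);
    echo "Direct access denied\n";
    exit(1);
}
PHP;

// inc/config.php: returns credentials to the caller and prints nothing.
// The hash value is a placeholder, not a real credential.
$configSrc = $guard . <<<'PHP'

return ['admin_user' => 'admin', 'admin_hash' => '<placeholder bcrypt hash>'];

PHP;
file_put_contents("$root/inc/config.php", $configSrc);

// inc/admin_functions.php: the "nice functions" that must only run via the parent.
$functionsSrc = $guard . <<<'PHP'

function greetAdmin(string $user): string
{
    return "Hello, $user";
}

PHP;
file_put_contents("$root/inc/admin_functions.php", $functionsSrc);

// public_html/index.php: the only file meant to be requested directly.
// __DIR__ . '/..' reaches inc/ on the filesystem; no URL maps to it.
$indexSrc = <<<'PHP'
<?php
define('IN_PARENT_SCRIPT', true);
$config = require __DIR__ . '/../inc/config.php';
require __DIR__ . '/../inc/admin_functions.php';
echo greetAdmin($config['admin_user']), "\n";
PHP;
file_put_contents("$root/public_html/index.php", $indexSrc);

// Run a file in a fresh PHP process, as a web server would for one request,
// and report what it printed and its exit status.
function runScript(string $path): array
{
    exec(PHP_BINARY . ' ' . escapeshellarg($path) . ' 2>&1', $output, $status);
    return ['output' => implode("\n", $output), 'status' => $status];
}

print_r(runScript("$root/public_html/index.php"));   // the served page: includes work
print_r(runScript("$root/inc/config.php"));           // config requested on its own: refused
print_r(runScript("$root/inc/admin_functions.php"));  // same for the functions file

// Tidy up the throwaway tree.
foreach (['public_html/index.php', 'inc/config.php', 'inc/admin_functions.php'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/public_html");
rmdir("$root/inc");
rmdir($root);
```

The constant check does the same job as the PHP_SELF comparison without tying each include to one parent file name, and moving inc/ out of the web root means the guard is a second line of defence rather than the only one.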
sam
Forum Contributor
Posts: 217
Joined: Thu Apr 18, 2002 11:11 pm
Location: Northern California
Contact:

Post by sam »

Well see that is the beauty of llimllib's suggestion of setting directory access to your include directory, that way no one can possibly get into the inc directory and mess with stuff. Saves you from coding every include file and limiting the number of pages that can access that included file.

Cheers Sam
lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

Of course and if I was running my own server I would definitely do that... but you need telnet access to set .htaccess on other hosts... which I and many like me don't have.
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

you only need ftp, in many cases. I currently do this on my f2o account, which is only ftp access. This depends on your admin, but he could set it up so that .htaccess didn't work no matter what, so if you have *any* access it's possible that you may have .htaccess access.
lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

Nah I need telnet which I can get but costs me extra with my host... Currently I am just trying to solve everything inside php.. I'll try everything else once I can afford my own host which I can then setup with all lovely gizmoz. But I think that's years away.
gotDNS
Forum Contributor
Posts: 217
Joined: Tue May 07, 2002 5:53 pm
Location: West Chester, PA

Post by gotDNS »

Sorry to be picky....but a "Hacker" is nothing more than a programmer. Now a "Cracker" on the other hand, is a person who breaks into systems, etc.

The PROBABLE happening:
"Hacker" used to be used correctly, until someone broke into some system, and some stupid CEO that didn't know a thing about computers found a term online for "computer smart people"..and blamed what happened on one of them...a hacker. That is what probably started the confusion.

But never fear, I am out to save the world from the torments of misconceived vocabulary!

So try using the word "Cracker" next time you refer to someone that BREAKS things...you little HACKER, you.

"Hackers build things, crackers break them." -Eric S. Raymond

later on, -Brian