how about that hacker? ;)

Posted: Fri Jul 26, 2002 9:24 am
by lc
Well some of you may remember I posted something a while back about someone hacking a flatfile bb script I wrote.

Since then... he/she/it also hacked my gb script. I've always known my scripts weren't all that secure... but this was ridiculous.

Then suddenly I figured it out, it's soo simple. Thus I thought I'd share it with you so that no one else makes my silly mistake.

I kept the admin password/username in a textfile in the folder tree of the script... no problem if no one knows the folder name and they can't surf your site's tree freely (placing index.html in all folders)

But my error... I had 2 small images in the script for email and sites... and well... click on image/properties and you know the name of the folder where it's from. Once he knew that... it was easy to find the textfile with the passwords.

Thus conclusion... don't keep your images next to your passwords! hehe

I'm testing new versions of the scripts now, in case I am wrong and that's not how it was done... one of these days I'll start using .htaccess :P

Posted: Fri Jul 26, 2002 9:33 am
by llimllib

<directory /images>
    Order deny,allow
    Deny from all
</directory>

Posted: Fri Jul 26, 2002 9:48 am
by RandomEngy
Just out of curiosity/ignorance, what would one do with that <directory> code?

Also, if you store the password after running it through md5(), you could put a link to that text file on your main site, and tell everyone that your password was stored there, it would still be secure. :D

Posted: Fri Jul 26, 2002 10:55 am
by llimllib
Put it in either the .htaccess or httpd.conf, and it won't let anybody but itself use the images directory (you can change that by adding an "Allow from <somehost>" statement). Sorry I didn't 'splain my code.

Posted: Tue Aug 06, 2002 5:44 pm
by lc
See actually.. I figured it out yesterday... why yesterday... cause I'm stupid and just didn't see it before.

The problem in my script was basically that you could get the admin username and password. Only if you have those can you execute the .inc files containing all sorts of nice functions. Cause basically the php page checks for username/password every time.

My problem was that the password/username were stored in a .inc file which could be opened in a browser.

Solution? Just place the password/username in a .php file which doesn't print them out.. voila ;)

I'm such a dunce.

OH Nasty!

Posted: Fri Aug 09, 2002 3:40 pm
by Takuma
Bad hacker isn't he......... Not very nice.

I save my data in MySQL or PHP file because that way hackers really have to use their head :wink:

Re: how about that hacker? ;)

Posted: Tue Aug 13, 2002 11:57 am
by Zmodem
lc wrote: Thus conclusion... don't keep your images next to your passwords! hehe
Better conclusion, don't keep your passwords in a text file in ANY directory period. It's not hard to figure out where you keep them. Why couldn't he just download your script, install it himself? ;)

Best not to keep ANY Passwords in clear text in files. Store them in a DB, encrypt them, etc etc. Moving the text file around won't save you

Posted: Tue Aug 13, 2002 12:32 pm
by jason
Just as a reference, don't use .inc as an extension either. Use .php. If you want to make note that a file is supposed to be .inc, then make it .inc.php

Also, for anything you don't want people to see via the web, you can move it out of the public_html/ (or www/, or whatever you call it) directory. PHPComplete is set up in such a fashion:

/phpcomplete/public_html/ - main web directory, what you guys see
/phpcomplete/inc/ - my include directory, contains all the important stuff
/phpcomplete/autoInclude/ - Things I wish to autoInclude into ALL my pages.

That setup works fine for me.

And I don't have any .inc pages.
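
Added example (not from the thread and not PHPComplete's code): a sketch of the layout described above, with the admin credential kept in a .php file outside public_html/ and stored as a password_hash() digest instead of clear text. The file name admin_credentials.php, the helpers load_admin_credentials() and check_admin_login(), and the sample password are assumptions made for illustration.

```php
<?php
// Added example: file names, helper names and the sample password are
// hypothetical and constructed for this demonstration.

// Loads the credential array from a PHP file kept outside the web root.
// The file only returns data, so it prints nothing even if it were executed,
// and outside public_html/ it has no URL to request in the first place.
function load_admin_credentials(string $incDir): array
{
    $path = realpath($incDir . '/admin_credentials.php');
    if ($path === false) {
        throw new RuntimeException('credential file missing');
    }
    $creds = require $path;
    if (!is_array($creds) || !isset($creds['user'], $creds['hash'])) {
        throw new RuntimeException('credential file malformed');
    }
    return $creds;
}

// Checks a login attempt against the stored salted hash.
function check_admin_login(array $creds, string $user, string $password): bool
{
    // Evaluate both checks every time so a wrong user name is not faster.
    $userOk = hash_equals($creds['user'], $user);
    $passOk = password_verify($password, $creds['hash']);
    return $userOk && $passOk;
}

// Constructed demo: build the directory layout in a temp directory.
$root = sys_get_temp_dir() . '/layout_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/public_html', 0700, true);   // what visitors can reach
mkdir($root . '/inc', 0700, true);           // never served by the web server

// Only the password_hash() output is written to disk, never the password.
$hash = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
$body = "<?php\nreturn " . var_export(['user' => 'admin', 'hash' => $hash], true) . ";\n";
file_put_contents($root . '/inc/admin_credentials.php', $body);

$creds = load_admin_credentials($root . '/inc');
var_dump(check_admin_login($creds, 'admin', 'constructed-sample-password'));
var_dump(check_admin_login($creds, 'admin', 'wrong-guess'));
```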

Posted: Tue Aug 13, 2002 6:58 pm
by lc
Well... jason things are .inc if they are executable script bits but the functions within should only be executable when included in another page/script using include. And is very helpful... they just shouldn't have any sort of critical data in them.
I think that's a safe rule.

Taking a .inc file which is written to be included and renaming that file to .php could be dangerous if it has functions in it which could then be executed directly, without the "parent" script.

Posted: Wed Aug 14, 2002 8:43 pm
by lc
Actually I had another thought... how about taking all the executable .inc script bits and naming them .php

But as added security placing all the script in it inside a

if ($PHP_SELF == "the_page_it_may_be_included_in.php"){
}

That way no one will ever be able to either read or execute the script without going through the correct path.
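
Added example (not lc's code): one way to build the guard described above on current PHP, where $PHP_SELF is no longer populated because register_globals was removed, and where PHP_SELF is in any case derived from the request URL. The include file instead checks a constant that only the entry page defines and compares its own path with the script the server was asked to run. The names APP_ENTRY, the temp file name and delete_post() are assumptions.

```php
<?php
// Added example; APP_ENTRY and delete_post() are hypothetical names.

// Body of an include file with the guard as its first statement. It refuses
// to run unless the entry page defined APP_ENTRY and this file is not itself
// the script the server was asked to execute.
$guarded = <<<'PHP'
<?php
if (!defined('APP_ENTRY')
    || realpath(__FILE__) === realpath($_SERVER['SCRIPT_FILENAME'] ?? '')) {
    http_response_code(404);   // behave as if the file were not there
    exit;
}
function delete_post(int $id): string { return "deleted post $id"; }
echo "include loaded\n";
PHP;

// Constructed demo: write the include to a temp directory.
$inc = sys_get_temp_dir() . '/admin_' . bin2hex(random_bytes(4)) . '.inc.php';
file_put_contents($inc, $guarded);

// 1. Requested directly. This is simulated with the PHP CLI, which also sets
//    SCRIPT_FILENAME to the file being run: the guard exits before any output.
$direct = shell_exec(escapeshellarg(PHP_BINARY) . ' ' . escapeshellarg($inc));
var_dump(trim((string) $direct) === '');

// 2. Included from the entry page, which defines the constant first.
define('APP_ENTRY', true);
require $inc;
var_dump(delete_post(7));

unlink($inc);
```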

Posted: Wed Aug 14, 2002 11:34 pm
by sam
Well see that is the beauty of llimllib's suggestion of setting a directory access to your include directory, that way no one can possibly get into the inc directory and mess with stuff. Saves you from coding every include file and limiting the number of pages that can access that included file.

Cheers Sam

Posted: Thu Aug 15, 2002 9:44 am
by lc
Of course and if I was running my own server I would definitely do that... but you need telnet access to set .htaccess on other hosts... which I and many like me don't have.

Posted: Thu Aug 15, 2002 10:11 am
by llimllib
you only need ftp, in many cases. I currently do this on my f2o account, which is only ftp access. This depends on your admin, but he could set it up so that .htaccess didn't work no matter what, so if you have *any* access it's possible that you may have .htaccess access.

Posted: Thu Aug 15, 2002 8:23 pm
by lc
Nah I need telnet which I can get but costs me extra with my host... Currently I am just trying to solve everything inside php.. I'll try everything else once I can afford my own host which I can then setup with all lovely gizmoz. But I think that's years away.

Posted: Fri Aug 16, 2002 4:40 pm
by gotDNS
Sorry to be picky....but a "Hacker" is nothing more than a programmer. Now a "Cracker" on the other hand, is a person who breaks into systems, etc.

The PROBABLE happening:
"Hacker" used to be used correctly, until someone broke into some system, and some stupid CEO that didn't know a thing about computers found a term online for "computer smart people"..and blamed what happened on one of them...a hacker. That is what probably started the confusion.

But never fear, I am out to save the world from the torments of misconceived vocabulary!

So try using the word "Cracker" next time you refer to someone that BREAKS things...you little HACKER, you.

"Hackers build things, crackers break them." -Eric S. Raymond

later on, -Brian