cURL Vulnerability?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Mr. Larkins
Forum Newbie
Posts: 3
Joined: Wed Jul 08, 2009 1:23 pm

cURL Vulnerability?

Post by Mr. Larkins »

Hi,

I am no expert (by far) but I have written some small PHP codes for a few websites. Nothing fancy. However, I have 2 websites in particular that get 'hacked' regularly. Seems each time, some malicious code, usually script tags, is added outside of my regular html code. I do use cURL in a few of the pages and I'm wondering if that is the avenue of my attacks. Any insight is appreciated.

here's an example of how I use it

<?php
// Fetch a file on the same server and write its body straight into the response
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "a link to another file on same server"); // fixed URL, not user input
curl_setopt($ch, CURLOPT_HEADER, 0); // leave the response headers out of the output
curl_exec($ch);                       // without CURLOPT_RETURNTRANSFER the body is echoed directly
curl_close($ch);
?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: cURL Vulnerability?

Post by kaisellgren »

There's nothing wrong with the code. It's something else that opens the doors to attackers. I think some part of your application lacks proper input handling.
Mr. Larkins
Forum Newbie
Posts: 3
Joined: Wed Jul 08, 2009 1:23 pm

Re: cURL Vulnerability?

Post by Mr. Larkins »

OK, thanks.
SvanteH
Forum Commoner
Posts: 50
Joined: Wed Jul 08, 2009 12:25 am

Re: cURL Vulnerability?

Post by SvanteH »

As kaisellgren said, only *.php pages with input from the user may be the source of an attack like that. (correct me if I am wrong)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: cURL Vulnerability?

Post by kaisellgren »

That's usually the case.
Mr. Larkins
Forum Newbie
Posts: 3
Joined: Wed Jul 08, 2009 1:23 pm

Re: cURL Vulnerability?

Post by Mr. Larkins »

My forums are the only webpages with user input... and I've upgraded those to the latest version. Thanks for the info.