
Finding vulnerabilities in code?

Posted: Tue Jul 14, 2009 6:16 pm
by Mattachoo
My brother works for a company as a graphic designer. A few years ago, I helped him out with the website by doing the PHP for it so he could add new information dynamically using PHP instead of uploading a new HTML file via FTP (The site gets updated almost every day).
He got an email today from the host that a phishing site had been installed on the server. The page looked like a legit log-in screen for a bank, but it stole your information instead. He now needs to go back through and look at the code on the site to find the vulnerability that allowed this malicious user to place this malicious code on the site in the first place.

Now I made this site a while ago, and didn't know anything about security much then and don't know too much about it now either. So my question to you guys is, what should I look for? Where might this vulnerability be? Would it be only when I submit forms, or when a form has someone upload information from their harddrive to the server? What might these people have been able to exploit?

Keep in mind the malicious user was able to create a whole directory and upload these scripts to that directory. Any help pointing me in the right direction would be helpful. What to look for, how someone might do this, etc.

Thanks for the help.

Re: Finding vulnerabilities in code?

Posted: Wed Jul 15, 2009 4:46 pm
by Darhazer
If you are allowing a file upload, that's the first point to check. If a user can upload a single PHP / some CGI script, then he can do anything!

If you use eval() or you are including pages whose names are passed in the request (index.php?page=news), that's also a point you have to secure.

You have to check every line that deals with the database to ensure there is no SQL injection vulnerability, but probably this is not connected with the uploaded file (or do you store images in the database?) so this is the second stage.

You have to sanitize all output also to clear XSS vulnerabilities. But most important is to identify where file came from, so first check your file uploads.
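The two patterns Darhazer puts first, an upload handler that keeps the client's file name and an include() driven by a request parameter, written out vulnerable and hardened side by side. This is an added example, not code from the original thread or from Mattachoo's site; the directory layout, the page whitelist and the "images only" upload policy are assumptions for illustration, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example, not code from the original thread. Directory names,
// page names and the images-only policy are assumptions.

// ---- 1. Vulnerable upload handler ---------------------------------------
// The client picks the file name, so "shell.php" lands in a web-served
// directory and runs as PHP the next time anyone requests it. This is
// exactly how an attacker ends up with their own directory of scripts.
function upload_vulnerable(array $file): string
{
    $dest = __DIR__ . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// ---- 1b. Hardened upload handler ----------------------------------------
// The server chooses the name and the extension; the type comes from the
// file's bytes, not from $_FILES[...]['type'], which the client controls.
function upload_hardened(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        throw new RuntimeException('only JPEG/PNG/GIF images are accepted');
    }
    // A real GIF can still carry "<?php ... ?>" in its body, so the type
    // check alone is not enough: fix the extension, pick a random name, and
    // store outside the document root (assumed path) so the web server
    // never executes anything that was uploaded.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = dirname(__DIR__) . '/uploads_private/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// ---- 2. Vulnerable dynamic include (index.php?page=news) ----------------
// The request decides which file is include()d. With
//   index.php?page=../../uploads_private/<name>.gif%00
// an uploaded "image" containing PHP is executed; the appended ".php" gave
// no protection on PHP before 5.3.4 because the NUL byte cut the path off.
// Note that storing uploads outside the document root does not help here:
// include() reads any path the PHP process can open.
function render_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// ---- 2b. Hardened include: a whitelist lookup, never a path built from input
function render_hardened(string $page): void
{
    static $pages = ['home' => 'home.php', 'news' => 'news.php', 'contact' => 'contact.php'];
    if (!array_key_exists($page, $pages)) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include __DIR__ . '/pages/' . $pages[$page];
}

// Usage (assumed form field "photo" and query parameter "page"):
//   $stored = upload_hardened($_FILES['photo']);
//   render_hardened($_GET['page'] ?? 'home');
```

When auditing, grep the site for move_uploaded_file, include/require with a variable in the path, and eval; each hit should look like the hardened forms above, and the upload directory should be checked for anything that is not a plain image.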

Re: Finding vulnerabilities in code?

Posted: Thu Jul 16, 2009 1:27 am
by matthijs
What scripts do you have on his site? Have you used any third party scripts (like a form script or cms)? What scripts have you written yourself?

What Darhazer said. A single unfiltered/unescaped variable can be enough to allow a malicious person to do harm.

But you also have to consider the security of your own computer. It's also possible you got infected with a keylogger or something and your FTP credentials or server login details have been stolen.
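The "second stage" checks Darhazer lists (SQL injection, then escaping all output for XSS) and matthijs's point that one unfiltered variable is enough, shown on the kind of news-display script Mattachoo describes. This is an added example, not code from the thread or from the site in question; the table and column names and the use of mysqli in the vulnerable version and PDO in the hardened one are assumptions.

```php
<?php
// Added example, not code from the original thread. Table name "news" and
// its columns are assumptions.

// ---- Vulnerable: request data concatenated into SQL, rows echoed raw ----
function news_vulnerable(mysqli $db, string $id): void
{
    // id=1 OR 1=1 dumps every row; id=1 UNION SELECT ... reads other tables.
    $res = $db->query("SELECT title, body FROM news WHERE id = " . $id);
    while ($row = $res->fetch_assoc()) {
        // Anything stored in the database (or taken from the request) is
        // sent to the browser as HTML, so a stored <script> runs for every
        // visitor. One unescaped variable is enough.
        echo '<h2>' . $row['title'] . '</h2>' . $row['body'];
    }
}

// ---- Hardened: validated input, prepared statement, escaped output ------
function news_hardened(PDO $db, string $id): void
{
    if (!ctype_digit($id)) {
        http_response_code(400);
        return;
    }
    $stmt = $db->prepare('SELECT title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    foreach ($stmt as $row) {
        echo '<h2>' . e($row['title']) . '</h2><p>' . e($row['body']) . '</p>';
    }
}

// Escape for an HTML text context (between tags). Attribute values and
// JavaScript contexts need their own escaping; this helper is only correct
// for text nodes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage (assumed query parameter "id"):
//   $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', $user, $pass,
//                 [PDO::ATTR_EMULATE_PREPARES => false]);
//   news_hardened($db, $_GET['id'] ?? '');
```

The audit rule that follows from this: every query string must be a literal with placeholders, and every echo of a variable must go through the escaping helper for the context it lands in.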