Stress From Outsourced Work

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

dcblair
Forum Newbie
Posts: 4
Joined: Thu May 03, 2012 12:45 pm

Stress From Outsourced Work

Post by dcblair »

Hi all. I think I need some serious help. I went on one of those freelance sites and got someone to build a site for me. I spent hundreds of dollars for the site. After I got it, I decided to use w3af to scan my site to see if it was vulnerable to anything. Lo and behold, it was vulnerable to XSS, XSRF, ReDoS. I identified three (3) PHP files which had these issues. What can I do to remove these vulnerabilities? If so, can someone please show me how? I have included the code in one of these files in hopes that it can be fixed. Thanks.


<?php include "include/top_header.php"; ?>

<div class="middlePartArea">
                	<div class="middleLeftPart">
                      
                     <?php /*?> <?php include "include/banner.php"; ?><?php */?>
                        <div class="middleNavigationPart"> 
                        <?php 
						if(isset($com_msg) && $com_msg == 'Thanks! for registration'){
						?>
                        <div style="color:#5d9b0d; font:bold 13px/22px Arial, Helvetica, sans-serif;">
							<?php echo isset($com_msg) ? $com_msg : '';?> </div>
                        <?php /*?><?php if(isset($_REQUEST['applysubmit']) && $_REQUEST['applysubmit'] == 'submit'){?> <?php */?>
                         <?php }else{?>
                        	<div style="color:#FF0000; font:bold 13px/22px Arial, Helvetica, sans-serif;">
							<?php echo isset($com_msg) ? $com_msg : '';?> </div>  
                            <?php }?>   
							<form action="comregins.php" method="post" enctype="multipart/form-data" onSubmit="return com_valid();">
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Company Name:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_name" id="com_name" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt">Image:</div>
                                <div class="secformAreaFeild"><input name="com_image" type="file" id="image" size="33">
                               </div>
                             </div>
                            
                              <div class="secformArea">
                             	<div class="secformAreaTxt">Website Address:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_website" id="com_website" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                              <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Category:</div>
                               <?php
							    $cat_sql = 'select * from baby_categories';
								$cat_query = mysql_query($cat_sql);
								?>
                                <div class="secformAreaFeild">
                                <select name="com_cat" id="com_cat" class="secformAreaTxtlistvalue">
                                <option value="">Select Caretype</option>
                                 <?php while($cat_rows = mysql_fetch_array($cat_query)){?>
                                <option value="<?php echo $cat_rows['cat_id'];?>"><?php echo $cat_rows['cat_name'];?></option>
                                <?php }?>
                                </select>
                                </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt">Sub Category:</div>
                                <div class="secformAreaFeild" id="com_subCatList">
                                
                                </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Rate Type:</div>
                                <div class="secformAreaFeild">
                                			<select name="com_ratetype" id="com_ratetype" class="secformAreaTxtlistvalue">
                             				<option value="">Select Type</option>
                                            <option value="hours">Hours</option>
                                            <option value="daily">Daily</option>
                                            <option value="weekly">Weekly</option>
                                            <option value="monthly">Monthly</option>
                                            <option value="yearly">Yearly</option>
                                            </select>
                               </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Rate Amount:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_rateamount" id="com_rateamount" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt">Year of Experience:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_exp" id="com_exp" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             <div class="secformAreaTxt">Establish Date:</div>
                             	<div class="secformAreaFeild">
                                <select name="dob_year" id="dob_year" class="liDateValue list3" style="margin:0 13px 0 0;">
                                <option value="">Year</option>
                                <?php 
                                for($i=2014;$i>=1950;$i--){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $i;?></option>
                                <?php }?>
                                </select>
                                <select name="dob_month" id="dob_month" class="liDateValue list3" style="margin:0 13px 0 0;">
                                <option value="">Month</option>
                                <?php 
                                $month = array('January','February','March','April','May','June','July','August','September','October','November','December');
                                $i = 1;
                                foreach($month as $val){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $val;?></option>
                                <?php 
                                $i++;
                                }?>
                                </select>
                                <select name="dob_date" id="dob_date" class="liDateValue list3">
                                <option value="">Date</option>
                                <?php 
                                for($i=1;$i<=31;$i++){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $i;?></option>
                                <?php }?>
                                </select>
                                </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>About Company:</div>
                                <div class="secformAreaFeild"><textarea name="com_aboutyourself" id="com_aboutyourself" class="secformAreaTxtAreavalue"></textarea></div>
                             </div>
                             
                             
                             <input type="hidden" name="com_uname" value="<?php echo $_REQUEST['com_uname'];?>">
                             <input type="hidden" name="com_pwd" value="<?php echo $_REQUEST['com_pwd'];?>">
                             <input type="hidden" name="com_email" value="<?php echo $_REQUEST['com_email'];?>">
                  			 <input type="hidden" name="com_contact" value="<?php echo $_REQUEST['com_contact'];?>">
 							 <input type="hidden" name="com_street" value="<?php echo $_REQUEST['com_street'];?>">
                             <input type="hidden" name="com_parish_name" value="<?php echo $_REQUEST['com_parish_name'];?>">
                            							
                             <div class="sbtninform">
                               <input type="submit" name="comregsubmit" value="Submit" class="sbtninformValue" >
                             </div>
                             </form>    
							<?php /*?><?php }else{
							echo 'Preliminary Registration is Required!';
							}?><?php */?>
                        </div>
                    </div>
                    <?php include "include/google_panel.php"; ?> 
                </div>
            </div>
        </div>
		<div class="bottomInnerPartBg"></div> 
	</div>
   
   <div id="fundotransparente3"></div>
<div id="website3" style="z-index:99; position:fixed; *position:absolute; width:370px; display:none; background:#FFCC00; border:3px solid #000;">
    <div class="login-panel2">
     <div id="message" class="inputBox1"></div>
        <form action="" method="post" class="login-form2">
            <h2>Profile Info</h2>
            <div><?php echo $family_row['family_email'];?></div>
            <div><input name="fam_contact" id="fam_contact" type="text" value="<?php echo $family_row['family_contactno'];?>" class="login-input"  onblur="if(this.value=='') this.value='Contact No'" onfocus="if(this.value=='Contact No') this.value=''"/></div>
            <div><input name="fam_fname" id="fam_fname" type="text" value="<?php echo $family_row['family_fname'];?>" class="login-input"  onblur="if(this.value=='') this.value='FirstName'" onfocus="if(this.value=='FirstName') this.value=''"  /></div>
            <div><input name="fam_lname" id="fam_lname" type="text" value="<?php echo $family_row['family_lname'];?>" class="login-input"  onblur="if(this.value=='') this.value='LastName'" onfocus="if(this.value=='LastName') this.value=''"  /></div>
            <div><input name="fam_streetname" id="fam_streetname" type="text" value="<?php echo $family_row['family_streetname'];?>" class="login-input"  onblur="if(this.value=='') this.value='StreetName'" onfocus="if(this.value=='StreetName') this.value=''"  /></div>
            <div><input name="fam_parish" id="fam_parish" type="text" value="<?php echo $family_row['family_parish'];?>" class="login-input"  onblur="if(this.value=='') this.value='ParishName'" onfocus="if(this.value=='ParishName') this.value=''"  /></div>
            <div><input name="fam_number" id="fam_number" type="text" value="<?php echo $family_row['family_number'];?>" class="login-input"  onblur="if(this.value=='') this.value='Children Number'" onfocus="if(this.value=='Children Number') this.value=''"  /></div>
            <input type="hidden" name="familyid" id="familyid" value="<?php echo $family_row['family_id'];?>">
            <div><input name="editfamilysubmit" type="submit" value="Submit" class="login-button" /> 
            </div>
        </form>
    </div>
<img src="images/close.png" border="0" style=" display: inline; z-index: 3200; position: absolute; top:10px; left:10px; cursor: pointer;">
</div>
 
 <div id="website4" style="z-index:99; position:fixed; *position:absolute; width:370px; display:none; background:#FFCC00; border:3px solid #000;">
    <div class="login-panel2">
    <div id="message" class="inputBox1"></div>
        <form action="" method="post" class="login-form2">
            <h2>Profile Info</h2>
            
            <div><input name="Sit_fname" id="Sit_fname" type="text" value="<?php echo $sitter_row['sitter_fname'];?>" class="login-input"  onblur="if(this.value=='') this.value='FirstName'" onfocus="if(this.value=='FirstName') this.value=''"  /></div>
            <div><input name="sit_lname" id="sit_lname" type="text" value="<?php echo $sitter_row['sitter_lname'];?>" class="login-input"  onblur="if(this.value=='') this.value='LastName'" onfocus="if(this.value=='LastName') this.value=''"  /></div>
            <div><?php echo $sitter_row['sitter_email'];?></div>
            <div><input name="sit_street" id="sit_street" type="text" value="<?php echo $sitter_row['sitter_streetname'];?>" class="login-input"  onblur="if(this.value=='') this.value='StreetName'" onfocus="if(this.value=='StreetName') this.value=''"  /></div>
            <div><input name="sit_city" id="sit_city" type="text" value="<?php echo $sitter_row['sitter_city'];?>" class="login-input"  onblur="if(this.value=='') this.value='City'" onfocus="if(this.value=='City') this.value=''"/></div>
            <div><input name="sit_phno" id="sit_phno" type="text" value="<?php echo $sitter_row['sitter_contactno'];?>" class="login-input"  onblur="if(this.value=='') this.value='Phone Number'" onfocus="if(this.value=='Phone Number') this.value=''"  /></div>
            <div><input name="sit_exp" id="sit_exp" type="text" value="<?php echo $sitter_row['sitter_exp'];?>" class="login-input"  onblur="if(this.value=='') this.value='Experience'" onfocus="if(this.value=='Experience') this.value=''"  /></div>
            <div><input name="sit_certf" id="sit_certf" type="text" value="<?php echo $sitter_row['sitter_certification'];?>" class="login-input"  onblur="if(this.value=='') this.value='Certification'" onfocus="if(this.value=='Certification') this.value=''"  /></div>
            <div><input name="sit_qualf" id="sit_qualf" type="text" value="<?php echo $sitter_row['sitter_qualification'];?>" class="login-input"  onblur="if(this.value=='') this.value='Qualification'" onfocus="if(this.value=='Qualification') this.value=''"  /></div>
            <div><input name="sit_lang" id="sit_lang" type="text" value="<?php echo $sitter_row['sitter_language'];?>" class="login-input"  onblur="if(this.value=='') this.value='Language Known'" onfocus="if(this.value=='Language Known') this.value=''"  /></div>
            <div><input name="sit_rate" id="sit_rate" type="text" value="<?php echo $sitter_row['sitter_rate'];?>" class="login-input"  onblur="if(this.value=='') this.value='Rate'" onfocus="if(this.value=='Rate') this.value=''"  /></div>
            <div><select name="sit_cat" id="sit_cat">
            	<option value="">select category</option>
                <?php while($cat_rows=mysql_fetch_array($cat_query)){ ?>
        <option value="<?php echo $cat_rows['cat_id']; ?>" <?php if($cat_rows['cat_id']==$sitter_row['cat_id']){ echo "selected"; }else{} ?>><?php echo $cat_rows['cat_name']; ?></option>
        <?php } ?>
            	</select></div>
            <div><input name="sit_parish" id="sit_parish" type="text" value="<?php echo $sitter_row['sitter_parish'];?>" class="login-input"  onblur="if(this.value=='') this.value='ParishName'" onfocus="if(this.value=='ParishName') this.value=''"  /></div>
            <input type="hidden" name="sitterid" id="sitterid" value="<?php echo $sitter_row['sitter_id'];?>">
            <div><input name="editsittersubmit" type="submit" value="Submit" class="login-button" /> 
            </div>
        </form>
    </div>
<img src="images/close.png" border="0" style=" display: inline; z-index: 3200; position: absolute; top:10px; left:10px; cursor: pointer;">
</div>
 
 
<script type="text/javascript">
$(document).ready(function(){
	$('#com_cat').change(function(){
		var catID = $(this).val();
		var dataString = 'cate_id='+catID;
		//alert(dataString);
		$.ajax({
			type : 'GET',
			url  : 'comreg_ajax.php',
			dataType : 'html',
			data : dataString,
			success : function(data){
				$('#com_subCatList').html(data);
			}
		});
	});
});
</script>   
    
<?php include "include/footer.php"; ?>
Benjamin
Site Administrator
Posts: 6896
Joined: Sun May 19, 2002 10:24 pm

Re: Stress From Outsourced Work

Post by Benjamin »

Well one thing is for sure, you certainly got what you paid for.
dcblair
Forum Newbie
Posts: 4
Joined: Thu May 03, 2012 12:45 pm

Re: Stress From Outsourced Work

Post by dcblair »

Trust me. I expected that with the amount of money spent it would have at least been more secure. The site looks good but it is just totally insecure.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Stress From Outsourced Work

Post by pickle »

That was his point. Spending <i>only</i> hundreds of dollars on a site doesn't get you much. It sounds like (and is) a lot of money, but for a good quality (design, functionality, and security) site you need to spend thousands.

Back to your original question - we have no idea what those vulnerabilities are, or where they're located. Doing a full security audit & repair is something you should hire a company for.

Long story short - you're probably going to need to spend more money to get a secure site.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
mikosiko
Forum Regular
Posts: 757
Joined: Wed Jan 13, 2010 7:22 pm

Re: Stress From Outsourced Work

Post by mikosiko »

well... you can contact Mordred, one of the security gurus around here... and see if you can work out something with him

you can PM him or visit his website http://www.logris.org/security/
dcblair
Forum Newbie
Posts: 4
Joined: Thu May 03, 2012 12:45 pm

Re: Stress From Outsourced Work

Post by dcblair »

Thanks Pickle and Mikosiko
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Stress From Outsourced Work

Post by Mordred »

From the snippet shown here I can only extrapolate how bad things are elsewhere (as Benjamin said, you certainly got what you paid for): The code doesn't do much, so I can't comment on the database access for example, but it has multiple XSS with zero effort to protect against it so I guess it's that bad elsewhere as well.

What you should have done is demand a "guarantee" for the code security (every freelancer will happily announce he writes fast and secure code, let them live up to it) and then hire a security consultant and delay payment until all security problems are cleared. What would you say are your minimum security goals for the site?
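The XSS Mordred refers to is visible in the posted file itself: `$_REQUEST['com_uname']` and friends are echoed straight into hidden input attributes, and `cat_name` from the database is echoed straight into `<option>` text, both without escaping. The following is an added example, not code from the original post, the freelancer or any of the posters, showing the two fixes the posted form needs for the XSS and XSRF findings: escape every value for its HTML context, and bind the form to a per-session CSRF token that `comregins.php` verifies. It assumes PHP 7 or later (`random_bytes`, `hash_equals`, `??`) and that `session_start()` runs before any output; the function names `e`, `csrf_token`, `csrf_check`, `hidden_carry_over` and `category_options` are illustrative. The ReDoS finding cannot be addressed from this file, which contains no regular expression; it must live in one of the other two files the scanner flagged.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.0 and that
// session_start() has already run. Helper names are illustrative.

// Escape a value for an HTML body or attribute context. ENT_QUOTES also escapes
// the single quote, which matters inside attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string (which would silently blank
// a field); the charset must match the page's declared encoding.
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// One random token per session, created on first use and reused for every form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check of the submitted token. comregins.php should call this
// before reading any other field and reject the request when it returns false.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Carry the previous step's fields forward. Only a fixed list of names is
// accepted, values are read from $_POST rather than $_REQUEST (so a crafted
// link cannot pre-fill the form), and each value is escaped for the attribute.
function hidden_carry_over(array $post): string
{
    $carry = ['com_uname', 'com_pwd', 'com_email', 'com_contact', 'com_street', 'com_parish_name'];
    $html  = '';
    foreach ($carry as $name) {
        $value = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
        $html .= '<input type="hidden" name="' . e($name) . '" value="' . e($value) . '">' . "\n";
    }
    $html .= '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">' . "\n";
    return $html;
}

// Database rows are untrusted output too: a category name containing markup
// would otherwise become stored XSS for every visitor who loads the form.
function category_options(array $rows, string $selected = ''): string
{
    $html = '<option value="">Select Caretype</option>' . "\n";
    foreach ($rows as $row) {
        $sel   = ((string) $row['cat_id'] === $selected) ? ' selected' : '';
        $html .= '<option value="' . e($row['cat_id']) . '"' . $sel . '>' . e($row['cat_name']) . '</option>' . "\n";
    }
    return $html;
}

// Demonstration with constructed input standing in for what a scanner sends.
session_start();
$constructedPost = [
    'com_uname' => '"><script>alert(1)</script>',
    'com_email' => "o'neil@example.com",
];
$constructedRows = [
    ['cat_id' => 1, 'cat_name' => 'Nanny'],
    ['cat_id' => 2, 'cat_name' => '<img src=x onerror=alert(2)>'],
];
echo hidden_carry_over($constructedPost);
echo category_options($constructedRows, '1');
// The injected quote and angle brackets are emitted as &quot;&gt;&lt;script&gt;...
// and &lt;img ...&gt;, so neither value can break out of its attribute or element.
```

Two practical notes. Escaping has to happen at every echo, including the `$family_row` and `$sitter_row` values in the two profile pop-ups, not only where the scanner happened to trip; a quick grep for `<?php echo` lines that do not go through the escaping helper is the review. And carrying `com_pwd` through a hidden field puts the user's password into the rendered HTML of the second step; keeping the first step's data server side in the session between steps avoids that exposure entirely.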
x_mutatis_mutandis_x
Forum Contributor
Posts: 160
Joined: Tue Apr 17, 2012 12:57 pm

Re: Stress From Outsourced Work

Post by x_mutatis_mutandis_x »

Also, next time when you hire a freelancer make sure you interview him/her. If he/she has used OOP methodologies/frameworks before, if he/she is aware of form validations, SQL injections, XSS vulnerability, magic quotes etc. and how he/she would develop/debug the code to make sure proper security measures are taken, if they have done any unit testing, and have any test cases properly documented for you to verify. And I agree with Mordred, do not pay them until their work is satisfactory to your standards (remember you are the boss here).
dcblair
Forum Newbie
Posts: 4
Joined: Thu May 03, 2012 12:45 pm

Re: Stress From Outsourced Work

Post by dcblair »

Yea, I certainly learnt from this mistake. I foolishly paid the guy already :oops: and he claims he does not know how to make it any more secure and was even looking to me for advice on how to make it secure :crazy:

I certainly got what I paid for. Hopefully, I can get these issues sorted out before I take it live.