
Stress From Outsourced Work

Posted: Thu May 03, 2012 12:50 pm
by dcblair
Hi all. I think I need some serious help. I went on one of those freelance sites and got someone to build a site for me. I spent hundreds of dollars for the site. After I got it, I decided to use w3af to scan my site to see if it was vulnerable to anything. Lo and behold, it was vulnerable to XSS, XSRF, REDOS. I identified three (3) PHP files which had these issues. What can I do to remove these vulnerabilities? If so, can someone please show me how? I have included the code in one of these files in hopes that it can be fixed. Thanks.


<?php include "include/top_header.php"; ?>

<div class="middlePartArea">
                	<div class="middleLeftPart">
                      
                     <?php /*?> <?php include "include/banner.php"; ?><?php */?>
                        <div class="middleNavigationPart"> 
                        <?php 
						if(isset($com_msg) && $com_msg == 'Thanks! for registration'){
						?>
                        <div style="color:#5d9b0d; font:bold 13px/22px Arial, Helvetica, sans-serif;">
							<?php echo isset($com_msg) ? $com_msg : '';?> </div>
                        <?php /*?><?php if(isset($_REQUEST['applysubmit']) && $_REQUEST['applysubmit'] == 'submit'){?> <?php */?>
                         <?php }else{?>
                        	<div style="color:#FF0000; font:bold 13px/22px Arial, Helvetica, sans-serif;">
							<?php echo isset($com_msg) ? $com_msg : '';?> </div>  
                            <?php }?>   
							<form action="comregins.php" method="post" enctype="multipart/form-data" onSubmit="return com_valid();">
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Company Name:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_name" id="com_name" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt">Image:</div>
                                <div class="secformAreaFeild"><input name="com_image" type="file" id="image" size="33">
                               </div>
                             </div>
                            
                              <div class="secformArea">
                             	<div class="secformAreaTxt">Website Address:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_website" id="com_website" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                              <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Category:</div>
                               <?php
							    $cat_sql = 'select * from baby_categories';
								$cat_query = mysql_query($cat_sql);
								?>
                                <div class="secformAreaFeild">
                                <select name="com_cat" id="com_cat" class="secformAreaTxtlistvalue">
                                <option value="">Select Caretype</option>
                                 <?php while($cat_rows = mysql_fetch_array($cat_query)){?>
                                <option value="<?php echo $cat_rows['cat_id'];?>"><?php echo $cat_rows['cat_name'];?></option>
                                <?php }?>
                                </select>
                                </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt">Sub Category:</div>
                                <div class="secformAreaFeild" id="com_subCatList">
                                
                                </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Rate Type:</div>
                                <div class="secformAreaFeild">
                                			<select name="com_ratetype" id="com_ratetype" class="secformAreaTxtlistvalue">
                             				<option value="">Select Type</option>
                                            <option value="hours">Hours</option>
                                            <option value="daily">Daily</option>
                                            <option value="weekly">Weekly</option>
                                            <option value="monthly">Monthly</option>
                                            <option value="yearly">Yearly</option>
                                            </select>
                               </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>Rate Amount:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_rateamount" id="com_rateamount" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt">Year of Experience:</div>
                                <div class="secformAreaFeild"><input type="text" name="com_exp" id="com_exp" class="secformAreaFeildtxtValue" ></div>
                             </div>
                             
                             <div class="secformArea">
                             <div class="secformAreaTxt">Establish Date:</div>
                             	<div class="secformAreaFeild">
                                <select name="dob_year" id="dob_year" class="liDateValue list3" style="margin:0 13px 0 0;">
                                <option value="">Year</option>
                                <?php 
                                for($i=2014;$i>=1950;$i--){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $i;?></option>
                                <?php }?>
                                </select>
                                <select name="dob_month" id="dob_month" class="liDateValue list3" style="margin:0 13px 0 0;">
                                <option value="">Month</option>
                                <?php 
                                $month = array('January','February','March','April','May','June','July','August','September','October','November','December');
                                $i = 1;
                                foreach($month as $val){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $val;?></option>
                                <?php 
                                $i++;
                                }?>
                                </select>
                                <select name="dob_date" id="dob_date" class="liDateValue list3">
                                <option value="">Date</option>
                                <?php 
                                for($i=1;$i<=31;$i++){
                                ?>
                                <option value="<?php echo $i;?>"><?php echo $i;?></option>
                                <?php }?>
                                </select>
                                </div>
                             </div>
                             
                             <div class="secformArea">
                             	<div class="secformAreaTxt"><span style="color:#FF0000;">*</span>About Company:</div>
                                <div class="secformAreaFeild"><textarea name="com_aboutyourself" id="com_aboutyourself" class="secformAreaTxtAreavalue"></textarea></div>
                             </div>
                             
                             
                             <input type="hidden" name="com_uname" value="<?php echo $_REQUEST['com_uname'];?>">
                             <input type="hidden" name="com_pwd" value="<?php echo $_REQUEST['com_pwd'];?>">
                             <input type="hidden" name="com_email" value="<?php echo $_REQUEST['com_email'];?>">
                  			 <input type="hidden" name="com_contact" value="<?php echo $_REQUEST['com_contact'];?>">
 							 <input type="hidden" name="com_street" value="<?php echo $_REQUEST['com_street'];?>">
                             <input type="hidden" name="com_parish_name" value="<?php echo $_REQUEST['com_parish_name'];?>">
                            							
                             <div class="sbtninform">
                               <input type="submit" name="comregsubmit" value="Submit" class="sbtninformValue" >
                             </div>
                             </form>    
							<?php /*?><?php }else{
							echo 'Premilinary Registration is Required!';
							}?><?php */?>
                        </div>
                    </div>
                    <?php include "include/google_panel.php"; ?> 
                </div>
            </div>
        </div>
		<div class="bottomInnerPartBg"></div> 
	</div>
   
   <div id="fundotransparente3"></div>
<div id="website3" style="z-index:99; position:fixed; *position:absolute; width:370px; display:none; background:#FFCC00; border:3px solid #000;">
    <div class="login-panel2">
     <div id="message" class="inputBox1"></div>
        <form action="" method="post" class="login-form2">
            <h2>Profile Info</h2>
            <div><?php echo $family_row['family_email'];?></div>
            <div><input name="fam_contact" id="fam_contact" type="text" value="<?php echo $family_row['family_contactno'];?>" class="login-input"  onblur="if(this.value=='') this.value='Contact No'" onfocus="if(this.value=='password') this.value=''"/></div>
            <div><input name="fam_fname" id="fam_fname" type="text" value="<?php echo $family_row['family_fname'];?>" class="login-input"  onblur="if(this.value=='') this.value='FirstName'" onfocus="if(this.value=='FirstName') this.value=''"  /></div>
            <div><input name="fam_lname" id="fam_lname" type="text" value="<?php echo $family_row['family_lname'];?>" class="login-input"  onblur="if(this.value=='') this.value='LastName'" onfocus="if(this.value=='LastName') this.value=''"  /></div>
            <div><input name="fam_streetname" id="fam_streetname" type="text" value="<?php echo $family_row['family_streetname'];?>" class="login-input"  onblur="if(this.value=='') this.value='StreetName'" onfocus="if(this.value=='StreetName') this.value=''"  /></div>
            <div><input name="fam_parish" id="fam_parish" type="text" value="<?php echo $family_row['family_parish'];?>" class="login-input"  onblur="if(this.value=='') this.value='ParishName'" onfocus="if(this.value=='ParishName') this.value=''"  /></div>
            <div><input name="fam_number" id="fam_number" type="text" value="<?php echo $family_row['family_number'];?>" class="login-input"  onblur="if(this.value=='') this.value='Children Number'" onfocus="if(this.value=='Phone Number') this.value=''"  /></div>
            <input type="hidden" name="familyid" id="familyid" value="<?php echo $family_row['family_id'];?>">
            <div><input name="editfamilysubmit" type="submit" value="Submit" class="login-button" /> 
            </div>
        </form>
    </div>
<img src="images/close.png" border="0" style=" display: inline; z-index: 3200; position: absolute; top:10px; left:10px; cursor: pointer;">
</div>
 
 <div id="website4" style="z-index:99; position:fixed; *position:absolute; width:370px; display:none; background:#FFCC00; border:3px solid #000;">
    <div class="login-panel2">
    <div id="message" class="inputBox1"></div>
        <form action="" method="post" class="login-form2">
            <h2>Profile Info</h2>
            
            <div><input name="Sit_fname" id="Sit_fname" type="text" value="<?php echo $sitter_row['sitter_fname'];?>" class="login-input"  onblur="if(this.value=='') this.value='FirstName'" onfocus="if(this.value=='FirstName') this.value=''"  /></div>
            <div><input name="sit_lname" id="sit_lname" type="text" value="<?php echo $sitter_row['sitter_lname'];?>" class="login-input"  onblur="if(this.value=='') this.value='LastName'" onfocus="if(this.value=='LastName') this.value=''"  /></div>
            <div><?php echo $sitter_row['sitter_email'];?></div>
            <div><input name="sit_street" id="sit_street" type="text" value="<?php echo $sitter_row['sitter_streetname'];?>" class="login-input"  onblur="if(this.value=='') this.value='StreetName'" onfocus="if(this.value=='StreetName') this.value=''"  /></div>
            <div><input name="sit_city" id="sit_city" type="text" value="<?php echo $sitter_row['sitter_city'];?>" class="login-input"  onblur="if(this.value=='') this.value='City'" onfocus="if(this.value=='City') this.value=''"/></div>
            <div><input name="sit_phno" id="sit_phno" type="text" value="<?php echo $sitter_row['sitter_contactno'];?>" class="login-input"  onblur="if(this.value=='') this.value='Phone Number'" onfocus="if(this.value=='Phone Number') this.value=''"  /></div>
            <div><input name="sit_exp" id="sit_exp" type="text" value="<?php echo $sitter_row['sitter_exp'];?>" class="login-input"  onblur="if(this.value=='') this.value='Experience'" onfocus="if(this.value=='Experience') this.value=''"  /></div>
            <div><input name="sit_certf" id="sit_certf" type="text" value="<?php echo $sitter_row['sitter_certification'];?>" class="login-input"  onblur="if(this.value=='') this.value='Certification'" onfocus="if(this.value=='Certification') this.value=''"  /></div>
            <div><input name="sit_qualf" id="sit_qualf" type="text" value="<?php echo $sitter_row['sitter_qualification'];?>" class="login-input"  onblur="if(this.value=='') this.value='Qualification'" onfocus="if(this.value=='Qualification') this.value=''"  /></div>
            <div><input name="sit_lang" id="sit_lang" type="text" value="<?php echo $sitter_row['sitter_language'];?>" class="login-input"  onblur="if(this.value=='') this.value='Language Known'" onfocus="if(this.value=='Language Known') this.value=''"  /></div>
            <div><input name="sit_rate" id="sit_rate" type="text" value="<?php echo $sitter_row['sitter_rate'];?>" class="login-input"  onblur="if(this.value=='') this.value='Rate'" onfocus="if(this.value=='Rate') this.value=''"  /></div>
            <div><select name="sit_cat" id="sit_cat">
            	<option value="">select category</option>
                <?php while($cat_rows=mysql_fetch_array($cat_query)){ ?>
        <option value="<?php echo $cat_rows['cat_id']; ?>" <?php if($cat_rows['cat_id']==$sitter_row['cat_id']){ echo "selected"; }else{} ?>><?php echo $cat_rows['cat_name']; ?></option>
        <?php } ?>
            	</select></div>
            <div><input name="sit_parish" id="sit_parish" type="text" value="<?php echo $sitter_row['sitter_parish'];?>" class="login-input"  onblur="if(this.value=='') this.value='ParishName'" onfocus="if(this.value=='ParishName') this.value=''"  /></div>
            <input type="hidden" name="sitterid" id="sitterid" value="<?php echo $sitter_row['sitter_id'];?>">
            <div><input name="editsittersubmit" type="submit" value="Submit" class="login-button" /> 
            </div>
        </form>
    </div>
<img src="images/close.png" border="0" style=" display: inline; z-index: 3200; position: absolute; top:10px; left:10px; cursor: pointer;">
</div>
 
 
<script type="text/javascript">
$(document).ready(function(){
	$('#com_cat').change(function(){
		var catID = $(this).val();
		var dataString = 'cate_id='+catID;
		//alert(dataString);
		$.ajax({
			type : 'GET',
			url  : 'comreg_ajax.php',
			dataType : 'html',
			data : dataString,
			success : function(data){
				$('#com_subCatList').html(data);
			}
		});
	});
});
</script>   
    
<?php include "include/footer.php"; ?>

Re: Stress From Outsourced Work

Posted: Thu May 03, 2012 1:42 pm
by Benjamin
Well one thing is for sure, you certainly got what you paid for.

Re: Stress From Outsourced Work

Posted: Thu May 03, 2012 2:27 pm
by dcblair
Trust me. I expected that with the amount of money spent it would have at least been more secure. The site looks good but it is just totally insecure.

Re: Stress From Outsourced Work

Posted: Thu May 03, 2012 3:24 pm
by pickle
That was his point. Spending *only* hundreds of dollars on a site doesn't get you much. It sounds (and is) like a lot of money, but for a good quality site (in design, functionality, and security) you need to spend thousands.

Back to your original question - we have no idea what those vulnerabilities are, or where they're located. Doing a full security audit & repair is something you should hire a company for.

Long story short - you're probably going to need to spend more money to get a secure site.

Re: Stress From Outsourced Work

Posted: Thu May 03, 2012 4:06 pm
by mikosiko
well... you can contact Mordred one of the security gurus around here... and see if you can workout something with him

you can PM him or visit his website http://www.logris.org/security/

Re: Stress From Outsourced Work

Posted: Thu May 03, 2012 4:12 pm
by dcblair
Thanks Pickle and Mikosiko

Re: Stress From Outsourced Work

Posted: Fri May 04, 2012 2:39 am
by Mordred
From the snippet shown here I can only extrapolate how bad things are elsewhere (as Benjamin said, you certainly got what you paid for): The code doesn't do much, so I can't comment on the database access for example, but it has multiple XSS with zero effort to protect against it so I guess it's that bad elsewhere as well.

What you should have done is demand a "guarantee" for the code security (every freelancer will happily announce he writes fast and secure code, let them live up to it) and then hire a security consultant and delay payment until all security problems are cleared. What would you say are your minimum security goals for the site?
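As an added illustration of the XSS and XSRF findings the original post reports and the "zero effort to protect against it" that Mordred points out, the following is example code written for this thread, not code from the posted file or from the freelancer's site. It takes the hidden-field block of the posted form (the six `$_REQUEST` values echoed raw into `value="..."` attributes, and the category `<select>` filled from the database) and shows the same markup with output escaping and a per-session CSRF token. It assumes PHP 7.1 or later and that nothing has been sent to the browser before the script runs; the `$categories` rows are constructed sample data standing in for the `baby_categories` query result, and the helper names `e()`, `csrf_token()` and `csrf_check()` are this example's own.

```php
<?php
// Added example, not code from the original post or from the freelancer's site.
// Shows the hidden-field section of the posted form with output escaping and a
// CSRF token. Assumes PHP >= 7.1 and that nothing has been sent to the browser
// before this file runs (session_start() must precede any output).
declare(strict_types=1);

/**
 * Escape a value for an HTML element body or a quoted attribute.
 * ENT_QUOTES matters here: the template writes values into value="..."
 * attributes, and an escape that left " alone would still let input break out.
 */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Return this session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * To be called by the form handler (comregins.php in the thread) before it
 * reads anything else from $_POST. hash_equals() is a constant-time compare.
 */
function csrf_check(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Fetch the token here, while headers can still be sent.
$token = csrf_token();

// The posted file re-emits six request values unescaped, e.g.
//   <input type="hidden" name="com_uname" value="<?php echo $_REQUEST['com_uname']; ...
// A request carrying com_uname="><script>alert(document.cookie)</script> closes
// the attribute and runs script. Two changes: read only the fields the form
// needs, and only from $_POST ($_REQUEST also accepts GET and cookie values, so
// the original page could be pre-filled from a crafted link); then escape on output.
$carry = [];
foreach (['com_uname', 'com_pwd', 'com_email', 'com_contact', 'com_street', 'com_parish_name'] as $f) {
    $carry[$f] = (isset($_POST[$f]) && is_string($_POST[$f])) ? $_POST[$f] : '';
}

// Constructed sample rows standing in for the baby_categories query result.
// Database-sourced text gets the same escaping: another user may have written
// it, which is the stored-XSS case.
$categories = [
    ['cat_id' => 1, 'cat_name' => 'Nanny'],
    ['cat_id' => 2, 'cat_name' => 'Day care <script>alert(1)</script>'],
];
?>
<form action="comregins.php" method="post" enctype="multipart/form-data">
  <input type="hidden" name="csrf_token" value="<?= e($token); ?>">
  <?php foreach ($carry as $name => $value): ?>
  <input type="hidden" name="<?= e($name); ?>" value="<?= e($value); ?>">
  <?php endforeach; ?>
  <select name="com_cat" id="com_cat">
    <option value="">Select Caretype</option>
    <?php foreach ($categories as $row): ?>
    <option value="<?= e($row['cat_id']); ?>"><?= e($row['cat_name']); ?></option>
    <?php endforeach; ?>
  </select>
  <input type="submit" name="comregsubmit" value="Submit">
</form>
```

The rule the example applies is simple: every dynamic value, whether it came from the request or from a database row, goes through `e()` at the point it is written into HTML, and `comregins.php` calls `csrf_check()` before it reads the rest of `$_POST`. Two caveats the example does not address: the `onSubmit="return com_valid();"` check on the posted form runs in the browser and is not a security control, since a client can submit the form without it; and carrying `com_pwd` through a hidden field round-trips the user's password through page HTML, which escaping makes safe against XSS but does not make a good design. The `mysql_*` functions the template uses were deprecated in PHP 5.5 and removed in PHP 7; the file shown issues no query with user input in it, so nothing can be said here about injection, but any rewrite should move to mysqli or PDO with prepared statements.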

Re: Stress From Outsourced Work

Posted: Fri May 04, 2012 9:30 am
by x_mutatis_mutandis_x
Also, next time when you hire a freelancer, make sure you interview him/her: whether he/she has used OOP methodologies/frameworks before, whether he/she is aware of form validation, SQL injection, XSS vulnerabilities, magic quotes etc., and how he/she would develop/debug the code to make sure proper security measures are taken; whether they have done any unit testing and have any test cases properly documented for you to verify. And I agree with Mordred, do not pay them until their work is satisfactory to your standards (remember you are the boss here).

Re: Stress From Outsourced Work

Posted: Fri May 04, 2012 4:10 pm
by dcblair
Yea, I certainly learnt from this mistake. I foolishly paid the guy already :oops: and he claims he does not know how to make it any more secure and was even looking to me for advice on how to make it secure :crazy:

I certainly got what I paid for. Hopefully, I can get these issues sorted out before I take it live.