my site is 90% visual content (text, img), there's only a php registration script to a mysql db
i want to know if a website can be hacked through the visual content
i also want to know if putting direct link downloads is secure, example here www.neoxco.com/download.php
if you want to take a look at my site www.neoxco.com
thank you for reading
The weak points in your site will be the registration page and the forums, but the downloadable application could be used to attack your database - it depends on whether the account information is held in the same database or mirrored to a different one. It would be possible for someone to disassemble your application and/or packet-sniff connections being made from the application to your server to learn what it's doing, so that might be worth looking at. However, assume that most script kiddies are lazy in the first instance and will go for a "quick win".
Here is some information about your server that took me 10 seconds to find out:
Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.16 mod_wsgi/3.3 Python/2.7.2 X-Powered-By: PHP/5.3.16
Anyway, the experts on this forum will be able to advise further
i should improve the register page code, and remove the .exe downloads. what if you turned them to .rar?
However the Server Status can also be a problem because it has MySql access too
about the forum, what can i do?
and to sum up, are you saying that it is impossible to hack a pure visual content site? where there is no access to anything. no db, no files, only imgs.
Thank you, btw, hey don't hack, i came here to avoid that lol
Take a look at .htaccess for your site;
mecha_godzilla wrote: hackers seem to consistently target specific applications
^ good point so make sure that you keep the software you are using up to date and check for any security issues there might be surrounding the specific application.
The weaker parts (imo) of the forum will be where a user can enter data (make posts, comments) and the query strings (data passed in the URL). Double check all data received from the query string and escape all input (mysqli_real_escape_string() or mysql_real_escape_string()) depending on your code.
SohaibTheGame wrote: and to sum up, are you saying that it is impossible to hack a pure visual content site? where there is no access to anything. no db, no files, only imgs.
try to avoid thinking in terms of 'impossible' when talking about hacking; remember that your application might not be the weak spot in the security chain, it could be an exploit used on the server that houses your code, something that isn't in your control. A pure visual content site might limit the amount of attackers drawn to it but sometimes attackers will test your site just to see if it can be broken, regardless of content.
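To illustrate the escaping advice above for a PHP/mysqli registration script like the poster's, here is an added example (not code from the thread or from the poster's site). It assumes a `users` table with `username`, `email` and `pass_hash` columns, placeholder DB credentials, and PHP 5.5 or newer for password_hash(); the prepared-statement version at the end is the safer habit and is my addition, not something the post recommends.

```php
<?php
// Added example: minimal registration handler. Table/column names and
// credentials are assumptions, not taken from the site under discussion.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');   // placeholder credentials
if ($db->connect_error) { die('DB connection failed'); }
$db->set_charset('utf8mb4');   // real_escape_string() is only correct for the connection's charset

// 1. Never trust $_GET/$_POST (the "query string" the post refers to):
//    check the shape of every field before it gets anywhere near SQL.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$email    = isset($_POST['email'])    ? $_POST['email']    : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) { die('bad username'); }
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false)  { die('bad email'); }
if (strlen($password) < 8)                                 { die('password too short'); }

$hash = password_hash($password, PASSWORD_DEFAULT);   // store a hash, never the password itself

// 2a. What the post suggests: escape each value before interpolating it.
//     This only protects values that sit inside single quotes in the SQL;
//     an unquoted value such as  WHERE id = $id  is still injectable.
$u = $db->real_escape_string($username);
$e = $db->real_escape_string($email);
$h = $db->real_escape_string($hash);
$sql = "INSERT INTO users (username, email, pass_hash) VALUES ('$u', '$e', '$h')";
if (!$db->query($sql)) { die('insert failed'); }

// 2b. Preferable: a prepared statement keeps data and SQL separate, so there
//     is no escaping step to forget and no quoting rule to get wrong.
$stmt = $db->prepare('INSERT INTO users (username, email, pass_hash) VALUES (?, ?, ?)');
$stmt->bind_param('sss', $username, $email, $hash);
if (!$stmt->execute()) { die('insert failed'); }
$stmt->close();
```

Only one of 2a or 2b would be used in a real script; both are shown so the difference is visible side by side.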
Just to add to what social_experiment has said (all good advice, btw) the problem is *not necessarily* the site itself, but the way that you've set the server up. Sorry if you thought that I might be hacking your server, but all this information is freely available. The information I got told me what software stack you are using and the file path to it on your server - these are things that are easy to hide with a correctly configured php.ini file. The information about Apache/PHP versions is also easy to hide with a correctly configured httpd.conf file. I was also able to access the set-up page for one of the web applications installed on your server - I knew about this one because I have the same version of that particular application and (by default) it's not properly secured. If you need any advice in this respect please feel free to PM me and I'd be happy to offer some suggestions.
There's no reason why offering an ".exe" file for download is inherently more secure or insecure than offering (say) a ".rar" file, and the best way to make sure your forum software is secure is by regularly updating it. You still see a lot of sites out there running very, very old versions of WordPress, osCommerce or Joomla and these are all viable targets for entry-level hackers - there are lots of hacking forums out there where these kind of exploits can be found and it doesn't exactly take long to Gxxgle(tm) "joomla 1.5 exploit" or whatever it is that they're looking for.