PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: Is my site secure?
PostPosted: Sun Feb 10, 2013 4:24 pm 
Forum Newbie

Joined: Sun Feb 10, 2013 4:06 pm
Posts: 2
Hello, I have a PHP site.

My site is 90% visual content (text, img); there's only a PHP registration script to a MySQL db.

I want to know if a website can be hacked through the visual content.
I also want to know if putting direct link downloads is secure, for example here: www.neoxco.com/download.php

If you want to take a look at my site: www.neoxco.com

Thank you for reading


 
 Post subject: Re: Is my site secure?
PostPosted: Sun Feb 10, 2013 6:51 pm 
Forum Contributor

Joined: Wed Apr 14, 2010 4:45 pm
Posts: 375
Location: UK
Hi,

The weak points in your site will be the registration page and the forums, but the downloadable application could be used to attack your database - it depends on whether the account information is held in the same database or mirrored to a different one. It would be possible for someone to disassemble your application and/or packet-sniff connections being made from the application to your server to learn what it's doing, so that might be worth looking at. However, assume that most script kiddies are lazy in the first instance and will go for a "quick win".

Here is some information about your server that took me 10 seconds to find out:

Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.16 mod_wsgi/3.3 Python/2.7.2
X-Powered-By: PHP/5.3.16
 


I could use that information to search for an exploit and/or use an open proxy if I wanted to be more thorough and test for specific vulnerabilities. From my limited experience of these things, hackers seem to consistently target specific applications - in fact, I just tried accessing a common one on your server and got some information about your filesystem layout and the version of that software that you're using.

Anyway, the experts on this forum will be able to advise further :)

HTH,

Mecha Godzilla


 
 Post subject: Re: Is my site secure?
PostPosted: Mon Feb 11, 2013 1:45 am 
Forum Newbie

Joined: Sun Feb 10, 2013 4:06 pm
Posts: 2
So from what you're saying,
I should improve the register page codes, and remove the .exe downloads. What if u turned them to .rar?

However, the Server Status can also be a problem because it has MySQL access too.

About the forum, what can I do?

And to sum up, are you saying that it is impossible to hack a pure visual content site, where there is no access to anything? No db, no files, only imgs.

Thank you. Btw, hey, don't hack, I came here to avoid that lol


 
 Post subject: Re: Is my site secure?
PostPosted: Mon Feb 11, 2013 4:56 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


 
 Post subject: Re: Is my site secure?
PostPosted: Mon Feb 11, 2013 3:45 pm 
Forum Contributor

Joined: Wed Apr 14, 2010 4:45 pm
Posts: 375
Location: UK
Hi again,

Just to add to what social_experiment has said (all good advice, btw) the problem is *not necessarily* the site itself, but the way that you've set the server up. Sorry if you thought that I might be hacking your server, but all this information is freely available :) The information I got told me what software stack you are using and the file path to it on your server - these are things that are easy to hide with a correctly configured php.ini file. The information about Apache/PHP versions is also easy to hide with a correctly configured httpd.conf file. I was also able to access the set-up page for one of the web applications installed on your server - I knew about this one because I have the same version of that particular application and (by default) it's not properly secured. If you need any advice in this respect please feel free to PM me and I'd be happy to offer some suggestions.

There's no reason why offering an ".exe" file for download is inherently more secure or insecure than offering (say) a ".rar" file, and the best way to make sure your forum software is secure is by regularly updating it. You still see a lot of sites out there running very, very old versions of WordPress, osCommerce or Joomla and these are all viable targets for entry-level hackers - there are lots of hacking forums out there where these kinds of exploits can be found and it doesn't exactly take long to Gxxgle(tm) "joomla 1.5 exploit" or whatever it is that they're looking for.

HTH,

M_G
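
Added example (not part of the thread, and not code from any poster): a Python check a site owner can run over their own response headers to see which ones disclose product versions, paired with the Apache or PHP directive that controls each header. The sample input is the header pair quoted earlier in the thread; the function and variable names are made up for this example.

```python
import re

# Headers as quoted in the thread above (copied from the post, not fetched live).
SAMPLE_HEADERS = """\
Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.16 mod_wsgi/3.3 Python/2.7.2
X-Powered-By: PHP/5.3.16
"""

# Response header -> the setting that controls what it reveals.
REMEDIATION = {
    "server": "httpd.conf: ServerTokens Prod (plus ServerSignature Off for error pages)",
    "x-powered-by": "php.ini: expose_php = Off",
}

# A "Product/1.2.3" token; the product name must start with a letter.
PRODUCT_VERSION = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.]*)")


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return (header, product, version, fix) for every disclosed version."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name not in REMEDIATION:
            continue  # only the two banner headers are checked here
        for product, version in PRODUCT_VERSION.findall(value):
            findings.append((name, product, version, REMEDIATION[name]))
    return findings


if __name__ == "__main__":
    for header, product, version, fix in audit(SAMPLE_HEADERS):
        print(f"{header}: discloses {product} {version} -> {fix}")
```

With `ServerTokens Prod` and `expose_php = Off` in place, the Server header is reduced to `Apache`, X-Powered-By is no longer sent, and the audit returns no findings.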

