PHP Developers Network
http://forums.devnetwork.net/

Is my site secure?
http://forums.devnetwork.net/viewtopic.php?f=34&t=137381
Page 1 of 1

Author:  SohaibTheGame [ Sun Feb 10, 2013 4:24 pm ]
Post subject:  Is my site secure?

Hello, I have a PHP site.

My site is 90% visual content (text, img); there's only a PHP registration script to a MySQL db.

I want to know if a website can be hacked through the visual content.
I also want to know if putting direct link downloads is secure, example here: www.neoxco.com/download.php

If you want to take a look at my site: www.neoxco.com

Thank you for reading.

Author:  mecha_godzilla [ Sun Feb 10, 2013 6:51 pm ]
Post subject:  Re: Is my site secure?

Hi,

The weak points in your site will be the registration page and the forums, but the downloadable application could be used to attack your database - it depends on whether the account information is held in the same database or mirrored to a different one. It would be possible for someone to disassemble your application and/or packet-sniff connections being made from the application to your server to learn what it's doing, so that might be worth looking at. However, assume that most script kiddies are lazy in the first instance and will go for a "quick win".

Here is some information about your server that took me 10 seconds to find out:

Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.16 mod_wsgi/3.3 Python/2.7.2
X-Powered-By: PHP/5.3.16
 


I could use that information to search for an exploit and/or use an open proxy if I wanted to be more thorough and test for specific vulnerabilities. From my limited experience of these things, hackers seem to consistently target specific applications - in fact, I just tried accessing a common one on your server and got some information about your filesystem layout and the version of that software that you're using.

Anyway, the experts on this forum will be able to advise further :)

HTH,

Mecha Godzilla

Author:  SohaibTheGame [ Mon Feb 11, 2013 1:45 am ]
Post subject:  Re: Is my site secure?

So from what you're saying,
I should improve the register page codes, and remove the .exe downloads. What if u turned them to .rar?

However, the Server Status can also be a problem because it has MySQL access too.

About the forum, what can I do?

And to sum up, are you saying that it is impossible to hack a pure visual content site? Where there is no access to anything. No db, no files, only imgs.

Thank you. Btw, hey, don't hack, I came here to avoid that lol

Author:  social_experiment [ Mon Feb 11, 2013 4:56 am ]
Post subject:  Re: Is my site secure?


Author:  mecha_godzilla [ Mon Feb 11, 2013 3:45 pm ]
Post subject:  Re: Is my site secure?

Hi again,

Just to add to what social_experiment has said (all good advice, btw) the problem is *not necessarily* the site itself, but the way that you've set the server up. Sorry if you thought that I might be hacking your server, but all this information is freely available :) The information I got told me what software stack you are using and the file path to it on your server - these are things that are easy to hide with a correctly configured php.ini file. The information about Apache/PHP versions is also easy to hide with a correctly configured httpd.conf file. I was also able to access the set-up page for one of the web applications installed on your server - I knew about this one because I have the same version of that particular application and (by default) it's not properly secured. If you need any advice in this respect please feel free to PM me and I'd be happy to offer some suggestions.

There's no reason why offering an ".exe" file for download is inherently more secure or insecure than offering (say) a ".rar" file, and the best way to make sure your forum software is secure is by regularly updating it. You still see a lot of sites out there running very, very old versions of WordPress, osCommerce or Joomla and these are all viable targets for entry-level hackers - there are lots of hacking forums out there where these kinds of exploits can be found and it doesn't exactly take long to Gxxgle(tm) "joomla 1.5 exploit" or whatever it is that they're looking for.

HTH,

M_G
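
Added example (not part of the original thread): a small check a site owner can run over their own response headers to see which ones disclose software versions and which setting controls each. The posts name only httpd.conf and php.ini; the directives shown (ServerTokens, ServerSignature, expose_php) are the standard Apache and PHP settings, and the function names are hypothetical.

```python
import re

# Constructed input: the response headers quoted earlier in this thread.
SAMPLE_HEADERS = """\
Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.16 mod_wsgi/3.3 Python/2.7.2
X-Powered-By: PHP/5.3.16
"""

# Header -> setting that controls it (standard Apache / PHP directives;
# the posts themselves name only the files, not the directives).
REMEDIATION = {
    "server": "httpd.conf: ServerTokens Prod (and ServerSignature Off)",
    "x-powered-by": "php.ini: expose_php = Off",
}

# product/version token, e.g. "PHP/5.3.16" or "OpenSSL/0.9.8t"
PRODUCT_VERSION = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.]*)")


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict with lower-cased names."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_disclosure(raw):
    """Return one finding per header that reveals software versions."""
    findings = []
    headers = parse_headers(raw)
    for name, fix in REMEDIATION.items():
        value = headers.get(name, "")
        versions = PRODUCT_VERSION.findall(value)
        platform = re.findall(r"\(([^)]+)\)", value)  # e.g. "(Win32)"
        if versions or platform:
            findings.append({"header": name, "versions": versions,
                             "platform": platform, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_disclosure(SAMPLE_HEADERS):
        leaked = ", ".join(f"{p} {v}" for p, v in f["versions"])
        print(f"{f['header']}: discloses {leaked} {f['platform']} -> {f['fix']}")
```

After the settings are changed and Apache is restarted, the same check over the new headers should return no findings.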

All times are UTC - 5 hours