Securing My website even more than it is
Posted: Wed Sep 03, 2008 12:57 pm
by QuickSnail
Alrighty..
Let's start with what I'm working with..
I have user inputs. You must log in to post anything.
The user inputs are being filtered with this:
Code:
$fix1=str_ireplace("javascript", "-", $info);
$fix2=str_ireplace("mysql", "..", $fix1);
$fix3=str_ireplace("mysqli", "..", $fix2);
$fix4=str_ireplace("connect", "..", $fix3);
$fix5=str_ireplace("query", "..", $fix4);
$fix6=str_ireplace("[b]", "<b>", $fix5);
$fix6_1=str_ireplace("[/b]", "</b>", $fix6);
$fix7=str_ireplace("[i]", "<i>", $fix6_1);
$fix7_1=str_ireplace("[/i]", "</i>", $fix7);
$fix8=str_ireplace("[p]", "<p>", $fix7_1);
$fix8_1=str_ireplace("[/p]", "</p>", $fix8);
$fix9=str_ireplace("[break]", "<br />", $fix8_1);
$fix10=str_ireplace("$_session", "..", $fix9);
$fix11=str_ireplace("$user_id", "..", $fix10);
$fix12=str_ireplace("array (", "..", $fix11);
$fix13=str_ireplace("mail(", "..", $fix12);
$fix14=str_ireplace("$id", "..", $fix13);
$fix15=str_ireplace("submit", "..", $fix14);
$fix16=str_ireplace("<form", "..", $fix15);
$fix17=str_ireplace(".php", "..", $fix16);
$fix18=str_ireplace(".cfm", "..", $fix17);
$fix19=str_ireplace(".asp", "-", $fix18);
$fix20=str_ireplace("/?", "..", $fix19);
$final=$fix20;
I have a few things disabled in my php.ini:
disable_functions = fopen,popen,file,exec,rmdir,set_time_limit,filepro,filepro_retrieve,filepro_rowcount,highlight_file,system
I am storing users' IPs every time they log in; if it changes they must re-log in.
On log out I am using session_destroy(), not just setting the session details to nothing, aka unsetting them (unset $_session['*']).
What else do you suggest I do to secure my website?
I have tested PHP on the user input and it seems to NOT run the PHP but send the code to the browser hidden..? It's there, it just doesn't show, almost like it's in an HTML hidden input tag.
So I'm unsure how it's working that way, but I like it, haha...
But anyway.
Obviously the data is being stored within a Database.
That is MySQL 5.0.
Users have a profile so I am allowing CSS and some HTML.
Should I use HTML entities and list every HTML tag I am allowing, so it filters the others?
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 1:12 pm
by andyhoneycutt
I'm not entirely sure what the data is that you're filtering, or what system it belongs to. Generally I make sure to escape all data that any user enters and properly destroy sessions for security as far as the database goes as well as "permissions". You could take it a step further and write a custom session handler to store sessions in a database if you wish to rule out session hijacking.
-Andy
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 1:48 pm
by QuickSnail
Yes, I would like to rule out SID hijacking. What do you mean by a custom session handler? Storing SIDs with ID#s and IPs?
If all three do not match, re-log in?
Also, as far as making sure SIDs are properly destroyed, does session_destroy(); do that? Or should I add more to the process?
Some data will include ( " ' = - _ ` ~ > < ? ! @ # $ % ^ & * [A-Z][a-z][0-9].
So pretty much everything.. Ha..
I'm running everything on Windows XP.
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 1:51 pm
by andyhoneycutt
If you're on a shared-host set-up, rewriting your session handlers to dump to a database is considered another layer of security. The problem being that session data is stored in a more-or-less open to the world area on the machine.
I wouldn't worry about it if you're running on a stand-alone system that you admin.
I'm still curious as to what it is you're doing with all the i_replacing. What type of application are you building?
-Andy
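The "custom session handler" andyhoneycutt mentions, written out as an added example (not code from this thread): PHP's session_set_save_handler() lets the application store session data in its own database table instead of the default file-based session.save_path. It assumes PHP 5.6+, a mysqli connection with placeholder credentials, and a hypothetical `sessions` table whose schema is given in the comment.

```php
<?php
// Added example, not code from the thread: the database-backed session store
// andyhoneycutt suggests. Assumes PHP 5.6+ and a hypothetical table:
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL,
//                          last_seen INT UNSIGNED NOT NULL);
class DbSessionHandler implements SessionHandlerInterface
{
    private $db;
    public function __construct(mysqli $db) { $this->db = $db; }
    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    // Runs one statement with every value bound, so the session id (which
    // arrives in the client's cookie) never becomes part of the SQL text.
    private function run($sql, $types, array $args)
    {
        $stmt = $this->db->prepare($sql);
        $stmt->bind_param($types, ...$args);
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }
    // Returns the serialized session data, or '' when no session exists.
    public function read($id)
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->bind_param('s', $id);
        $stmt->execute();
        $stmt->store_result();          // so BLOB data is fetched in full
        $stmt->bind_result($data);
        $found = $stmt->fetch();
        $stmt->close();
        return $found ? $data : '';
    }
    public function write($id, $data)
    {
        return $this->run('REPLACE INTO sessions (id, data, last_seen) VALUES (?, ?, ?)',
                          'ssi', [$id, $data, time()]);
    }
    public function destroy($id)
    {
        return $this->run('DELETE FROM sessions WHERE id = ?', 's', [$id]);
    }
    // Called by PHP's session garbage collector with session.gc_maxlifetime.
    public function gc($maxlifetime)
    {
        return $this->run('DELETE FROM sessions WHERE last_seen < ?', 'i', [time() - $maxlifetime]);
    }
}
// Placeholder credentials; register the handler before session_start().
session_set_save_handler(new DbSessionHandler(new mysqli('localhost', 'app_user', 'app_password', 'app_db')), true);
session_start();
```

Because every session id is bound rather than concatenated, a tampered PHPSESSID cookie can only fail to match a row; it cannot alter the queries.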
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 2:07 pm
by QuickSnail
Well, it's still under wraps so I can't tell you exactly.
But I can tell you that users have profiles, friends, photos and such.
Involves CSS and HTML. No other languages are allowed. You could probably have a good guess from that little info.
But anyway.
I admin my own server.
How could you find out if the SIDs' stored location is open or not?
In other words, where are SIDs stored normally on a Windows XP, PHP 5, Apache 2.0 machine?
Also, do you suggest disabling any other functions in my php.ini?
Also, what are the best ways of stopping cross-site coding?
I plan on filtering links to a custom page that will ask the user if they are sure they want to go to that site, and that it will log them out by destroying their session of course.
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 2:22 pm
by andyhoneycutt
I couldn't tell you much about php/apache or iis under windows, and am not very keen on the topic of security of those systems. I would check the documentation for your web server application and read up on PHP to determine what types of vulnerabilities you face.
If your server is stand-alone then really all you should need to worry about as far as session data goes is what you would normally worry about: have a decent firewall in place and keep current with all security topics related to running your particular brand of server.
-Andy
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 3:29 pm
by QuickSnail
O.k.
Thanks for the info

Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 3:55 pm
by Mordred
This is wrong both in theory and in practice.
You should escape the input values according to the context they will be used in - htmlspecialchars for HTML output (to prevent XSS), mysql_real_escape_string for mysql_query (to prevent SQL injection) and so on. This is all it takes to ensure that:
1. You preserve all characters in their original form...
2. ... and yet you are safe from injection attacks
This is where your approach is wrong in theory.
In practice, some lesser techniques, like str_replace, can be made to work correctly against injection, at the price of reduced freedom in the user input, more ugly and complex code, and therefore more chances of making a mistake.
The posted code, though, is not one of these less-successful cases, instead it is plain wrong.
First, it doesn't protect against any particular vulnerability; instead it's a mixture of functionality (bbcode conversion) and security theater (i.e. security measures which are only for show).
Second, it has bugs in it, like the double quotes side effects - have you tried passing the string "Array" (after session_start() ) through this?
Third, the real attacks will pass this with flying banners, if you haven't done proper escaping; if you have proper escaping, this code becomes superfluous.
It seems that you are not aware of the kinds of attacks one can expect - what's wrong with the string ".asp" for example? Or the words "submit", "connect" and "mysql", or the number - say - 1? All of these will get broken by your code. In fact it should be so obvious, that it appears it hasn't really been tested at all.
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 4:06 pm
by omniuni
I am curious, though, about your choice of Operating System.
If security is such a large issue, if I were you I would be far more concerned with the vulnerabilities of your system itself. Windows XP is nearing the end of its supported life, and even in the very best of circumstances, it has only "good" security. If you truly want your system secure from the ground up, I would recommend looking into something like Ubuntu Server LTS, CentOS, or RedHat Linux. By default, these distributions are both easy to install and set up, as well as secure against most types of attacks that target firewalls, services, and/or attempt to install or run software on the machine.
Beyond security, I would be concerned about the stability and portability of your web application on a Microsoft box. While PHP is certainly a better choice than ASP (in my opinion), you will still have to reboot frequently (for a server, probably once or twice a week or so), and your files will be stored in odder places than on a cleanly set up Linux box.
Also, on the topic of Firewalls, I strongly recommend Comodo Firewall, it's free, but it works just great.
Of course, all of this is just my opinion, so take it for what it's worth.
Best of Luck,
OmniUni
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 4:29 pm
by QuickSnail
Well all of that code has been tested. But only by yours truly.
I am only a PHP developer of about 1 year now. So I do not have anywhere near massive knowledge of PHP.
Also, I have considered dropping XP and picking up Linux and a distribution like Red Hat. I didn't think it would matter that much. But it seems that it does.
Although now that I think about it.. It would make sense that choosing something like Red Hat would be somewhat safer than Windows, because more people, I would assume, use Windows over Linux.
Drop xp
Linux Red hat
Comodo firewall.. Alrighty (I'm taking notes in my notebook)
What exactly does mysql_real_escape_string do?
Also, does that apply to mysqli? Because that is what I am using.
htmlspecialchars: now take in mind that I am allowing some HTML such as <img> and such.
I was trying to stop some attacks that I could think of. Which obviously isn't a lot.
Oh, also I should mention that I have safe_mode turned ON.
Thank you for the help you are giving me. It's all greatly appreciated.
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 4:41 pm
by Mordred
mysqli_real_escape_string()
http://www.logris.org/security/the-unex ... -injection
(Check the reference section at the bottom for the beginner papers on SQL injection)
http://htmlpurifier.org for dealing with allowing only *some* HTML tags.
Use htmlspecialchars() for the areas that you don't want *any* HTML - like usernames etc.
This is not the place to discuss OS-level security - we are experts in PHP, not OSes. Even if the advice here happens to be well-educated, you will get better information at fora specialising in OS security.
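Mordred's advice in the two posts above (escape for the context the data is used in: htmlspecialchars() where no HTML is allowed, HTML Purifier where some tags are, mysqli_real_escape_string() or bound parameters for SQL), shown as an added example that is not the poster's code or the library's own. It assumes a mysqli connection with placeholder credentials, a hypothetical `posts` table (user_id INT, body TEXT), and an HTML Purifier 4.x checkout on the include path (the 3.1.1 release in the thread used a three-argument set()).

```php
<?php
// Added example, not the poster's code: escape per output context instead of
// blacklisting words, as Mordred advises. Assumes a mysqli connection, a
// hypothetical 'posts' table (user_id INT, body TEXT), and an HTML Purifier
// 4.x checkout on the include path (3.1.1 used a 3-argument set()).
// HTML context, no markup allowed (usernames, titles): < > & " ' become
// entities, so the text can never turn into tags or attributes.
function html_out($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// HTML context where *some* markup is allowed (profiles): whitelist tags and
// attributes with HTML Purifier; anything not on the list is removed, rather
// than pattern-matched against a list of bad words.
require_once 'HTMLPurifier.auto.php';
function profile_html($html)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,br,img[src|alt]');
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// SQL context, option 1: escape for the connection's charset, then quote.
function sql_quoted(mysqli $db, $text)
{
    return "'" . $db->real_escape_string($text) . "'";
}

// SQL context, option 2 (preferred): bind the value so it is sent separately
// from the SQL text and needs no escaping at all.
function save_post(mysqli $db, $user_id, $body)
{
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $user_id, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Text the str_ireplace chain would mangle ("submit", ".asp", "mysql", "1")
// passes through every route intact; only each context's special characters
// are touched. Placeholder credentials and constructed sample input below.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$input = "Click submit on index.asp; O'Brien says 1 < 2 & \"mysql\" rocks";
echo html_out($input), "\n";
echo profile_html('<b>Hi</b> <u>there</u> <img src="me.jpg" alt="me">'), "\n";
echo "INSERT INTO posts (user_id, body) VALUES (1, " . sql_quoted($db, $input) . ")\n";
save_post($db, 1, $input);
```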
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 5:17 pm
by QuickSnail
Alright. Thank you.
So htmlspecialchars() for NO HTML whatsoever.
As for the HTML Purifier, It says it only works with PHP 5.0 which is fine. I'm using that. I take it that it works on any OS? I don't see it telling me otherwise.
Also, how in the world am I supposed to install this thing?!
I downloaded the .zip. I seem to understand that you require it, then call the function.
Does this mean I drop ALL of these files in my http:// directory folder? aka ./ of the host.
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 5:22 pm
by omniuni
@Quick Snail: Comodo Firewall is for Windows; Linux comes with a rather secure one built in (and you can tweak it if you need additional security).
@Mordred: It's true, this is a PHP forum, not an OS forum, but this was a broad topic about creating a situation with maximal security. As such, I felt it was pertinent to mention the OS. It's not that Windows can't be secured, it can, but my opinion is that it is easier to create a secure web hosting environment on a *nix based system. I never stated it as an absolute, it is my opinion only.
In general, I think you're on a good track, but I agree with the comment above that using a WYSIWYG editor like TinyMCE would help with keeping code clean; even if you just run it in HTML editing mode, so you still code everything, it has a built in code cleaner that should help when people click "Submit".
Good Luck!
Re: Securing My website even more than it is
Posted: Wed Sep 03, 2008 5:39 pm
by QuickSnail
Maybe switching to Linux would be a good idea.
I also have wanted to use sendmail for mail() but of course couldn't. I know there are other ways, but I see a lot of them as rather huge, massive processes..
But yes. If someone could give me a clue or a little help on using HTML Purifier 3.1.1; I looked over their forum and I don't see an answer.. I feel sorta dumb haha.. I see a .htaccess in some of the folders. Am I right in assuming you drop all the folders and files in your doc root?
Re: Securing My website even more than it is
Posted: Fri Sep 05, 2008 2:16 pm
by QuickSnail
New question same subject:
In php.ini, should I set the session.save_path to something that isn't in my www/ folder? (where the .com is located)
So that it isn't accessible by web or would that render the sessions unusable?
Also, should I change the session.name, which is used for cookie names? Right now it's at the default 'PHPSESSID'.