Have you been hacked ?

Posted: Wed Jan 21, 2004 4:56 am
by Dr Evil
Hi all,
just a quick question. Have any of you been hacked? If it was your code, what did you do to correct it?

Dr Evil

Posted: Wed Jan 21, 2004 6:04 am
by Straterra
I have never been hacked, because I have taken the proper procedures to secure my system.

Re: Have you been hacked ?

Posted: Wed Jan 21, 2004 7:48 am
by Roja
Dr Evil wrote: Hi all,
just a quick question. Have any of you been hacked? If it was your code, what did you do to correct it?

Dr Evil
While I haven't been hacked, I spend a considerable amount of time securing my system, and yes, my code.

How do you secure your code? Start by assuming that an attacker wants in, and wants as much access as possible. The first place you want to look is for anything that would give him database or admin access to the application.

Next I look at file permissions.. on a poorly configured host, with loose permissions, it may be possible for an attacker to overwrite files and have them included in your code.

I even look at include() statements, as they often have things like include($somefile). If $somefile gets set by the user, and you don't do proper variable cleaning, you may be including THEIR code.

Finally I try to reduce the dangerous system calls - things like exec(), fopen(), and so on.

Most importantly, I continue to do that, over and over again. I don't ever stop. Security is a process, not a one-time fix.

Hope that helps. :)
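The include($somefile) pattern Roja describes above, shown as an added example (not code from the thread): the vulnerable form beside a hardened version that treats user input only as a key into a fixed allow-list. The page names and the pages/ directory are assumed for illustration.

```php
<?php
// Added example, not from the original thread.
// Vulnerable pattern: the request decides which file gets included.
// With register_globals, or with $somefile = $_GET['page'], the visitor
// controls the path; on a loosely permissioned shared host that path can
// point at a file somebody else was able to write.
function vulnerable_include(string $somefile): void
{
    include($somefile);
}

// Hardened pattern: user input is only ever an allow-list key, never a path.
// Constructed allow-list; the file names are hypothetical.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function safe_include(string $page): bool
{
    // Reject anything that is not an exact allow-list key.
    if (!array_key_exists($page, PAGES)) {
        return false;
    }
    // Build the path from a directory the script controls, not from input.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath($base . '/' . PAGES[$page]);
    // Defence in depth: after resolving symlinks and "..", the file must
    // still live under $base, otherwise refuse to include it.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $real;
    return true;
}

// Usage: a value such as "../../etc/passwd" fails the array_key_exists check.
$page = $_GET['page'] ?? 'home';
if (!safe_include($page)) {
    http_response_code(404);
    echo 'Unknown page';
}
```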

Posted: Wed Jan 21, 2004 8:20 am
by Dr Evil
Thanks. That sounds quite smart. I try to code as safely as possible, but can't keep wondering if I'm up to date or if I thought of it all.

This question popped in when I read this post:
viewtopic.php?t=16997

Posted: Wed Jan 21, 2004 8:24 am
by Roja
Dr Evil wrote: Thanks. That sounds quite smart. I try to code as safely as possible, but can't keep wondering if I'm up to date or if I thought of it all.
You probably haven't thought of it all, and probably aren't up to date.

Security is a trade-off. You are trading time spent securing the code to prevent time spent fixing what a hacker does if he gets in.

If you are spending 40 hours a week securing something that would take 2 hours to clean up, well, that's not a great tradeoff.

It sounds like you genuinely care, and try to consistently apply secure principles, and that puts you ahead of 90%* of the coding population. :)


* - Statistic from "Lies, more lies and statistics - The art of making stuff up for online forum postings".

Posted: Thu Jan 22, 2004 9:38 am
by McGruff
I haven't been hacked but I did hack the easyspace hosting provider once - entirely by accident. A folder browsing script with an "up a level" method jumped right out of the client's domain and spewed out a list of all the other sites on the (shared) host.

That was a year ago - they still haven't fixed their setup.

Posted: Thu Jan 22, 2004 9:43 am
by Roja
McGruff wrote: I haven't been hacked but I did hack the easyspace hosting provider once - entirely by accident. A folder browsing script with an "up a level" method jumped right out of the client's domain and spewed out a list of all the other sites on the (shared) host.

That was a year ago - they still haven't fixed their setup.
That's not necessarily insecure.

It's non-optimal, and it definitely leaves room for bad things to happen; however, it's not in-and-of-itself insecure.

Basically, it's not chrooting users. If you set up your scripts properly, and have your sensitive information in files that either aren't viewable by the webserver, OR store sensitive information outside of the main web folders, then you should be able to avoid any security issues.

That being said, from your description, they don't use separate web/non-web trees, and a number of scripts MUST have sensitive information in files viewable by the webserver user. So, yeah, it's probably insecure.. but not for sure.

*I* certainly wouldn't host there.. :)

Posted: Thu Jan 22, 2004 9:55 am
by microthick
I know there are a few developers here that code insecure login systems.

I've gotten admin access on a few of them using simple SQL injection.

I don't trust my code...

Posted: Tue Jan 27, 2004 3:24 am
by jimbothegrey
We use an engine called TotalShield from http://www.applicure.com
It sits outside the Apache/PHP and filters anything that can go wrong...

This is really nice addon... saves a lot of time...
They are also answering fast to questions/requests.

Cheers.