Is my site secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

SohaibTheGame
Forum Newbie
Posts: 2
Joined: Sun Feb 10, 2013 3:06 pm

Is my site secure?

Post by SohaibTheGame »

Hello, I have a PHP site.

My site is 90% visual content (text, images); there's only a PHP registration script to a MySQL DB.

I want to know if a website can be hacked through the visual content.
I also want to know if putting direct download links is secure, example here: www.neoxco.com/download.php

If you want to take a look at my site: www.neoxco.com

Thank you for reading.
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Is my site secure?

Post by mecha_godzilla »

Hi,

The weak points in your site will be the registration page and the forums, but the downloadable application could be used to attack your database - it depends on whether the account information is held in the same database or mirrored to a different one. It would be possible for someone to disassemble your application and/or packet-sniff connections being made from the application to your server to learn what it's doing, so that might be worth looking at. However, assume that most script kiddies are lazy in the first instance and will go for a "quick win".

Here is some information about your server that took me 10 seconds to find out:

Server: Apache/2.2.22 (Win32) DAV/2 mod_ssl/2.2.22 OpenSSL/0.9.8t PHP/5.3.16 mod_wsgi/3.3 Python/2.7.2
X-Powered-By: PHP/5.3.16

I could use that information to search for an exploit and/or use an open proxy if I wanted to be more thorough and test for specific vulnerabilities. From my limited experience of these things, hackers seem to consistently target specific applications - in fact, I just tried accessing a common one on your server and got some information about your filesystem layout and the version of that software that you're using.

Anyway, the experts on this forum will be able to advise further :)

HTH,

Mecha Godzilla
SohaibTheGame
Forum Newbie
Posts: 2
Joined: Sun Feb 10, 2013 3:06 pm

Re: Is my site secure?

Post by SohaibTheGame »

So from what you're saying,
I should improve the register page code and remove the .exe downloads. What if you turned them into .rar?

However, the Server Status can also be a problem because it has MySQL access too.

About the forum, what can I do?

And to sum up, are you saying that it is impossible to hack a pure visual content site, where there is no access to anything? No DB, no files, only images.

Thank you. BTW, hey, don't hack; I came here to avoid that lol
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Is my site secure?

Post by social_experiment »

Users register on your site, so password security is a place to start. Don't store plain-text passwords; force a minimum length and different characters when a user signs up for an account.

Take a look at .htaccess for your site;
http://www.javascriptkit.com/howto/htaccess.shtml

mecha_godzilla wrote: hackers seem to consistently target specific applications

^ Good point, so make sure that you keep the software you are using up to date and check for any security issues there might be surrounding the specific application.

The weaker parts (imo) of the forum will be where a user can enter data (make posts, comments) and the query strings (data passed in the URL). Double-check all data received from the query string and escape all input (mysqli_real_escape_string() or mysql_real_escape_string()) depending on your code.

SohaibTheGame wrote: and to sum up, are you saying that it is impossible to hack a pure visual content site, where there is no access to anything? No DB, no files, only images.

Try to avoid thinking in terms of 'impossible' when talking about hacking; remember that your application might not be the weak spot in the security chain, it could be an exploit used on the server that houses your code, something that isn't in your control. A pure visual content site might limit the number of attackers drawn to it, but sometimes attackers will test your site just to see if it can be broken, regardless of content.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
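A worked version of the registration advice in this thread (hashed passwords, minimum length and mixed characters, no raw query-string data in SQL), added here as an example and not code from the thread or any poster. It assumes a `users` table with `username` and `password_hash` columns and an open mysqli connection `$db`; it uses prepared statements in place of mysqli_real_escape_string(), and password_hash() needs PHP 5.5 or newer (the PHP 5.3.16 shown in the headers above would need the password_compat backport).

```php
<?php
// Added example, not from the thread. Assumptions: a `users` table
// (username UNIQUE, password_hash) and a mysqli connection in $db.
// password_hash()/password_verify() exist from PHP 5.5 onwards.

/** Return a list of validation errors (an empty list means OK). */
function validate_registration($username, $password)
{
    $errors = array();
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    // Minimum length plus "different characters": at least one letter,
    // one digit and one other character.
    if (strlen($password) < 10) {
        $errors[] = 'password must be at least 10 characters';
    }
    if (!preg_match('/[A-Za-z]/', $password) || !preg_match('/\d/', $password)
        || !preg_match('/[^A-Za-z\d]/', $password)) {
        $errors[] = 'password needs a letter, a digit and a symbol';
    }
    return $errors;
}

/** Insert the user; only a bcrypt hash of the password is stored. */
function register_user(mysqli $db, $username, $password)
{
    $errors = validate_registration($username, $password);
    if ($errors) {
        return $errors;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // A prepared statement sends values separately from the SQL text,
    // so user input never has to be escaped into the query string.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    if (!$stmt->execute()) {
        // Duplicate username or DB error: report generically, leak no details.
        return array('registration failed');
    }
    return array();
}

/** Login check: compare against the stored hash, never plain text. */
function check_login(mysqli $db, $username, $password)
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found && password_verify($password, $hash);
}
```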
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Is my site secure?

Post by mecha_godzilla »

Hi again,

Just to add to what social_experiment has said (all good advice, btw), the problem is *not necessarily* the site itself, but the way that you've set the server up. Sorry if you thought that I might be hacking your server, but all this information is freely available :) The information I got told me what software stack you are using and the file path to it on your server - these are things that are easy to hide with a correctly configured php.ini file. The information about Apache/PHP versions is also easy to hide with a correctly configured httpd.conf file. I was also able to access the set-up page for one of the web applications installed on your server - I knew about this one because I have the same version of that particular application and (by default) it's not properly secured. If you need any advice in this respect please feel free to PM me and I'd be happy to offer some suggestions.

There's no reason why offering an ".exe" file for download is inherently more secure or insecure than offering (say) a ".rar" file, and the best way to make sure your forum software is secure is by regularly updating it. You still see a lot of sites out there running very, very old versions of WordPress, osCommerce or Joomla and these are all viable targets for entry-level hackers - there are lots of hacking forums out there where these kinds of exploits can be found and it doesn't exactly take long to Gxxgle(tm) "joomla 1.5 exploit" or whatever it is that they're looking for.

HTH,

M_G