Archive for the ‘PHP’ Category
How to secure Joomla!
I’m not a big fan of Joomla!, but a client wanted to use it, so I had a closer look at it to make it a bit more secure.
For the moment I work with version 1.0.14, and I have read that Joomla 1.5 works with safe mode on and has some nice security features.
Here are some tips which you can also use if you aren’t a Joomla head.
hardening wordpress
I had positive feedback after posting my article about hardening Joomla!, so I will now focus on the blog software WordPress.
Here are a couple of tips that you can use to make your WordPress installation a bit more secure.
Change the default name of your administrator login (admin) and choose a strong password for all your accounts. It’s also a good idea to use different login and author names; WordPress also has a good user-level system.
System call injection
With the following functions you can execute an external program on the system (server):
- shell_exec
- proc_open
- system
- exec
- passthru
- popen
- ` (backtick operator)
This form sends a domain name and prints the result back from the linux program whois.
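The form itself is cut off in this excerpt, so here is an added example (not code from the original post) of the same whois form written so that only a validated domain name ever reaches the external program. The path `/usr/bin/whois`, the form field name `domain` and the helper names are assumptions; the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original post): a whois lookup form that only
// passes a validated domain name to the external program.

/**
 * Return the domain name if it is syntactically valid, or null otherwise.
 * Only letters, digits, hyphens and dots are accepted, so no shell
 * metacharacters (; | & ` $ and so on) can ever reach the command line.
 */
function validate_domain(string $input): ?string
{
    $domain = strtolower(trim($input));
    if (strlen($domain) > 253) {
        return null;
    }
    // labels of 1-63 characters separated by dots, ending in a TLD of letters
    if (!preg_match('/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $domain)) {
        return null;
    }
    return $domain;
}

/**
 * Build the command line. escapeshellarg() is a second line of defence
 * in case the validation above is ever relaxed.
 * (Assumed binary location: /usr/bin/whois.)
 */
function build_whois_command(string $domain): string
{
    return '/usr/bin/whois ' . escapeshellarg($domain);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $domain = validate_domain($_POST['domain'] ?? '');
    if ($domain === null) {
        echo '<p>Please enter a valid domain name.</p>';
    } else {
        // The vulnerable variant simply concatenates the raw POST value
        // into the command string; here only the validated value is used.
        $output = shell_exec(build_whois_command($domain));
        // The program output is untrusted too: escape it before printing.
        echo '<pre>' . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
}
?>
<form method="post" action="">
  <input type="text" name="domain" maxlength="253">
  <input type="submit" value="whois">
</form>
```

The allowlist regex does the real work: a value such as a domain followed by a semicolon and another command never matches, so it is rejected before any of the functions listed above is called. `escapeshellarg()` on its own would also prevent the injection, but combining it with strict validation means a mistake in one layer does not become a remote shell.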
Pixy: XSS and SQLI Scanner for PHP Programs
Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input and creates a report that lists possibly vulnerable points in the program, together with additional information for understanding each vulnerability.
There is also an easy-to-use web interface where you can upload your files or paste the code to analyse it.
What does a phpshell look like?
After my last posting, “(evil) Register Globals (on)”, I got an email asking what remote files look like and what they do. I call remote files “phpshells”. Phpshells can send commands directly to the server system over HTTP.
A simple version could use a GET variable for a system call. That alone is enough to steal information, deface pages and do other nasty things on a web server.
<?php
system($_GET['cmd']);
?>
The r57shell is the deluxe version of a phpshell. I added some pictures below. It’s an interface and has functions like ftp, mail and many more.
Is this application written in php or not?
Some sites use mod_rewrite, or change .php extensions to .html extensions with .htaccess, to hide the fact that the application is written in PHP.
But it’s really easy to find out whether it’s written in PHP, because PHP has an Easter egg: if you send a special string to any PHP site, the browser shows a PHP logo or a dog as an image.
Keep sensitive data out of your web tree
A web server’s document structure resembles this:
/htdocs
  /include
    config.inc
  index.php
If you store sensitive data like configuration files there, everyone can point the browser to http://example.com/include/config.inc and read it.
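As an added example (not code from the original post), this is how index.php can load the configuration from a directory one level above the document root, and refuse to start if the file still resolves to somewhere under the web tree. The layout `/var/www/example.com/config/config.inc` next to `/var/www/example.com/htdocs/` and the helper name `is_outside_docroot()` are assumptions.

```php
<?php
// Added example (not from the original post): keep config.inc outside the
// document root and load it by an absolute path.
//
// Assumed layout (hypothetical):
//   /var/www/example.com/config/config.inc   <- not reachable over HTTP
//   /var/www/example.com/htdocs/index.php    <- DOCUMENT_ROOT is .../htdocs

/**
 * Return true when $file resolves to a location that is NOT under $docroot.
 * realpath() removes "..", symlinks and trailing slashes, so the comparison
 * cannot be fooled by an odd spelling of the same path.
 */
function is_outside_docroot(string $file, string $docroot): bool
{
    $real_file = realpath($file);
    $real_root = realpath($docroot);
    if ($real_file === false || $real_root === false) {
        return false; // unknown paths are treated as unsafe
    }
    $real_root = rtrim($real_root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_file, $real_root, strlen($real_root)) !== 0;
}

// One directory above htdocs, then into config/
$config_file = dirname(__DIR__) . '/config/config.inc';

if (!is_outside_docroot($config_file, $_SERVER['DOCUMENT_ROOT'])) {
    // Refuse to run with a configuration the whole internet can download.
    http_response_code(500);
    exit('configuration file missing or inside the web tree');
}

require $config_file;
```

If the hosting setup does not allow files outside the document root at all, the fallback is to forbid direct access to the include directory in the web server configuration (for Apache, a `.htaccess` file in `/include` with `Deny from all`) and to give included files a `.php` extension so the server at least interprets them instead of serving their source as plain text.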
Cheating with obfuscation
Sometimes I find strange lines in my webservers log, like this one:
"GET site.php?id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1"
What’s that? No, it’s not the Matrix; it looks like someone tried to obfuscate something with hex (URL encoding).
Let’s write two lines using urldecode() to check this string.
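The two decoding lines are cut off in this excerpt, so here is an added example (not code from the original post) that pulls the request target out of a log line, runs it through urldecode() until nothing changes any more (attackers sometimes encode twice), and flags the usual script-injection markers. The two log lines are constructed: the first carries exactly the request from the post, the second is an ordinary request for comparison. The function names are assumptions.

```php
<?php
// Added example (not from the original post): decode the query string of a
// suspicious log line with urldecode() and flag script injection attempts.

/**
 * Decode percent-encoding repeatedly (attackers sometimes encode twice),
 * stopping when the string no longer changes or after a few rounds.
 */
function decode_fully(string $value, int $max_rounds = 3): string
{
    for ($i = 0; $i < $max_rounds; $i++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/**
 * Return the decoded request target and whether it looks like an XSS probe.
 * The request target is the second word inside the quoted request field
 * of a Common Log Format line.
 */
function inspect_log_line(string $line): array
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m)) {
        return ['decoded' => '', 'suspicious' => false];
    }
    $decoded = decode_fully($m[1]);
    // Very small signature set for illustration; a real deployment would
    // use a maintained ruleset rather than three patterns.
    $suspicious = (bool) preg_match('/<\s*script|javascript:|on\w+\s*=/i', $decoded);
    return ['decoded' => $decoded, 'suspicious' => $suspicious];
}

// Constructed sample lines: the first is the request from the post above,
// the second is an ordinary request for comparison.
$lines = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0100] "GET site.php?id=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%32%33%29%3B%3C%2F%73%63%72%69%70%74%3E HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2008:10:00:01 +0100] "GET site.php?id=42 HTTP/1.1" 200 512',
];

foreach ($lines as $line) {
    $r = inspect_log_line($line);
    printf("%-10s %s\n", $r['suspicious'] ? 'SUSPICIOUS' : 'ok', $r['decoded']);
}
```

Decoding the first line turns the hex back into a script tag calling alert(), which is a typical probe for reflected XSS in the `id` parameter. Matching on the decoded string rather than the raw one is the important point: a signature applied to the encoded form misses every variant that uses different case or an extra layer of encoding.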
The danger of PHP_SELF
The $_SERVER['PHP_SELF'] superglobal (or, in the old syntax, $PHP_SELF) gives you the filename of the currently executing script, relative to the document root.
It is often used in forms or in links.
Here you see a normal login form with the form container above.
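The form is cut off in this excerpt, so here is an added example (not code from the original post) of a login form whose action attribute does not become an injection point. The danger is that PHP_SELF also contains whatever path the client appends after the script name, so echoing it unescaped into the action attribute puts client-controlled text into the page. The helper names `form_action()` and `h()` and the field names are assumptions; the code assumes PHP 7 or later.

```php
<?php
// Added example (not from the original post): a login form whose action
// attribute cannot be turned into an injection point through PHP_SELF.
//
// PHP_SELF carries any path-info the client appends to the script path,
// so echoing it raw into the action attribute lets that extra text land
// inside the HTML. The vulnerable pattern the post warns about is
// printing $_SERVER['PHP_SELF'] directly inside action="...".

/**
 * Escaped current script path for use inside an HTML attribute.
 * SCRIPT_NAME does not carry the client-supplied path-info part that
 * PHP_SELF does, and htmlspecialchars() neutralises anything that is left.
 */
function form_action(): string
{
    $path = $_SERVER['SCRIPT_NAME'] ?? $_SERVER['PHP_SELF'];
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

/**
 * Escape any value that is reflected back into the page, for example the
 * username shown again after a failed login.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$user = $_POST['user'] ?? '';
?>
<form method="post" action="<?php echo form_action(); ?>">
  <label>User <input type="text" name="user" value="<?php echo h($user); ?>"></label>
  <label>Password <input type="password" name="pass"></label>
  <input type="submit" value="Login">
</form>
```

If the form only ever submits to the page it lives on, the simplest fix is an empty `action=""`, which browsers treat as the current URL; the version above is for the case where the script path really is needed, and applies the same escaping rule to every other value reflected into the page.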