Archive for the ‘PHP’ Tag

hardening wordpress

I had positive feedback after posting my article about hardening Joomla!, so I will now focus on the blog-software wordpress.
Here are a couple of tips that you can use to make your wordpress a bit securer.

Change the default name of your administrator login (admin) and choose a strong password for all your accounts. It’s also a good idea to use different login- and author-names, wordpress has also a great user levels.
Continue reading

Spam protection with Akismet

Akismet, or Automattic Kismet, is a text spam filtering service created by Automattic, the corporation which employs most of the main developers of WordPress.

When a new comment is posted on your site, Akismet webs service catches the comment and tests whether a comment is valued as “spam” or “not spam”. Continue reading

Automated testing with Selenium IDE

Automated testing is an extremely useful bug-killing tool for the modern Web developer and a lot of vulnerability in fact are based on bugs.
With Selenium IDE, a free Firefox extension, you can easily record your clicks and inputs in the browser, set tests and replay the records. If a test failed you get a feedback.

I’ll show you an example, to make the power of Selenium clearer.
Continue reading

System call injection

With the follow commands you can execute an external program on the system (server).

  • shell_exec
  • proc_open
  • system
  • exec
  • passthru
  • popen
  • “ (back tick operator)

This form sends a domain name and prints the result back from the linux program whois.

Continue reading

Pixy: XSS and SQLI Scanner for PHP Programs

Pixy is a free Java program that performs automatic scans of PHP 4 source code, aimed at the detection of Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities. Pixy takes a PHP program as input, and creates a report that lists possible vulnerable points in the program, together with additional information for understanding the vulnerability.

There is also a easy to use webinterface where you can upload your files or paste the code to analyse it.

http://pixybox.seclab.tuwien.ac.at/pixy/webinterface.php

What does a phpshell look like?

After my last posting “(evil) Register Globals (on)“, I got an email asking what remote files look like and what they do. I call remote files “phpshells”. phpshells can send commands directly to the server system over http.

An easy version could be using a GET variable for a system call. Indeed, it’s enough to steal information, destroy pages and do other nasty stuff on a web server.

<?php
    system($_GET[‘cmd’]);
?>

The r57shell is the deluxe version of a phpshell. I added some pictures below. It’s an interface and has functions like ftp, mail and many more.

Continue reading

(evil) Register Globals (on)

The register_globals directive is enabled (register_globals = On) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

Why is it a security risk? Let’s look at this example:

Continue reading

Is this application written in php or not?

Some sites use mod-rewrite or change .php extensions to .html extensions with .htaccess to hide the information that the application is written with php.

But it’s really easy to find out if it’s written with php, because there is an Easter egg in php. If you send a special string to any php site, the browser generates a php logo or a dog as image.

Continue reading

Keep sensitive data out of your web tree

A web server’s document structure resembles this:

/htdocs
    /include
        config.inc
    index.php

If you store sensitive data like configuration files, everyone can point
the browser to http://example.com/include/config.inc and read it.

Continue reading

Cheating with obfuscation

Sometimes I find strange lines in my webservers log, like this one:

“GET site.php?id=%3C%73%63%72%69%70%74
%3E%61%6C%65%72%74%28%32%33%29%3B%3C
%2F%73%63%72%69%70%74%3E HTTP/1.1”

Whats that? No it’s not the matrix it looks like someone tried to obfuscate something with Hex.
Let’s write 2 lines using urldecode() to check this string.

Continue reading