6 Tips To Secure Your Website

Aprelium Forum Index -> Tutorials
Marty


Joined: 10 Sep 2006
Posts: 83

PostPosted: Sat Dec 09, 2006 1:46 pm    Post subject: 6 Tips To Secure Your Website

Most people on the internet are good, honest people. However, there are some people browsing the internet who derive fun from poking around websites and finding security holes. A few simple tips can help you secure your website in the basic ways. Now, obviously, the subject of data security is a complicated one and way beyond the scope of this column. However, I will address the very basics one should do which will alleviate many potential problems that might allow people to see things they shouldn't.

Password Protecting Directories

If you have a directory on your server which should remain private, do not depend on people to not guess the name of the directory. It is better to password protect the folder at the server level. So let's look at how easy it is using Abyss Web Server to password protect a directory.

Firstly, if you haven't already, you need to set yourself up as a User/Group. "Group" meaning, if you wish to give access to an outside party, the name given to the "Group" is just a name for you to refer to... so...

Open your Abyss Web Server Console, Select which Host/Domain you want to configure and Select "Users and Groups". Select Add to either Users or Groups section.

Enter a User or Group name
Enter a Password
Confirm the Password

Open your Abyss Web Server Console, Select which Host/Domain you want to configure and Select "Access Control" option.

The path access edition dialog contains the following fields:

Virtual Path: The virtual path whose contents' access is to be restricted. Use the Browse function to find the desired folder. (Many Abyss users use this function to password protect their phpmyadmin directory.)

Realm: A short description of the path's contents. It is prompted to users by the browser when it asks them for credentials. Example "My Database".

Order: The order that the server follows to check if access is granted to a user. If it is set to Allow/Deny, access is denied by default and is allowed only if the user is in the Allow for list and is not in the Deny for list. If it is set to Deny/Allow, access is allowed by default and is denied only if the user is in the Deny for list and is not in the Allow for list.
Allow for: The list of users and groups for whom access is allowed.
Deny for: The list of users and groups for whom access is denied.
Note: If the Deny for list is empty and the order is Deny/Allow, access is granted to all declared users and groups.


Turn Off Directory Listings

By default, any directory on your website which does not have a recognized homepage file (index.htm, index.php, default.htm, etc.) is going to instead display a listing of all the files in that folder. You might not want people to see everything you have on there. The simplest way to protect against this is to simply create a blank file, name it index.htm and then upload it to that folder. Your second option is to disable directory listing. In this case, the Abyss Web Server generates error 403 instead of a listing.

Remove Install Files


If you install software and scripts to your website, many times they come with installation and/or upgrade scripts. Leaving these on your server opens up a huge security problem because if somebody else is familiar with that software, they can find and run your install/upgrade scripts and thus reset your entire database, config files, etc. A well written software package will warn you to remove these items before allowing you to use the software. However, make sure this has been done. Just delete the files from your server.

Keep Up with Security Updates

Those who run software packages on their website need to keep in touch with updates and security alerts relating to that software. Not doing so can leave you wide open to hackers. In fact, many times a glaring security hole is discovered and reported and there is a lag before the creator of the software can release a patch for it. Anybody so inclined can find your site running the software and exploit the vulnerability if you do not upgrade. I myself have been burned by this a few times, having whole forums get destroyed and having to restore from backup. It happens.

Reduce Your Error Reporting Level

Speaking mainly for PHP here because that's what I work in, errors and warnings generated by PHP are, by default, printed with full information to your browser. The problem is that these errors usually contain full directory paths to the scripts in question. It gives away too much information. To alleviate this, reduce the error reporting level of PHP. You can do this in two ways. One is to adjust your php.ini file. This is the main configuration for PHP on your server. Look for the error_reporting and display_errors directives. However, you can also reduce the error reporting level using the error_reporting() function of PHP. Include this in a global file of your scripts; that way it will work across the board.

Secure Your Forms

Forms open up a wide hole to your server for hackers if you do not properly code them. Since these forms are usually submitted to some script on your server, sometimes with access to your database, a form which does not provide some protection can offer a hacker direct access to all kinds of things. Keep in mind...just because you have an address field and it says "Address" in front of it does not mean you can trust people to enter their address in that field. Imagine your form is not properly coded and the script it submits to is not either. What's to stop a hacker from entering an SQL query or scripting code into that address field? With that in mind, here are a few things to do and look for:

Use MaxLength. Input fields in forms can use the maxlength attribute in the HTML to limit the length of input on forms. Use this to keep people from entering WAY too much data. This will stop most people. A hacker can bypass it, so you must protect against information overrun at the script level as well.

Hide Emails. If using a form-to-mail script, do not include the email address in the form itself. It defeats the point and spam spiders can still find your email address.

Use Form Validation. I won't get into a lesson on programming here, but any script which a form submits to should validate the input received. Ensure that the fields received are the fields expected. Check that the incoming data is of reasonable and expected length and of the proper format (in the case of emails, phones, zips, etc.).

Avoid SQL Injection. A full lesson on SQL injection can be reserved for another article; however, the basics are that form input is inserted directly into an SQL query without validation, thus giving a hacker the ability to execute SQL queries via your web form. To avoid this, always check the data type of incoming data (numbers, strings, etc.), run adequate form validation per above, and write queries in such a way that a hacker cannot insert anything into the form which would make the query do something other than you intend.

Conclusion

Website security is a rather involved subject and it gets a LOT more technical than this. However, I have given you a basic primer on some of the easier things you can do on your website to alleviate the majority of threats to your website.

Regards
Marty
_________________
www.web-bin.com | www.skydigitalcards.com


Last edited by Marty on Sun Dec 10, 2006 1:43 pm; edited 2 times in total
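Marty's tips on error reporting, form validation and SQL injection, carried into code. This is an added example and not code from Marty's post or from Abyss Web Server: the `contacts` table, the three field names and the PDO connection details are assumptions.

```php
<?php
// Added example (not from the original post). Assumptions: a MySQL table
// contacts(name, email, zip) and the placeholder PDO credentials below.

// Tip "Reduce Your Error Reporting Level": keep logging on, but never echo
// errors (and the file paths inside them) to the visitor. The equivalent
// php.ini settings are:
//   display_errors = Off
//   log_errors = On
//   error_reporting = E_ALL
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Tip "Use Form Validation": accept only the fields we expect, and re-check
// length and format on the server (maxlength in the HTML is advisory only).
function validate_contact(array $post): array
{
    $expected = ['name', 'email', 'zip'];
    $extra = array_diff(array_keys($post), $expected);
    if ($extra) {
        throw new InvalidArgumentException('Unexpected fields: ' . implode(', ', $extra));
    }
    foreach ($expected as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("Missing field: $f");
        }
    }
    $name = trim($post['name']);
    if ($name === '' || strlen($name) > 60) {
        throw new InvalidArgumentException('Name must be 1-60 bytes');
    }
    $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    if (!preg_match('/^[0-9]{5}\z/', $post['zip'])) {
        throw new InvalidArgumentException('ZIP must be exactly five digits');
    }
    return ['name' => $name, 'email' => $email, 'zip' => $post['zip']];
}

// Tip "Avoid SQL Injection": the query text is fixed at development time and
// the user's data travels separately as bound parameters, so nothing typed
// into a field can change the structure of the query.
function save_contact(PDO $db, array $c): void
{
    $stmt = $db->prepare(
        'INSERT INTO contacts (name, email, zip) VALUES (:name, :email, :zip)'
    );
    $stmt->execute([':name' => $c['name'], ':email' => $c['email'], ':zip' => $c['zip']]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $contact = validate_contact($_POST);
        $db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]);
        save_contact($db, $contact);
        // Escape on output so stored text can never run as HTML in the page.
        echo 'Thanks, ' . htmlspecialchars($contact['name'], ENT_QUOTES, 'UTF-8');
    } catch (InvalidArgumentException $e) {
        // Our own message: safe to show, contains no paths or SQL.
        http_response_code(400);
        echo 'Form error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    } catch (PDOException $e) {
        // Log the details for the admin; the visitor gets nothing informative.
        error_log('DB error: ' . $e->getMessage());
        http_response_code(500);
        echo 'Sorry, something went wrong.';
    }
}
```

The two catch blocks are the point of the error-reporting tip in practice: validation messages are written by you and can be shown, while database exceptions carry file paths and SQL text and belong only in the log.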
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Sat Dec 09, 2006 2:31 pm    Post subject: Re: 6 Tips To Secure Your Website

Marty,

Thanks for compiling this list of advice and publishing it here.
_________________
Support Team
Aprelium - http://www.aprelium.com
Ralph


Joined: 17 Sep 2006
Posts: 87

PostPosted: Sat Dec 09, 2006 3:15 pm

Marty,

Thanks for the excellent advice! It has shown me a few things I had not even thought of. This is a very comprehensive and well written overview of some important things to know about.

I will be sure to use this information to create a more secure server environment...
_________________
My Abyss Websites!
www.qualitynetdesign.com
TRUSTAbyss


Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

PostPosted: Sat Dec 09, 2006 6:06 pm

Hi Marty,

You should add to your tutorial that you need to first add Users/Groups before
you can password protect a folder.
Marty


Joined: 10 Sep 2006
Posts: 83

PostPosted: Sun Dec 10, 2006 1:47 pm

TRUSTAbyss wrote:
Hi Marty,

You should add to your tutorial that you need to first add Users/Groups before
you can password protect a folder.

Oops... done.

Please feel free to edit or rewrite my post if I have left something out. I understand that Abyss has all this information already within its server package, but let's face it, most wouldn't or don't read these things. Having something like this on a forum (in your face, so to speak) gets people interested.
_________________
www.web-bin.com | www.skydigitalcards.com
cmxflash


Joined: 11 Dec 2004
Posts: 872

PostPosted: Sun Dec 10, 2006 7:40 pm

As a programmer myself, here are a few of my security tips.

Image upload
Make sure to check the real extension of the file and not just the MIME-type.
MIME-types can easily be spoofed and trick an image upload script to upload a PHP or ASP page.

Escape HTML
When using forms, always remember to use htmlentities() or a similar function if the submitted data is to be printed out on any HTML page again.

Allowing javascript or HTML to be executed on the client could lead to stolen session IDs, thus allowing anybody to steal your session ID when you're signed in as the administrator.

Download scripts
If you're planning on using a download script which uses the readfile() function in PHP, remember to never use any variable sent by the user inside the readfile function. You could easily go up one or a few directories by adding ../ in the variable.

Here's an example.
Code:
<?php
header("Content-type: Image/PNG");
readfile("img/".$_GET['user_id'].".png");
?>


So how could you hack that code? Easy, you simply have to access "script.php?user_id=../index.php%00". This will give you the full source code of the index page in the parent directory. Using the NULL byte (%00) allows me to remove the .png extension.

Validate form data
HTML forms are validated on the client side, allowing the restrictions (example: maxlength) to be overridden by the client. You should use strlen() to check on the server side if the text really is within its limits.

Another common problem programmers do not care about is drop down lists. As with maxlength, a drop down list can be modified by the client. I've run across a few big sites which do not validate what I submit using a drop down list. This would, for example, allow me to put HTML or Javascript on my profile page.

Not using die(); when redirecting
Let's say you have an administration page on your server. This would be the code:

Code:
<?php
// Redirects a non-admin, but does NOT stop the script: execution continues below.
if (!$_SESSION['admin']) {
header("Location: login.php");
}

if (isset($_GET['make_user_admin'])) {
function_for_making_a_user_admin($_GET['make_user_admin']);
}

?>


Sure, if you access the admin page without a valid session, you would get sent to login.php. However, the server would still continue to process your request, even after the redirection. You could also use a telnet client to get the HTML out of the page without being redirected. This would allow us to know that you could send the variable make_user_admin via GET, if there was a form on the admin page. If we requested admin.php?make_user_admin=your_username, it would allow you to log in to the page as a real administrator.

If we had used die() after the redirection, none of the page's HTML code would get sent to the client, regardless of whether you used a telnet client or a web browser. You would also be unable to execute function_for_making_a_user_admin().

Escape data in exec(), shell_exec() and similar functions
If you're using a script to execute a command on your computer which includes some text the user has given, make sure to escape that text.

Code:
<?php
echo shell_exec("status.exe -check ".$_GET['user']);
?>


In the above example, we're using status.exe to check for information about the user $_GET['user']. A normal request could look like this: "script.php?check=cmxflash". Let's say we requested this instead: "script.php?check=cmxflash&shutdown -f -s -t 30 -c pwnd by teh skiddie". The server would split the request into two parts, "cmxflash" and "shutdown -f -s -t 30 -c pwnd by teh skiddie". The 2nd part would shut down your server.


Last edited by cmxflash on Sun Dec 24, 2006 12:01 am; edited 2 times in total
pkSML
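The hardened counterparts of the snippets in cmxflash's post above, as an added example (not cmxflash's code): the `img/` directory, `status.exe -check` and the `make_user_admin` parameter are the post's own; `IMG_DIR`, the numeric user-id format, the country list and the 500-byte bio limit are assumptions.

```php
<?php
// Added example (not from the original post). The paths and tool names come
// from the post; IMG_DIR, the id format and the country list are assumptions.

// 1. Download script: never hand user input straight to readfile(). Restrict
//    the parameter to a strict pattern, then confirm the resolved path still
//    lies inside the intended directory. A digits-only id cannot carry "../"
//    or a NUL byte, so both tricks from the post are stopped at the regex;
//    the realpath() check is a second, independent guard.
define('IMG_DIR', __DIR__ . '/img');

function safe_image_path(string $user_id): ?string
{
    if (!preg_match('/^[0-9]{1,12}\z/', $user_id)) {
        return null;
    }
    $base = realpath(IMG_DIR);
    $path = realpath(IMG_DIR . '/' . $user_id . '.png');
    // realpath() is false for a missing file; the prefix test catches any
    // path that resolved outside IMG_DIR (for example through a symlink).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function serve_image(string $user_id): void
{
    $path = safe_image_path($user_id);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: image/png');
    readfile($path);
    exit;
}

// 2. Admin page: header('Location: ...') only asks the browser to go
//    elsewhere; PHP keeps executing the rest of the script. exit (an alias
//    of die) is what turns the check into an actual barrier.
function require_admin(): void
{
    if (empty($_SESSION['admin'])) {
        header('Location: login.php');
        exit; // nothing after this line runs for a non-admin request
    }
}

// 3. Shell commands: escapeshellarg() wraps the value in single quotes and
//    escapes any quotes inside it, so "cmxflash&shutdown ..." reaches
//    status.exe as one literal argument rather than a second command. The
//    regex in front of it is defence in depth: reject odd input outright.
function user_status(string $user): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}\z/', $user)) {
        return 'invalid user name';
    }
    return (string) shell_exec('status.exe -check ' . escapeshellarg($user));
}

// 4. maxlength and drop-down lists exist only in the client's HTML; the
//    server must re-check length against its own limit and the chosen value
//    against its own list, and escape the text before printing it again.
function validate_profile(array $post): array
{
    $countries = ['SE', 'US', 'DE']; // the server's list, not the form's
    if (!isset($post['country']) || !in_array($post['country'], $countries, true)) {
        throw new InvalidArgumentException('Unknown country');
    }
    $bio = isset($post['bio']) ? (string) $post['bio'] : '';
    if (strlen($bio) > 500) {
        throw new InvalidArgumentException('Bio too long');
    }
    return [
        'country'  => $post['country'],
        'bio_html' => htmlentities($bio, ENT_QUOTES, 'UTF-8'),
    ];
}

// Usage for the download case: /script.php?user_id=42 serves img/42.png;
// anything else (../, %00, letters) gets a 404 and never reaches readfile().
if (isset($_GET['user_id'])) {
    serve_image((string) $_GET['user_id']);
}
```

For the admin page, call `require_admin()` at the very top of the script and put the `make_user_admin` handler below it; because the function exits for a non-admin, the handler is unreachable whether the request arrives from a browser or a raw telnet session.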


Joined: 29 May 2006
Posts: 952
Location: Michigan, USA

PostPosted: Sun Dec 10, 2006 9:43 pm    Post subject: Validate image upload

cmxflash, thanks for the hacker's side of security. Very informative.

cmxflash wrote:
Image upload
Make sure to check the real extension of the file and not just the MIME-type.
MIME-types can easily be spoofed and trick an image upload script to upload a PHP or ASP page.


An easy way to validate images comes with using getimagesize(). It returns an array of image information.

PHP Manual wrote:
Index 2 is a flag indicating the type of the image:
1 = GIF,
2 = JPG,
3 = PNG,
4 = SWF,
5 = PSD,
6 = BMP,
7 = TIFF(intel byte order),
8 = TIFF(motorola byte order),
9 = JPC,
10 = JP2,
11 = JPX,
12 = JB2,
13 = SWC,
14 = IFF,
15 = WBMP,
16 = XBM.

_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
cmxflash


Joined: 11 Dec 2004
Posts: 872

PostPosted: Sun Dec 10, 2006 10:12 pm    Post subject: Re: Validate image upload

pkSML wrote:

An easy way to validate images comes with using getimagesize(). It returns an array of image information.


I could still embed PHP code in the image using a hex-editor, and it would pass the getimagesize() function.
All times are GMT + 1 Hour
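Putting pkSML's getimagesize() suggestion and cmxflash's objection together, as an added example (not code from either post): getimagesize() is kept as the first gate, but the file is then decoded and re-encoded with GD, which throws away any bytes that are not pixel data, and the stored name and extension are chosen by the server. `UPLOAD_DIR`, the size limit and the `avatar` field name are assumptions; the code requires PHP 7 with the GD extension.

```php
<?php
// Added example (not from the original posts). UPLOAD_DIR, the size limit
// and the form field name are assumptions; needs PHP 7 and the GD extension.

define('UPLOAD_DIR', __DIR__ . '/uploads');  // ideally outside the web root
define('MAX_UPLOAD_BYTES', 2 * 1024 * 1024);

// getimagesize() index 2 type codes (see the manual excerpt quoted above)
// mapped to the extension WE assign. The client's filename and Content-Type
// are never consulted.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function store_uploaded_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Gate 1: the header must parse as one of the accepted image types.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Not an accepted image type');
    }
    $ext = ALLOWED_TYPES[$info[2]];

    // Gate 2: re-encode with GD. A valid image header can be followed by
    // arbitrary bytes (cmxflash's hex-editor point); decoding to pixels and
    // writing a fresh file keeps the picture and drops everything else.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        throw new RuntimeException('Image data could not be decoded');
    }

    // Gate 3: the server picks the name. Random hex plus our extension means
    // no ".php", no double extensions and no path characters from the client.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    $ok = false;
    switch ($ext) {
        case 'gif': $ok = imagegif($src, $dest);      break;
        case 'jpg': $ok = imagejpeg($src, $dest, 90); break;
        case 'png': $ok = imagepng($src, $dest);      break;
    }
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}

// Usage with <input type="file" name="avatar"> on a multipart form.
if (isset($_FILES['avatar'])) {
    try {
        $stored = store_uploaded_image($_FILES['avatar']);
        echo 'Saved as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Re-encoding also normalises the file, so a browser-side quirk in how a JPEG or PNG is parsed is far less likely to survive; as a last layer, configure the web server so that nothing in the upload directory is ever handed to the PHP interpreter, whatever its extension.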