Kent

Joined: 12 Jan 2003
Posts: 137

PostPosted: Wed Apr 11, 2007 9:57 pm    Post subject: ...

...

mmk, first script using these methods... thanks.


Last edited by Kent on Wed Apr 11, 2007 11:59 pm; edited 1 time in total
cmxflash

Joined: 11 Dec 2004
Posts: 872

PostPosted: Wed Apr 11, 2007 11:03 pm    Post subject:

You really need to fix the security in your scripts. Took me less than two minutes before I was able to execute PHP code on your server.

Here are just some of your security problems:

* ikilledit.php allows anybody to remove any file, anywhere on the server
* swank.php allows upload of PHP files (uploaded one here)
* getthumb.php allows anybody to read any image on the system
* profilerz.php allows any user account to be edited by anybody - Use sessions!
* The blog doesn't escape HTML/Javascript, could be used to steal session cookies or other sensitive information

Etc, etc and etc. I would probably rewrite it from scratch. Never trust what the client sends! Otherwise, the design is clean and nice.

Edit:
I killed Abyss so no skiddie will be able to screw with your server after reading this message.
Kent

Joined: 12 Jan 2003
Posts: 137

PostPosted: Thu Apr 12, 2007 10:50 pm    Post subject:

for the ikilledit.php I added
$photo = mysql_real_escape_string($_GET['photo']);
to secure it ~
for the blog I added things like
$blogbody = str_replace("<","we dont allow",$blogbody);
$blogbody = str_replace(">"," html tags",$blogbody);


etc...

I am working towards securing the files you indicated were flawed..
can you PM and tell me what files you were able to take advantage of and how you did it exactly so I may learn better on how to secure my scripts?
TRUSTAbyss

Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

PostPosted: Fri Apr 13, 2007 1:08 am    Post subject:

Hello Kent,

My guess is that CmX used the exec() command to shut down Abyss Web Server from a PHP script he uploaded. Simply, check the file type before allowing the upload. Modify your upload script, so that it denies files it does not understand. I recommend creating an array of file extensions and only allow those file extensions.
Kent

Joined: 12 Jan 2003
Posts: 137

PostPosted: Fri Apr 13, 2007 1:58 am    Post subject:
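The allowlist approach TRUSTAbyss describes, written out as an added example (this is not Kent's swank.php nor code posted in the thread). It assumes the form field is named "photo", that files are stored under ./uploads/, and that the web server is configured so nothing in that directory is ever executed as PHP.

```php
<?php
// Added example, not Kent's swank.php or code from this thread: an upload
// handler built around an extension allowlist, as TRUSTAbyss suggests.
// Assumptions: the form field is named "photo", files are stored under
// ./uploads/, and that directory is configured so PHP is never executed there.

$allowed   = array('jpg', 'jpeg', 'png', 'gif');   // allowlist, not a blocklist
$uploadDir = __DIR__ . '/uploads/';

if (!isset($_FILES['photo']) || $_FILES['photo']['error'] !== UPLOAD_ERR_OK) {
    exit('No file uploaded.');
}
$file = $_FILES['photo'];

// Guard against the script being tricked into moving a file that did not
// arrive through this request's upload.
if (!is_uploaded_file($file['tmp_name'])) {
    exit('Invalid upload.');
}

// Only the final extension counts, lower-cased, so "Shell.PHP" is rejected
// and "x.php.jpg" is judged on "jpg" (and renamed below anyway).
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) {
    exit('File type not allowed.');
}

// The extension is client-controlled; confirm the bytes parse as an image.
$info = @getimagesize($file['tmp_name']);
$imageTypes = array(IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF);
if ($info === false || !in_array($info[2], $imageTypes, true)) {
    exit('File is not a valid image.');
}

// Server-chosen random name: the client never picks the path or extension
// the file gets on disk. random_bytes() needs PHP 7 or later.
$newName = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $uploadDir . $newName)) {
    exit('Could not store file.');
}
echo 'Stored as ' . htmlspecialchars($newName, ENT_QUOTES, 'UTF-8');
```

The extension check and the image check are both advisory; the control that actually stops an uploaded script from running is the server rule that nothing under ./uploads/ is handed to the PHP interpreter.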

yes he used the following script once he uploaded it :) lol

<?php
exec("taskkill /f /im abyssws.exe");
?>

I've been reading up on my security flaws, but am not aware of the other flaws he may have found..
AbyssUnderground

Joined: 31 Dec 2004
Posts: 3855

PostPosted: Fri Apr 13, 2007 2:47 am    Post subject:

cmx is very good. He has helped me secure my home made scripts many times and so far I've never been hacked a single time. If there was anyone I'd trust the securing of my script with it would be cmx.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
Kent

Joined: 12 Jan 2003
Posts: 137

PostPosted: Fri Apr 13, 2007 3:12 am    Post subject:

he told me he doesn't have the time to help me out but has pointed me to some stuff I should read up on such as PHP Sessions and
htmlentities() function... I don't fully understand it all yet.. and will probably need help with my project from someone eventually.. my plan is to make it open source, but before I put it out there I wanna have security in it.. if you know any developers that wanna jump on board and have time let me know..
basically the script lets users sign up for an account,
they can upload photos or video and other users can comment on the uploads.. and there are user blogs as well.. and I also want to implement user inbox mail type stuff too.
TRUSTAbyss

Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

PostPosted: Fri Apr 13, 2007 3:21 am    Post subject:

Hey Kent! Check your private messages folder for a simple code fix. I sent you some modified code which uses a Regex to match a number of file extensions.
Kent

Joined: 12 Jan 2003
Posts: 137

PostPosted: Fri Apr 13, 2007 3:41 am    Post subject: Thanx

Thanks TRUSTAbyss You have helped me gain an extra bit of code knowledge - I am hungry to learn..
cmxflash

Joined: 11 Dec 2004
Posts: 872

PostPosted: Fri Apr 13, 2007 12:20 pm    Post subject:

The problem is that his scripts do not check if a specific user has permission to do something (example: Anybody is able to edit any profile, the only thing preventing it is a hidden value in his edit form).

I only did a brief security check and the problems I found were posted in my first post. However, I'm sure I can find more problems if I just spend some more time at it. But since I bought World of Warcraft, I really don't have that time.

By the way, when handling files in PHP, you should never open/remove/change a file which came from the user in a GET or POST variable unless you can be 100% sure it's the correct file. As far as I know, this guy used something like unlink($_GET['image']). I told him in my PM that he should use a unique ID for each image stored in a database, and then use something like remove.php?id=34 when removing an image.

In my photoalbum, I use the scandir() function to make sure the thumbnail URL cannot be changed.
Kent

Joined: 12 Jan 2003
Posts: 137

PostPosted: Fri Apr 13, 2007 7:27 pm    Post subject: ?
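The remove.php?id=34 design cmxflash recommends, combined with the per-user permission check from the same post, as an added example (not Kent's ikilledit.php and not code from the thread). Assumed: a "photos" table with columns id, owner_id and filename; the login code storing the user's id in $_SESSION['user_id']; files under ./uploads/; placeholder database credentials.

```php
<?php
// Added example, not Kent's ikilledit.php: delete a photo by database ID,
// with ownership checked server-side against the session, as cmxflash
// describes. Assumptions: table photos(id, owner_id, filename), login code
// that sets $_SESSION['user_id'], files under ./uploads/, placeholder DSN.
session_start();

if (!isset($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}
$userId = (int) $_SESSION['user_id'];

// The only thing taken from the client is an integer ID: no path, no name.
$photoId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($photoId === false || $photoId === null) {
    exit('Bad request.');
}

// Placeholder credentials; replace with the real ones.
$pdo = new PDO('mysql:host=localhost;dbname=gallery', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Look the row up by id AND owner, so a user can only reach their own photos.
// A prepared statement keeps the ID out of the SQL text entirely.
$stmt = $pdo->prepare('SELECT filename FROM photos WHERE id = ? AND owner_id = ?');
$stmt->execute(array($photoId, $userId));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    // Same answer whether the photo does not exist or belongs to someone else.
    header('HTTP/1.1 404 Not Found');
    exit('No such photo.');
}

// The filename was chosen by the upload script, never by the client, but
// basename() still pins it inside the uploads directory as a second guard.
$path = __DIR__ . '/uploads/' . basename($row['filename']);

$del = $pdo->prepare('DELETE FROM photos WHERE id = ? AND owner_id = ?');
$del->execute(array($photoId, $userId));
if ($del->rowCount() === 1 && is_file($path)) {
    unlink($path);
}
echo 'Photo removed.';
```

Because a GET link can be triggered by any page the user happens to visit, a real deployment would put the delete behind a POST form carrying a per-session token rather than the bare ?id=34 link used here for illustration.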

I don't use unlink($_GET['image']) on any of the files that make up the scripts deleting functions for users nor the admin area