Hello frnds. im here seeking a help in protecting sid (session) in lavalair script. I dont use bbcodes for images, i dont use any external links. Also i protected the session by ip and browser check. That means, if somebody copy and paste the sid, they will get SESSION EXPIRED messages. But still peoples are hijacking my sessions and entering in others id. is it because of brute force attack? Please help me to secure my site from session stealing.
-
-
what is the addy?u can pm me.let me check.
if u have uploader in site then see if it only accepts needed extensions. i.e if someone using shell.php.jpg then it should stop them if u use use condition in it and use proper code in htaccess.i think they must using shells in ur site.
PHP Code:AddType image/gif .gif
AddType image/gif .gif
AddType image/jpeg .jpeg .jpg .jpe .JPG
AddType image/png .png .PNG
addtype audio/x-mpegurl m3u
addtype audio/mpegurl m3u
addtype text/vnd.wap.wml wml
addtype application/vnd.wap.wmlc wmlc
addtype text/vnd.wap.wmlscript wmls
addtype application/vnd.wap.wmlscriptc wmlsc
addtype image/vnd.wap.wbmp wbmp
addType application/java-archive jar
addType application/x-java-archive jar
addType text/vnd.sun.j2me.app-descriptor;charset=UTF-8 jad
addType application/vnd.symbian.install sis
addType application/vnd.symbian.install sisx
addType audio/3gpp 3gp
addType video/3gpp 3gp
addType audio/x-wav wav
addType audio/amr amr
addType audio/amr-wb awb
addType audio/mpeg mp3
addType audio/x-midi mid
addType audio/midi mid
addType audio/midi midi
addType application/x-smaf mmf
addType application/vnd.smaf mmf
addType application/vnd.mophun.application mpn
addType application/vnd.mophun.application mpc
addType application/vnd.eri.thm thm
addType application/vnd.nok-s40theme nth
Last edited by thunderwap; 13.05.15, 06:16.sigpic
WANT GOOD CHEAP HOSTING WITH 99% UPTIME? THEN PM ME FOR DETAILS!! -
Originally posted by thunderwap View Post
Uploader was also kind of secure.. Hacker was saying, he was doing brute force, so that he came through other users SID (session).Comment
-
Hacker will not tell u true way that how he did entered in ur site.so u should not trust them what they says to u.i m sure he using shell.sigpic
WANT GOOD CHEAP HOSTING WITH 99% UPTIME? THEN PM ME FOR DETAILS!!Comment
-
Not exactly hard to get the persons ip and browser details at same time as the session id
Comment
-
brother... i could not understand this.. could you please tell me clearly? Sorry for my ignoranceOriginally posted by something else View PostNot exactly hard to get the persons ip and browser details at same time as the session idComment
-
The hacker is stealing session, ip and browser from his target. The hacker then uses the targets session and browser and ip to gain access to their account.
Comment
-
Thank you so much for this. but there is no solution for this? i alredy santized all the input datas. but how is it possible bro?Originally posted by something else View PostComment
-
Replace your current ip function with this one:I cant tell you where all the holes are - but it sounds like you may have missed some. Maybe a landing page for clearing session id from urlsPHP Code:function getip()
{
return $_SERVER['REMOTE_ADDR'];
}
Last edited by something else; 15.05.15, 18:18.Comment
-
-
sorry i dont think its called a landing page now >.< i cant think what they are called but its a page that goes between: a page containing an external site link and the external site. This page contains no session id so therefore session id can not be stolen via referrer as it contains the session id.
Comment
-
-
if you dont know how to protect the sid, why dont you remove the sid from every page. or use the script without the sid
Comment
-
u mean by using SESSIONS bro?Originally posted by centi View Postif you dont know how to protect the sid, why dont you remove the sid from every page. or use the script without the sidComment
-
PHP Code:$sid = !empty($_GET['sid']) ? ((bool) preg_match('/^[a-z0-9]{32}$/iD', $_GET['sid']) !== false ? $_GET['sid'] : null) : null;
<!DOCTYPE html PUBLIC "-//WAPFORUM.RSComment
Comment