How to secure lavalair ALL versions


    #31
    All data stored, displayed, added, deleted, updated etc. should be really sanitized to protect you from hacking, and you should also know how to exploit your own work/site to prevent hacking.

    Comment


      #32
      1. 100% protection of a site is impossible. If you realise this and accept it then you're more secure already, as you'll learn to take backups and hopefully read up on security tuts. The simple reason is that it's a lot harder to foresee a problem than it is to protect against it before you even know what it is.

      2. Hotlinking images is fine, just sanitise the data, the main thing being to htmlspecialchars the URL. You'd be surprised how easy it is to session hijack using the avatar field due to people not doing that. You can also check the file extension and even check it's a valid image. Here's a fairly basic but usually sufficient bbcode for img tags (note that in my bbcode parser I htmlspecialchar the text before parsing bbcode, so you either need to add HSC to this bbcode replace or add HSC to the top of your bbcode parser).

      Code:
          // [img]http://www/image.gif[/img]
          $s = preg_replace("/\[img\](http:\/\/[^\s'\"<>]+(\.(jpg|gif|png)))\[\/img\]/i", "<img border=\"0\" src=\"\\1\" alt='' />", $s);
      
          // [img=http://www/image.gif]
          $s = preg_replace("/\[img=(http:\/\/[^\s'\"<>]+(\.(gif|jpg|png)))\]/i", "<img border=\"0\" src=\"\\1\" alt='' />", $s);
      3. As with hotlinking, hosting an uploader is fine as long as you do your checks. Nearly every single one of the biggest websites has an upload ability, so uploaders clearly aren't insecure, you just need to protect them against malicious use. There's a load of things you can do for that. Two PHP directives for a start you should edit/check are disable functions (make sure you disable exec and system) and open base dir (set it so that files outside of the http dir can't be served).

      Then employ whitelisting rather than blacklisting, where you whitelist the file types you will allow. You could also make a blacklist for words you will not allow such as php and .sh. It's not a big deal to users to have to rename a file if it contains them, although that's a thing I wouldn't use; it's always a thought if you don't mind reducing usability a tad.

      Then you have the ability to upload files to a directory only YOU can access. Of course not all hosts allow this (and possibly you'd need a dedi server to do this) but you could create a directory to move files to for verification (obviously http will need write permissions so you could set up a cronjob to move the files to a waiting area). That way you can verify files manually. For most of you, while it would be a little inconvenient at times, I doubt you're gonna get so much traffic that it's gonna get overwhelming.

      Obviously chmodding the uploaded files so they're not executable is also another big thing. While interpreted scripts like php don't require execution to run as they are read, shell scripts and such do require execution perms, so that takes care of them.

      Also file renaming is a good thing; double barrelled extensions like .php.gif can be renamed. This can be further secured by using reference implementation so the client never actually knows the name of the file they uploaded now it's on your server. You can use a mysql database or a flat file simple referencing database to store the references to the files and even update the reference name each time it's requested.

      This is in no way, shape or form a complete security post. Security needs to be tackled from many angles (coding, configuration and user practices just to name a few) and I'd strongly suggest, whenever you're coding a section of a site, whether it be an uploader, authentication system, chatbox or anything else, to do a simple google search for it containing the "secure" keyword and see how others have gone about implementing it as securely as they can. Chances are there will be something you haven't covered or at least haven't covered as well.

      Comment
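
The upload checks listed in post #32 (extension whitelist, content check, renaming, non-executable permissions, a stored reference instead of the client's file name), combined into one handler. This is an added example, not code from the thread; it assumes PHP 7.1 or later with the fileinfo extension, and the `store_upload()` name, the storage path, the size limit and the `upload` form field are assumptions.

```php
<?php
// Added example: names, paths and limits below are assumptions.
const UPLOAD_DIR = '/var/uploads';   // a directory outside the web root
const MAX_BYTES  = 2097152;          // 2 MB
// Whitelist: allowed extension => MIME type the content must really have
const ALLOWED = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns the reference to save in the database, or null if rejected.
 */
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }

    // Only the last extension is looked at, and it must be whitelisted.
    // "x.php.gif" passes as "gif", but the stored name below is built from
    // random bytes plus that one extension, so ".php" never reaches the disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }

    // Check the content itself, not the client-supplied $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null;   // does not parse as an image
    }

    $ref  = bin2hex(random_bytes(16));          // 32 hex characters
    $dest = UPLOAD_DIR . '/' . $ref . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // no execute bit for anyone
    return $ref;          // keep $ref, $ext and the original name in the database
}

// In the form handler (field name "upload" is an assumption):
// $ref = isset($_FILES['upload']) ? store_upload($_FILES['upload']) : null;
```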


        #33
        @djlee you should write books

        but this is still not secure,
        you can bypass the reg exp check using mod rewrite, I would suggest creating an additional file which would check for the image mime type.

        like this:
        PHP Code:
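        <?php
        // image_check.php: redirect to the linked image only if it really is a GIF, JPEG or PNG

        $src = isset($_GET['src']) ? $_GET['src'] : '';
        $image_info = @getimagesize($src); // false when the target is not a readable image
        $allowed = array('image/gif', 'image/jpeg', 'image/png');

        if ($image_info !== false && in_array($image_info['mime'], $allowed, true))
        {
          header('HTTP/1.1 301 Moved Permanently');
          header('Location: '.$src);
        }
        else
        {
          header('HTTP/1.1 301 Moved Permanently');
          header('Location: ./default.png'); /* define here a default image in case the linked image is a fake image */
        }
        exit;
        ?>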
        and here is the bbcode:
        PHP Code:
        $s = preg_replace("/\[img\](http:\/\/[^\s'\"<>]+(\.(jpg|gif|png)))\[\/img\]/i", "<img border=\"0\" src=\"image_check.php?src=\\1\" alt='' />", $s);

        $s = preg_replace("/\[img=(http:\/\/[^\s'\"<>]+(\.(gif|jpg|png)))\]/i", "<img border=\"0\" src=\"image_check.php?src=\\1\" alt='' />", $s);

        Comment


          #34
          WOW gums helped out with lava hehe tanx m8
          ________________
          Jacques
          jacques@gw-designs.co.za
          http://coding.biz.tm
          Come join and lets make it a place to learn all the noobies how to code
          __________________

          NEVER FORGET TO CLICK THE TANX BUTTON IF U LIKE WHAT IM SHARING OR HELPING WITH

          Comment


            #35
            Yup, you're right gum, but it was just an example, it all depends on where you use it tbh. If you're hotlinking then mime type isn't such a big deal as the client's browser will try to load an img file. I don't think it would execute a js file embedded in an img tag, so as long as you HSC so they can't break out of the img tag (which is possible on most wap sites I've visited... check your avatar display everyone lol) then you should be fine.

            Obviously during uploading images mime type checks would be one of the things you'd do (or at least I hope so).

            In fact you just made me check that js can't be put as an img src lol, IMG SRC tags and JavaScript - Stack Overflow ... obviously it requires the browser to do the correct validation and operate properly but I doubt there's gonna be many or any browsers that would be susceptible to that.

            In fact I'd imagine the way the browser outputs an image doing its internal business it wouldn't inherently try to execute any code. Sort of imagine trying to put js code into a gd library generating image. Since (for all intents and purposes) it's in "image mode" it's technically impossible for it to execute malicious code as it doesn't recognise the code or the language it's written in. Bit hard to explain, I'm crap at explaining technical stuff lol, you either understand or you don't I guess :P

            Comment


              #36
              use this to protect ur site from shell uploads

              Code:
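              # Hide these names from directory listings
              IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

              # GET and POST: deny is evaluated first, then allow, so everyone is allowed
              <Limit GET POST>
              order deny,allow
              deny from all
              allow from all
              </Limit>

              # PUT and DELETE are refused for everyone
              <Limit PUT DELETE>
              order deny,allow
              deny from all
              </Limit>

              # Refuse requests for a file named "images"
              <Files images>
              deny from all
              </Files>

              # Refuse direct requests for PHP files, including double extensions
              <Files *.php>
              deny from all
              </Files>

              <Files *.php.*>
              deny from all
              </Files>

              <Files *.php.php.*>
              deny from all
              </Files>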

              Comment


                #37
                Originally posted by riderz View Post
                use this to protect ur site from shell uploads
                Code:
                IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
                <Limit GET POST>
                order deny,allow
                deny from all
                allow from all
                </Limit>
                <Limit PUT DELETE>
                order deny,allow
                deny from all
                </Limit>
                <Files images>
                deny from all
                </Files>
                <Files *.php>
                deny from all
                </Files>
                <Files *.php.*>
                deny from all
                </Files>
                <Files *.php.php.*>
                deny from all
                </Files>
                I think if you just rename the file to .php3 or to some other extension using a file binder, it's still executable? Is htmlspecialchars really enough? Will this work? image.php?src=javascript:alert(document.cookie);

                Comment
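
The [img] handling discussed in posts #32 to #37, as an added example that is not code from the thread: escape first, then accept only http/https URLs that end in a whitelisted image extension. `render_img_bbcode()` is a hypothetical helper name and the sample inputs are constructed.

```php
<?php
// Added example; render_img_bbcode() is a hypothetical helper name.
function render_img_bbcode(string $text): string
{
    // 1. Escape first, so quotes and angle brackets typed by the user can
    //    never close the src attribute or the <img> tag.
    $s = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Handle both [img]url[/img] and [img=url].
    $pattern = '/\[img\](\S+?)\[\/img\]|\[img=(\S+?)\]/i';
    return preg_replace_callback($pattern, function (array $m): string {
        $url = ($m[1] !== '') ? $m[1] : $m[2];

        // 3. Whitelist scheme and extension. "&" is excluded, so a URL
        //    that contained a quote, "<", ">" or "&" before escaping
        //    (now an entity) is refused as well.
        if (!preg_match('#^https?://[^\s&]+\.(?:jpe?g|gif|png)$#i', $url)) {
            return $m[0];   // leave the escaped text as typed
        }
        return '<img border="0" src="' . $url . '" alt="" />';
    }, $s);
}

// Constructed sample inputs: a normal image, the javascript: URL asked
// about in the thread, and a URL containing a double quote.
$samples = [
    '[img]http://example.com/a.gif[/img]',
    '[img]javascript:alert(document.cookie);[/img]',
    '[img=http://example.com/"a.png]',
];
foreach ($samples as $in) {
    echo render_img_bbcode($in), "\n";
}
```

Only the first sample is turned into an `<img>` tag; the other two come back as escaped plain text.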


                  #38
                  yeah heheh but we can add php3 in htaccess, nothing is impossible

                  Comment


                    #39
                    Originally posted by WereWolveZ View Post
                    yeah heheh but we can add php3 in htaccess, nothing is impossible
                    A virus with a .exe extension can be changed to .mp3 using a file binder. My advice is not to just block the extensions; it might be better if force download is used in .htaccess :-)

                    Comment


                      #40
                      I make all uploaded files come up as a 404 even if they're in there, and my script can still force a download or preview (images)

                      Comment
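
One way to do what posts #39 and #40 describe (uploaded files not reachable by URL, served only through a script that forces a download or previews images), as an added example that is not code from the thread. The `uploads` table and its columns, the storage path, the `preview` parameter and the `send_upload()` name are assumptions, as is the scheme of storing each file under a random 32-hex-character reference.

```php
<?php
// Added example; table, column, parameter and path names are assumptions.
const UPLOAD_DIR = '/var/uploads';   // outside the web root, or denied in .htaccess

function send_upload(PDO $db, string $ref): void
{
    // The reference is the random hex name generated at upload time;
    // anything else is rejected before it touches the database or disk.
    if (!preg_match('/^[0-9a-f]{32}$/', $ref)) {
        http_response_code(404);
        return;
    }
    $st = $db->prepare('SELECT ext, original_name FROM uploads WHERE ref = ?');
    $st->execute([$ref]);
    $row  = $st->fetch(PDO::FETCH_ASSOC);
    $path = $row ? UPLOAD_DIR . '/' . $ref . '.' . $row['ext'] : null;
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return;
    }

    // Previews only for known image types; everything else is a download.
    $images = ['jpg' => 'image/jpeg', 'gif' => 'image/gif', 'png' => 'image/png'];
    $inline = isset($images[$row['ext']]) && isset($_GET['preview']);
    $type   = $inline ? $images[$row['ext']] : 'application/octet-stream';
    // The original name is user input: reduce it to a safe character set.
    $name   = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);

    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');   // browser must not guess a type
    header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
        . '; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```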


                        #41
                        force download is a nice idea.

                        Comment


                          #42
                          i think no site is 100% secure

                          Comment


                            #43
                            make the session like this:
                            // values the session id is derived from
                            $ip = base64_encode($_SERVER["REMOTE_ADDR"]);
                            $brw = base64_encode($_SERVER["HTTP_USER_AGENT"]);
                            $time = time();
                            $sid = md5($ip.$brw.$time);
                            make in table 'lava_ses' a new field 'login_time' and insert the time( ).
                            //////////the function islogin will be
                            etc etc etc
                            // recompute the id from the current request and the stored login time
                            $ip = base64_encode($_SERVER["REMOTE_ADDR"]);
                            $brw = base64_encode($_SERVER["HTTP_USER_AGENT"]);
                            $time_login = $row['login_time'];
                            $sid2 = md5($ip.$brw.$time_login);
                            if ($sid == $sid2) {
                                // login
                            } else {
                                // not login or this is not your session
                            }


                            /////////////// I HOPE YOU UNDERSTAND

                            Comment


                              #44
                              ^ That's stupid

                              Comment


                                #45
                                plz any one make this script php v5/6

                                function check_injection()
                                {
                                    // SQL keywords treated as suspicious
                                    $badchars = array("DROP", "TRUNCATE", "SELECT", "UPDATE", "DELETE", "UNION", "WHERE", "FROM", "INSERT", "ORDER BY");

                                    foreach ($_REQUEST as $value)
                                    {
                                        if (!is_string($value))
                                        {
                                            continue; // skip array parameters
                                        }
                                        foreach ($badchars as $word)
                                        {
                                            // case-insensitive whole-word match anywhere in the value
                                            if (preg_match('/\b' . preg_quote($word, '/') . '\b/i', $value))
                                            {
                                                $logfile = 'logs/log.txt'; // chmod 777
                                                $IP = $_SERVER['REMOTE_ADDR'];
                                                $logdetails = date("F j, Y, g:i a") . ': ' . '<a href=http://dnsstuff.com/tools/city.ch?ip=' . $IP . ' target=_blank>' . $IP . '</a>' . "\n";
                                                // append to the log instead of overwriting its start
                                                file_put_contents($logfile, $logdetails, FILE_APPEND | LOCK_EX);

                                                header('Location: http://google.com');
                                                exit; // stop the script after the redirect
                                            }
                                        }
                                    }
                                }

                                Comment
