Every piece of data stored, displayed, added, deleted, updated, etc. should be properly sanitised to protect you from hacking, and you should also know how to exploit your own work/site in order to prevent hacking.
How to secure lavalair ALL versions
-
1. 100% protection of a site is impossible; if you realise this and accept it then you're more secure already, as you'll learn to take backups and hopefully read up on security tutorials. The simple reason being that it's a lot harder to foresee a problem than it is to protect against it before you even know what it is.
2. Hotlinking images is fine, just sanitise the data, the main thing being htmlspecialchars on the URL; you'd be surprised how easy it is to session hijack using the avatar field due to people not doing that. You can also check the file extension and even check it's a valid image. Here's a fairly basic but usually sufficient bbcode for img tags (note that in my bbcode parser I htmlspecialchars the text before parsing bbcode, so you either need to add HSC to this bbcode replace or add HSC to the top of your bbcode parser):
Code:
    // [img]http://www/image.gif[/img]
    $s = preg_replace("/\[img\](http:\/\/[^\s'\"<>]+(\.(jpg|gif|png)))\[\/img\]/i", "<img border=\"0\" src=\"\\1\" alt='' />", $s);
    // [img=http://www/image.gif]
    $s = preg_replace("/\[img=(http:\/\/[^\s'\"<>]+(\.(gif|jpg|png)))\]/i", "<img border=\"0\" src=\"\\1\" alt='' />", $s);
Then employ whitelisting rather than blacklisting, where you whitelist the file types you will allow. You could also make a blacklist of words you will not allow, such as php and .sh. It's not a big deal to users to have to rename a file if it contains them; although that's a thing I wouldn't use, it's always a thought if you don't mind reducing usability a tad.
Then you have the ability to upload files to a directory only YOU can access. Of course not all hosts allow this (and possibly you'd need a dedicated server to do this), but you could create a directory to move files to for verification (obviously HTTP will need write permissions, so you could set up a cronjob to move the files to a waiting area). That way you can verify files manually; for most of you, while it would be a little inconvenient at times, I doubt you're going to get so much traffic that it's going to get overwhelming.
Obviously chmodding the uploaded files so they're not executable is another big thing; while interpreted scripts like PHP don't require execute permission to run, as they are read, shell scripts and such do require execute perms, so that takes care of them.
Also, file renaming is a good thing: double-barrelled extensions like .php.gif can be renamed. This can be further secured by using reference implementation, so the client never actually knows the name of the file they uploaded now that it's on your server; you can use a MySQL database or a simple flat-file referencing database to store the references to the files, and even update the reference name each time it's requested.
This is in no way, shape or form a complete security post; security needs to be tackled from many angles (coding, configuration and user practices, just to name a few), and I'd strongly suggest that whenever you're coding a section of a site, whether it be an uploader, authentication system, chatbox or anything else, you do a simple Google search for it containing the "secure" keyword and see how others have gone about implementing it as securely as they can. Chances are there will be something you haven't covered, or at least haven't covered as well.
-
@djlee you should write books
but this is still not secure; you can bypass the regexp check using mod_rewrite. I would suggest creating an additional file which would check for the image MIME type, like this:
PHP Code:
    <?php
    // image_check.php: fetch the linked file server-side with getimagesize()
    // (remote URLs need allow_url_fopen) and only send the browser on to it if
    // the bytes really are an image; otherwise send it to a default image.
    $src = isset($_GET['src']) ? $_GET['src'] : '';
    $image_info = @getimagesize($src);
    $allowed = array('image/gif', 'image/jpeg', 'image/png');
    if ($image_info !== false && in_array($image_info['mime'], $allowed, true))
    {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: ' . $src);
    }
    else
    {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: ./default.png'); /* define here a default image in case the linked image is a fake image */
    }
    exit;
PHP Code:
    $s = preg_replace("/\[img\](http:\/\/[^\s'\"<>]+(\.(jpg|gif|png)))\[\/img\]/i", "<img border=\"0\" src=\"image_check.php?src=\\1\" alt='' />", $s);
    $s = preg_replace("/\[img=(http:\/\/[^\s'\"<>]+(\.(gif|jpg|png)))\]/i", "<img border=\"0\" src=\"image_check.php?src=\\1\" alt='' />", $s);
-
Yup, you're right gum, but it was just an example; it all depends on where you use it tbh. If you're hotlinking then MIME type isn't such a big deal, as the client's browser will try to load an image file; I don't think it would execute a JS file embedded in an img tag, so as long as you HSC so they can't break out of the img tag (which is possible on most wap sites I've visited... check your avatar display, everyone lol) then you should be fine.
Obviously during uploading, image MIME type checks would be one of the things you'd do (or at least I hope so).
In fact you just made me check that JS can't be put as an img src lol, IMG SRC tags and JavaScript - Stack Overflow ... obviously it requires the browser to do the correct validation and operate properly, but I doubt there are going to be many, or any, browsers that would be susceptible to that.
In fact I'd imagine that the way the browser outputs an image, doing its internal business, it wouldn't inherently try to execute any code. Sort of imagine trying to put JS code into an image generated by the GD library. Since (for all intents and purposes) it's in "image mode", it's technically impossible for it to execute malicious code, as it doesn't recognise the code or the language it's written in. Bit hard to explain, I'm crap at explaining technical stuff lol, you either understand or you don't I guess :P
-
Use this to protect your site from shell uploads:
Code:
    IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
    <Limit GET POST>
        order deny,allow
        deny from all
        allow from all
    </Limit>
    <Limit PUT DELETE>
        order deny,allow
        deny from all
    </Limit>
    <Files images>
        deny from all
    </Files>
    <Files *.php>
        deny from all
    </Files>
    <Files *.php.*>
        deny from all
    </Files>
    <Files *.php.php.*>
        deny from all
    </Files>
-
Originally posted by riderz: Use this to protect your site from shell uploads: (the .htaccess snippet quoted above)
-
Originally posted by WereWolveZ: Yeah heheh, but we can add php3 in the htaccess too, nothing is impossible.
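Following on from the snippet riderz posted and the php3 point WereWolveZ raises, here is an added example (not riderz's or WereWolveZ's configuration, and not part of Lavalair) of an .htaccess meant for the uploads directory only. Instead of listing `*.php` patterns one by one it turns the script engine off, strips every handler, forces static delivery and then denies any name with a script-like extension anywhere in it, so `shell.php3`, `shell.phtml`, `shell.phar` and `shell.php.gif` are all covered. It assumes Apache 2.4 syntax, mod_php (the `php_flag` line does nothing under PHP-FPM, where the `SetHandler` line is what stops execution) and an `AllowOverride` that permits FileInfo, Options, Limit and Indexes.

```apache
# Added example: .htaccess for the uploads directory only.
# Assumes Apache 2.4, mod_php, and AllowOverride FileInfo Options Limit Indexes.

# No directory listings, no CGI execution from here
Options -Indexes -ExecCGI

# Switch the PHP engine off for this directory (mod_php only; the module is
# called mod_php5.c / mod_php7.c on older PHP versions)
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Remove anything that could map a file here to an interpreter, then force
# every file to be delivered as a plain static file
RemoveHandler .php .php3 .php4 .php5 .php7 .phtml .phar .pl .py .cgi .sh
RemoveType    .php .php3 .php4 .php5 .php7 .phtml .phar
SetHandler default-handler

# Belt and braces: refuse to serve any name with a script extension anywhere in
# it, so shell.php.gif and shell.PhP3 are caught, not just *.php
<FilesMatch "\.(?i)(php[0-9]?|phtml|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>

# Static images only need GET/HEAD; refuse every other method
<LimitExcept GET HEAD>
    Require all denied
</LimitExcept>

# Stop browsers sniffing an "image" into HTML or script
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

On Apache 2.2 the `Require all denied` lines become `Order deny,allow` / `Deny from all`. The `FilesMatch` pattern is case-insensitive because of `(?i)`, which matters on case-insensitive filesystems and for uploaders that let the user pick the name.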
-
Make the session like this:
PHP Code:
    $ip   = base64_encode($_SERVER['REMOTE_ADDR']);
    $brw  = base64_encode($_SERVER['HTTP_USER_AGENT']);
    $time = time();
    $sid  = md5($ip . $brw . $time);
Make a new field 'login_time' in the table 'lava_ses' and insert the time() into it.
////////// The function islogin will be:
etc etc etc
PHP Code:
    $ip  = base64_encode($_SERVER['REMOTE_ADDR']);
    $brw = base64_encode($_SERVER['HTTP_USER_AGENT']);
    $time_login = $row['login_time'];
    $sid2 = md5($ip . $brw . $time_login);
    if ($sid == $sid2)
    {
        // login
    }
    else
    {
        // not logged in, or this is not your session
    }
/////////////// I HOPE YOU UNDERSTAND
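An added example of the same idea, binding a session to the browser that created it and to its login time; this is not the code from the post above and not Lavalair's. The swapped-in technique: the session id is a random token from the CSPRNG rather than md5 of the IP, user agent and time, only a hash of the token is kept server-side next to a fingerprint and the login time, and the check uses hash_equals. An in-memory array stands in for the lava_ses table; its column names are assumptions. Needs PHP 7.1 or later.

```php
<?php
// Added example, not the code from the post above: random session token,
// stored hashed next to a browser fingerprint and the login time.
// $SESSIONS stands in for the lava_ses table (column names assumed).

$SESSIONS = array();

// What the session is bound to. The user agent is cheap to check; the IP is
// deliberately left out so users on mobile networks, whose IP changes between
// requests, are not logged out (an assumption that suits a wap site).
function session_fingerprint(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Create a session: returns the token for the cookie, stores only its hash,
// so a leaked table does not hand out usable tokens.
function create_session(array &$store, int $user_id, array $server, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 random bits, not derivable from public data
    $store[hash('sha256', $token)] = array(
        'user_id'     => $user_id,
        'fingerprint' => session_fingerprint($server),
        'login_time'  => $now,
    );
    return $token;
}

// Validate a presented token: returns the user id, or null when it is not a
// live session for this browser.
function is_login(array $store, string $token, array $server, int $now, int $max_age = 86400): ?int
{
    if (!preg_match('/^[a-f0-9]{64}$/', $token)) {
        return null;                             // malformed: never issued by us
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                             // unknown or already logged out
    }
    $row = $store[$key];
    // hash_equals compares in constant time, so the fingerprint cannot be
    // guessed byte by byte through response timing
    if (!hash_equals($row['fingerprint'], session_fingerprint($server))) {
        return null;                             // different browser: not your session
    }
    if ($now - $row['login_time'] > $max_age) {
        return null;                             // login_time too old: expired
    }
    return $row['user_id'];
}

// --- demo with constructed request data ---
$alice   = array('HTTP_USER_AGENT' => 'Opera/9.80 (J2ME/MIDP; Opera Mini/4.2)');
$mallory = array('HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64)');
$t0 = 1700000000;

$token = create_session($SESSIONS, 42, $alice, $t0);
var_dump(is_login($SESSIONS, $token, $alice, $t0 + 60));      // Alice, same browser: user 42
var_dump(is_login($SESSIONS, $token, $mallory, $t0 + 60));    // stolen token, other browser: rejected
var_dump(is_login($SESSIONS, $token, $alice, $t0 + 90000));   // a day later: expired
var_dump(is_login($SESSIONS, 'deadbeef', $alice, $t0 + 60));  // not one of ours
```

Send the token with `setcookie()` using the `httponly` and, on HTTPS, `secure` flags so the avatar-field XSS discussed earlier cannot read it with `document.cookie`; the user agent check then only has to catch tokens stolen by other means.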
-
Please, can anyone make this script work on PHP v5/6?
PHP Code:
    function check_injection()
    {
        // SQL keywords that are not allowed anywhere in request data
        $badwords = array("DROP", "TRUNCATE", "SELECT", "UPDATE", "DELETE", "UNION", "WHERE", "FROM", "INSERT", "ORDER BY");
        foreach ($_REQUEST as $value)
        {
            if (!is_string($value))
            {
                continue; // array parameters (name[]=...) are skipped by this simple check
            }
            $upper = strtoupper($value);
            $hit = in_array($upper, $badwords);
            if (!$hit)
            {
                // look for each keyword as a whole word inside the value
                // (the original split the value into single characters here, which can never match a keyword)
                foreach ($badwords as $word)
                {
                    if (preg_match('/\b' . preg_quote($word, '/') . '\b/', $upper))
                    {
                        $hit = true;
                        break;
                    }
                }
            }
            if ($hit)
            {
                $logfile = 'logs/log.txt'; // must be writable by the web server
                $IP = $_SERVER['REMOTE_ADDR'];
                $logdetails = date("F j, Y, g:i a") . ': <a href="http://dnsstuff.com/tools/city.ch?ip=' . $IP . '" target="_blank">' . $IP . '</a>' . "\n";
                $fp = fopen($logfile, "a"); // "a" appends; "r+" overwrote the start of the log on every hit
                fwrite($fp, $logdetails);
                fclose($fp);
                header('Location: http://google.com');
                exit; // stop here, otherwise the page keeps running after the redirect header
            }
        }
    }
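The check_injection() script above looks for SQL keywords in request data. As an added example (not the poster's script, and not Lavalair code), here is the approach that removes the need for that filter: the query is sent with placeholders, so whatever the user typed is bound as a value and can never become SQL text, and usernames or chat messages that happen to contain "select" or "from" go through untouched. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs offline; the users table and column names are assumptions.

```php
<?php
// Added example, not the script from the post above: parameterised queries
// instead of a keyword blacklist. pdo_sqlite assumed; table layout assumed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pass_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
    // two of these names would be thrown out by a keyword filter; they are just data here
    foreach (array('alice', 'select', 'from') as $name) {
        $ins->execute(array(':name' => $name, ':hash' => password_hash('pw-' . $name, PASSWORD_DEFAULT)));
    }
    return $db;
}

// The vulnerable pattern the keyword filter was trying to protect. DO NOT USE:
// $name is spliced into the SQL text, so a quote in it rewrites the query.
function find_user_unsafe(PDO $db, string $name): ?string
{
    $row = $db->query("SELECT name FROM users WHERE name = '$name'")->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Same lookup with a bound parameter: the value travels separately from the
// statement, so quotes and keywords inside it are only characters.
function find_user_safe(PDO $db, string $name): ?string
{
    $st = $db->prepare('SELECT name FROM users WHERE name = :name');
    $st->execute(array(':name' => $name));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Login the same way: fetch the stored hash by bound name, verify in PHP.
function login(PDO $db, string $name, string $pass): ?int
{
    $st = $db->prepare('SELECT id, pass_hash FROM users WHERE name = :name');
    $st->execute(array(':name' => $name));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($pass, $row['pass_hash'])) ? (int) $row['id'] : null;
}

// --- demo with a constructed payload ---
$db = make_db();
$payload = "' OR '1'='1";   // contains none of the blacklisted keywords, so check_injection() passes it
var_dump(find_user_unsafe($db, $payload));  // a row comes back: the quote turned the WHERE clause into OR '1'='1'
var_dump(find_user_safe($db, $payload));    // null: nobody is literally named ' OR '1'='1
var_dump(find_user_safe($db, 'select'));    // the user called "select" is found; no filter needed
var_dump(login($db, 'alice', 'pw-alice'));  // correct password: id 1
var_dump(login($db, "alice' --", 'x'));     // comment trick is just a name that does not exist
```

With MySQL the only change is the DSN, `new PDO('mysql:host=localhost;dbname=lavalair;charset=utf8mb4', $user, $pass)`, plus `setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` so the binding is done by the server rather than by escaping in the client.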