coolshrimp Posted December 1, 2015

Hey, so my site was recently hacked. They did not log in to hack the site; somehow they were able to inject their files and edit pages, so I'm guessing they may have been able to gain access using an email form or something, or simply a hole in (VBulletin, Magento). What I want to do is be sure my custom-coded user-submission forms are secure to prevent future injections.

So, say this is my code below: are there any security issues? Should I be sanitizing the $_POST data somehow and, if so, what's the best way? I'm thinking maybe they could inject code like adding a quoted command (' <? PHP code here ?>') in one of the form fields and it may run? Am I correct?

    <?php
    $to = "myemail@host.com";
    $name = $_REQUEST['name'];
    $subject = "Contact Form - " . $_REQUEST['subject'];
    $from = $_REQUEST['email'];
    $headers = "From:" . $name . " <" . $from . ">" . "\r\n" .
        "Reply-To:" . $from . "\r\n" .
        "Content-Type: text/html; charset=ISO-8859-1\r\n";
    $email = $from;
    $company = $_REQUEST['company'];
    $msgsubject = $_REQUEST['subject'];
    $comment = $_REQUEST['comment'];
    $date = date('Y-m-d');
    $message = <<<EOF
    Name: $name
    Company: $company
    Subject: $msgsubject
    Comment: $comment
    Date: $date
    EOF;
    if(isset($_POST['url']) && $_POST['url'] == ''){
        if (mail($to,$subject,$message,$headers)) {
            header("Location: ../pages/Contact_Success.html");
        } else {
            header("Location: ../pages/Contact_Fail.html");
        }
    }
    ?>
dsonesuk Posted December 1, 2015

Any values posted by a user MUST be validated and sanitized. To do this, see http://www.w3schools.com/php/php_filter.asp for validating/sanitizing email, string and int values.
Ingolme Posted December 2, 2015

I don't see anything in that particular block of code that would allow them to upload files to your server. What they could do with it is use your server to send unsolicited e-mails to anybody they like.
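The two replies above make separate points: dsonesuk says every posted value must be validated and sanitized, and Ingolme says the concrete consequence of not doing so here is that the form becomes an open mail relay. The following is an added example from the editor, not code from the thread, showing a hardened version of the contact-form handler: it reads `$_POST` only (not `$_REQUEST`), validates the address with `filter_var()`, rejects any header-bound value containing a line break, keeps `From:` on the site's own domain and puts the visitor in `Reply-To:`, and sends a plain-text body. The field names, the `noreply@example.com` sender and the length limits are assumptions; the two sample submissions are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code: a hardened handler for the
// contact form above. The field names (name, email, subject, company, comment
// and the hidden "url" honeypot) and the sender address are assumed.

// A CR, LF or NUL inside a value that is placed in a mail header ends that
// header and lets the sender append their own, e.g. "Bcc: victim@...".
function has_header_break(string $s): bool
{
    return preg_match('/[\r\n\x00]/', $s) === 1;
}

// Read a POST field as a trimmed string; arrays (name[]) become ''.
function str_field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Validate the submission. Returns ['ok' => bool, 'fields' => [...], 'errors' => [...]].
function validate_contact(array $post): array
{
    $errors = [];
    $fields = [];

    // FILTER_VALIDATE_EMAIL accepts only one syntactically valid address,
    // which rules out embedded line breaks and "a@x, b@y" lists.
    $email = filter_var(str_field($post, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email: not a valid address';
        $email = '';
    }
    $fields['email'] = $email;

    // Short free-text fields that end up in headers or the subject line.
    foreach (['name' => 100, 'subject' => 150, 'company' => 100] as $key => $max) {
        $value = str_field($post, $key);
        if (has_header_break($value) || strlen($value) > $max) {
            $errors[] = "$key: contains a line break or exceeds $max characters";
        }
        $fields[$key] = $value;
    }

    $comment = str_field($post, 'comment');
    if ($comment === '' || strlen($comment) > 5000) {
        $errors[] = 'comment: empty or longer than 5000 characters';
    }
    $fields['comment'] = $comment;

    // Honeypot: browsers leave the hidden "url" field empty; bots fill it.
    if (str_field($post, 'url') !== '') {
        $errors[] = 'url: honeypot field was filled in';
    }

    return ['ok' => $errors === [], 'fields' => $fields, 'errors' => $errors];
}

// Build headers from validated values only. From: stays on our own domain
// (assumed address) so SPF/DKIM still pass; the visitor goes in Reply-To.
function build_headers(array $fields): string
{
    $name = str_replace(['"', '\\'], '', $fields['name']);
    return "From: \"{$name} via Contact Form\" <noreply@example.com>\r\n"
         . "Reply-To: {$fields['email']}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Plain-text body, so nothing the visitor typed is rendered as HTML.
function build_body(array $fields): string
{
    return "Name: {$fields['name']}\nCompany: {$fields['company']}\n"
         . "Subject: {$fields['subject']}\nComment:\n{$fields['comment']}\n"
         . 'Date: ' . date('Y-m-d') . "\n";
}

// Constructed sample submissions: one benign, one carrying the classic
// header-injection payload in the email field.
$samples = [
    'benign' => ['name' => 'Ann Example', 'email' => 'ann@example.org', 'subject' => 'Quote',
                 'company' => 'Example Ltd', 'comment' => 'Please call me.', 'url' => ''],
    'attack' => ['name' => 'Ann', 'email' => "ann@example.org\r\nBcc: victim@example.net",
                 'subject' => 'Quote', 'company' => '', 'comment' => 'spam', 'url' => ''],
];

foreach ($samples as $label => $post) {
    $result = validate_contact($post);
    if (!$result['ok']) {
        echo "$label: rejected (" . implode('; ', $result['errors']) . ")\n";
        continue;
    }
    // In the real handler the mail() call goes here, e.g.
    // mail($to, 'Contact Form - ' . $result['fields']['subject'], build_body(...), build_headers(...));
    echo "$label: accepted\n" . build_headers($result['fields']) . "\n" . build_body($result['fields']);
}
```

Run with `php contact_check.php`: the "attack" sample is rejected because the address fails `FILTER_VALIDATE_EMAIL`, the "benign" sample prints the headers that would be handed to `mail()`. The honeypot check from the original script is kept, but it is only a bot filter; it does nothing against a hand-crafted request, which is why the header values are validated separately.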
coolshrimp Posted December 2, 2015 (Author)

I have a few different PHP forms; I'll post another one in a min to have checked. Using the code above, could they put something like this in the Name field, and would it run? Is this how they get in, pasting in their own upload script?

    name']; echo 'hi'; exit; $test = $_REQUEST['name

Would this echo out "hi" and then not run the rest of the PHP script?
coolshrimp Posted December 2, 2015 Author Share Posted December 2, 2015 <?php // Google API library include path set_include_path(get_include_path() . PATH_SEPARATOR . "$_SERVER[DOCUMENT_ROOT]" . "/Scripts/"); // Google Helper Script require_once($_SERVER['DOCUMENT_ROOT'] . "/Scripts/Google_Spreadsheet.php"); //*************************** Google Spreadsheet to use ******************************// //SpreadsheetSheet and Workbook To Use $ss = new Google_Spreadsheet('Registration', 'Registered'); //*************************** Get Fields From $_Post Into Array To send to Google doc ******************************// $_POST['Date'] = date('Y-m-d'); $_POST['Time'] = date("g:i A.", time()); $row = $_POST; //SHOW ARRAY /*print_r($row); */ //***************************Set $_Post Fields To Variables ******************************// foreach ($_POST as $key => $value) { $$key = $value; } //************************** Generate Form Backup Email ************************// $to = "email@domain.com"; $name = "Web Form"; $subject = "Registration"; $from = "email@domain.com"; $headers = 'MIME-Version: 1.0' . "\r\n" . 'Content-type: text/html; charset=iso-8859-1' . "\r\n" . "From:" . $name . " <" . $from . ">" . "\r\n" . "Reply-To:" . $from . "\r\n"; //Create Email $message = <<<EOF <html> <head> <meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type" /> </head> <table cellspacing="4" cellpadding="4" border="1" align="center"><tr> EOF; foreach ($_POST as $key => $value) { $message .= "<td align=\"center\">" . $key . "</td>"; } $message .= <<<EOF </tr><tr> EOF; foreach ($_POST as $key => $value) { $message .= "<td align=\"center\">" . strip_tags($value) . 
"</td>"; } $message .= <<<EOF </tr></table> </body></html> EOF; //Echo Email Message /*echo $message;*/ //************************** Process ************************// if(isset($_POST['url']) && $_POST['url'] == ''){ if ($ss->insertRow($row)) { mail($to,$subject,$message,$headers); header("Location: Confirmation.htm"); exit(); } else { header("Location: Fail.htm"); exit(); } } else { echo "Error, Robot Detected!!"; } ?> Link to comment Share on other sites More sharing options...
Ingolme Posted December 2, 2015

The first security problem I mentioned before, which would allow them to use your server to send e-mails anywhere, is where you're putting user data straight into the mail headers.

> I have a few different PHP forms; I'll post another one in a min to have checked. Using the code above, could they put something like this in the Name field, and would it run? Is this how they get in, pasting in their own upload script?
>
>     name']; echo 'hi'; exit; $test = $_REQUEST['name
>
> Would this echo out "hi" and then not run the rest of the PHP script?

No, it wouldn't. Nothing is attempting to execute that as PHP, it's just a string.

>     //***************************Set $_Post Fields To Variables ******************************//
>     foreach ($_POST as $key => $value) {
>         $$key = $value;
>     }

This is another security threat. This allows anybody to overwrite any existing variables in your system. In the block of code you've displayed, though, I can't see any specific way it could be used to execute PHP or upload files to your server, but if you have more code structures like that in other parts of your server, that is a potential attack vector.
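The `$$key = $value` loop Ingolme flags is worth seeing in action. The block below is an added example from the editor, not code from the thread: `process_unsafe()` reproduces the pattern and shows that a variable assigned before the loop (here `$to`, an assumed recipient address) is silently replaced by a request field of the same name, and `process_safe()` replaces the loop with an explicit allow-list of the form's real fields so that only those are read and anything else in the request is ignored. The field names `FirstName`, `LastName`, `Email` and the sample request are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. Shows why the
// "foreach ($_POST as $key => $value) { $$key = $value; }" loop is a problem
// and replaces it with an explicit allow-list of form fields. Field names and
// the recipient address are assumed.

// Original pattern: the request picks the variable names, so any variable
// assigned before the loop can be replaced by a form field with the same name.
function process_unsafe(array $post): string
{
    $to = 'owner@example.com';      // assumed recipient of the backup e-mail
    foreach ($post as $key => $value) {
        $$key = $value;             // $_POST['to'] silently overwrites $to
    }
    return $to;
}

// Hardened: read only the fields the form actually has, into an explicitly
// named array; everything else in the request is ignored and reported.
const FORM_FIELDS = ['FirstName', 'LastName', 'Email'];
const HONEYPOT    = 'url';

function process_safe(array $post): array
{
    $to  = 'owner@example.com';
    $row = [];
    foreach (FORM_FIELDS as $key) {
        $value = $post[$key] ?? '';
        $row[$key] = is_string($value) ? trim($value) : '';
    }
    $unexpected = array_diff(array_keys($post), FORM_FIELDS, [HONEYPOT]);
    return ['to' => $to, 'row' => $row, 'unexpected' => array_values($unexpected)];
}

// Constructed request: one normal field plus a hostile "to" field.
$post = ['FirstName' => 'Ann', 'to' => 'attacker@example.net', 'url' => ''];

echo 'unsafe recipient: ' . process_unsafe($post) . "\n";   // attacker@example.net
$r = process_safe($post);
echo 'safe recipient:   ' . $r['to'] . "\n";                 // owner@example.com
echo 'row sent on:      ' . json_encode($r['row']) . "\n";
echo 'ignored fields:   ' . implode(', ', $r['unexpected']) . "\n";  // to
```

`extract($_POST)` has the same effect as the loop; `extract($_POST, EXTR_SKIP)` at least refuses to overwrite existing variables, but reading the expected fields by name is clearer and also fixes the `$row = $_POST` line in the registration script, which otherwise forwards every key the client chose to send on to the spreadsheet.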
coolshrimp Posted December 2, 2015 (Author)

Thanks. It seems it was my Magento and VBulletin that they were able to get into; both seem to have a way in. VBulletin could have been this: http://www.cyberkendra.com/2014/07/vbulletin-fixed-critical-sql-injection.html

For Magento it seems the same person that hacked my site is talked about here: https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html

They created a few accounts for themselves: http://puu.sh/lGajf/5725d61f14.png
coolshrimp Posted December 2, 2015 (Author)

For future security: I have each of my sites in its own folder. Is it possible to make it so a hacker cannot access files in other directories? So say my forum in the "Forum" folder is hacked, they can only screw up the forum and none of my other site folders?
coolshrimp Posted December 2, 2015 (Author)

I get what you mean, good point.

>     //***************************Set $_Post Fields To Variables ******************************//
>     foreach ($_POST as $key => $value) {
>         $$key = $value;
>     }
>
> This is another security threat. This allows anybody to overwrite any existing variables in your system. In the block of code you've displayed, though, I can't see any specific way it could be used to execute PHP or upload files to your server, but if you have more code structures like that in other parts of your server, that is a potential attack vector.
Ingolme Posted December 2, 2015

You should always keep your content management systems up to date and keep listening for news about fixes and security updates for them.
justsomeguy Posted December 2, 2015

> So say my forum in the "Forum" folder is hacked, they can only screw up the forum and none of my other site folders?

You can use .htaccess to set open_basedir for each directory: http://php.net/manual/en/ini.core.php#ini.open-basedir
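An added configuration example from the editor, not from the thread, showing how the per-directory open_basedir that justsomeguy suggests can be set. One caveat a practitioner would want: a `.htaccess` file inside the Forum folder is exactly the file an attacker who has taken over that folder can edit or delete, so the restriction is better placed in the Apache server configuration with `php_admin_value`, which `.htaccess` and `ini_set()` cannot override. The paths, directory names and the inclusion of `/tmp` (for sessions and temporary uploads) are assumptions.

```apache
# Added example, not from the thread. Goes in httpd.conf or the site's vhost
# file (mod_php). Paths are assumed; adjust to the real document root.

<Directory "/var/www/html/Forum">
    # php_admin_value cannot be changed from a .htaccess or ini_set() inside
    # this directory, which matters because this is the directory the
    # attacker can write to. /tmp is listed so sessions and uploads still work.
    php_admin_value open_basedir "/var/www/html/Forum/:/tmp/"
</Directory>

<Directory "/var/www/html/Shop">
    php_admin_value open_basedir "/var/www/html/Shop/:/tmp/"
</Directory>

# The weaker form, placed in /var/www/html/Forum/.htaccess, takes effect only
# under mod_php with AllowOverride Options and can be removed by whoever
# controls the folder:
#     php_value open_basedir "/var/www/html/Forum/:/tmp/"
```

If PHP runs under PHP-FPM rather than mod_php, these Apache directives are ignored; the equivalent is `php_admin_value[open_basedir] = /var/www/html/Forum/:/tmp/` in a separate pool file per site, ideally with each pool running as its own system user. open_basedir restricts PHP's file functions and includes only; it does not stop `exec()`/`system()`, so separate OS users (and file permissions that reflect them) are what actually keep a compromised forum away from the other sites.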