Recently Hacked. Questions.

[coolshrimp]

hey so my site was recently hacked. they did not login to hack the site, somehow they where able to inject there files and edit pages.

so im guessing they may have been able to gain access using an email form or something. or simply a hole in (VBulletin, Magento)
What i want to do id be sure my custom coded user submitting forms are secure to prevent future injections.

so say this is my code below is there an security issues?
should i be sanitizing the $Post data somehow and if so whats the best way?
im thinking maybe they could inject code like adding in a quoted command (' <? PHP code here ?>') in one of the form fields and it may run? am i correct?

<?php
 $to = "myemail@host.com";
 $name = $_REQUEST['name'];
 $subject = "Contact Form - " . $_REQUEST['subject'];
 $from = $_REQUEST['email'];
 $headers = "From:" . $name . " <" . $from . ">" . "\r\n" . "Reply-To:" . $from . "\r\n" . "Content-Type: text/html; charset=ISO-8859-1\r\n"; 
 $email = $from;
 $company = $_REQUEST['company'];
 $msgsubject = $_REQUEST['subject'];
 $comment = $_REQUEST['comment'];
 $date = date('Y-m-d');
 
$message = <<<EOF

Name: $name
Company: $company
Subject: $msgsubject
Comment: $comment
Date: $date
EOF;

if(isset($_POST['url']) && $_POST['url'] == ''){


if (mail($to,$subject,$message,$headers)) {
   header("Location: ../pages/Contact_Success.html");
  } else {
   header("Location: ../pages/Contact_Fail.html");
  }
}
?>

 

 

 

 

 

 

 

 

[dsonesuk]

Any values posted by user MUST be validated and sanitized, to do this see http://www.w3schools.com/php/php_filter.asp for validating/sanitizing email, string, int values.

[Ingolme]

I don't see anything in that particular block of code that would allow them to upload files to your server. What they could do with it is use your server to send unsolicited e-mails to anybody they like.

[coolshrimp]

i have few diffrent php forms ill post another one in a min to have checked

using code above could they put something like this an the Name field, would it run? is this how they get in? pasting in there own upload script?

name']; echo 'hi'; exit; $test = $_REQUEST['name

would this echo out hi and then not run rest of php script?

[coolshrimp]

<?php

 

// Google API library include path

set_include_path(get_include_path() . PATH_SEPARATOR . "$_SERVER[DOCUMENT_ROOT]" . "/Scripts/");

 

// Google Helper Script

require_once($_SERVER['DOCUMENT_ROOT'] . "/Scripts/Google_Spreadsheet.php");

 

//*************************** Google Spreadsheet to use ******************************//

//SpreadsheetSheet and Workbook To Use

$ss = new Google_Spreadsheet('Registration', 'Registered');

 

//*************************** Get Fields From $_Post Into Array To send to Google doc ******************************//

$_POST['Date'] = date('Y-m-d');

$_POST['Time'] = date("g:i A.", time());

$row = $_POST;

 

//SHOW ARRAY

/*print_r($row); */

 

//***************************Set $_Post Fields To Variables ******************************//

 

foreach ($_POST as $key => $value) {

$$key = $value;

}

 

//************************** Generate Form Backup Email ************************//

 

$to = "email@domain.com";

$name = "Web Form";

$subject = "Registration";

$from = "email@domain.com";

$headers = 'MIME-Version: 1.0' . "\r\n" . 'Content-type: text/html; charset=iso-8859-1' . "\r\n" . "From:" . $name . " <" . $from . ">" . "\r\n" . "Reply-To:" . $from . "\r\n";

 

//Create Email

$message = <<<EOF

<html>

<head>

<meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type" />

</head>

<table cellspacing="4" cellpadding="4" border="1" align="center"><tr>

EOF;

 

foreach ($_POST as $key => $value) {

$message .= "<td align=\"center\">" . $key . "</td>";

}

 

$message .= <<<EOF

</tr><tr>

EOF;

 

foreach ($_POST as $key => $value) {

$message .= "<td align=\"center\">" . strip_tags($value) . "</td>";

}

 

$message .= <<<EOF

</tr></table>

</body></html>

EOF;

 

//Echo Email Message

/*echo $message;*/

 

 

//************************** Process ************************//

 

if(isset($_POST['url']) && $_POST['url'] == ''){

 

if ($ss->insertRow($row)) {

mail($to,$subject,$message,$headers);

 

header("Location: Confirmation.htm");

exit();

}

else

{

header("Location: Fail.htm");

exit();

}

 

}

else

{

echo "Error, Robot Detected!!";

 

}

 

 

?>

 

[Ingolme]

The first security problem I mentioned before which would allow them to use your server to send e-mails anywhere is where you're putting user data straight into the mail headers.

 

i have few diffrent php forms ill post another one in a min to have checked

using code above could they put something like this an the Name field, would it run? is this how they get in? pasting in there own upload script?

name']; echo 'hi'; exit; $test = $_REQUEST['name

would this echo out hi and then not run rest of php script?

 

No, it wouldn't. Nothing is attempting to execute that as PHP, it's just a string.

//***************************Set $_Post Fields To Variables ******************************// 

foreach ($_POST as $key => $value) {
  $$key = $value;
}

This is another security threat. This allows anybody to overwrite any existing variables in your system. In the block of code you've displayed, though, I can't see any specific way it could be used to execute PHP or upload files to your server but if you have more code structures like that in other parts of your server that is a potential attack vector.

[coolshrimp]

thanks seems it was my magneto and VBulletin that they where able to get into. both seem to have a way in.

 

VBulletin could have been this: http://www.cyberkendra.com/2014/07/vbulletin-fixed-critical-sql-injection.html
Magento seems this was same person that hacked my site is talked about here "https://blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html"

they created a few accounts for themselves: http://puu.sh/lGajf/5725d61f14.png

[coolshrimp]

For future is security.

I have each of my sites in its own folder.
is it possible to make it so hacker cannot access files in other directory?
so say my forum in "Forum" folder is hacked they only can screw up forum and none of my other site folders?

[coolshrimp]

i get what you mean good point.

 

//***************************Set $_Post Fields To Variables ******************************// 

foreach ($_POST as $key => $value) {
  $$key = $value;
}

This is another security threat. This allows anybody to overwrite any existing variables in your system. In the block of code you've displayed, though, I can't see any specific way it could be used to execute PHP or upload files to your server but if you have more code structures like that in other parts of your server that is a potential attack vector.

[Ingolme]

You should always keep your content management systems up to date and keep listening for news about fixes and security updates for them.

[justsomeguy]

so say my forum in "Forum" folder is hacked they only can screw up forum and none of my other site folders?

You can use .htaccess to set open_basedir for each directory:

 

http://php.net/manual/en/ini.core.php#ini.open-basedir