CI site hacked! did CI's security fail?
#1

[eluser]Daniel Peraza[/eluser]
Hi CI friends.

I am writing this post because I recently developed a CI site, which has been attacked TWICE in just a couple of days. I admit to having almost zero knowledge of security practices. And although the changes made by the attacker were minimal, I would like to find the cause of the problem.

I found this line, among others very similar to it, in the server's access log:

200.109.242.252 - - [03/Apr/2009:13:23:24 -0700] "GET /app/frontend.php/productos/categoria/\"http://img4.imageshack.us/img4/228/cyb3rkinggamex.jpg\" HTTP/1.1" 200 12274 "http://www.tecnopesca.com.ve/app/frontend.php/productos/categoria/18" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"

Which seems to be a kind of XSS attack. I am not using XSS filtering at all. Could this be the cause of the problem? Is it really a kind of XSS attack?

PS: I think that a Security category is needed in this forum.
#2

[eluser]CroNiX[/eluser]
How would CI's security be failing if you admit that you're not using it? Anything that is coming from a post or the url should be validated/filtered no matter what application you are using.
#3

[eluser]Daniel Peraza[/eluser]
Well you are right man. I just didn't know what title to choose in order to describe my post.

Actually, the attacker just touched the files searched by default by the web server. It changed the script that loads my front controller and another script that redirects to it.
#4

[eluser]CroNiX[/eluser]
That sounds like your file/directory permission settings on the server.
#5

[eluser]CroNiX[/eluser]
Also, in that particular controller, when you are getting the category ID are you checking to see if it is the proper datatype? Like in that case you would do something like:
$cat_id = (int)$this->uri->segment(x);
which would force the value of that segment to be an integer, and you wouldn't have that problem right there. But that should be done for any place you are using a value from your url to make your application "do something", especially if it has to do with the database. All input should be escaped and filtered before going into the db.
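The check CroNiX describes, written out as an added example (this is not code from the thread or from CodeIgniter itself). It runs as a plain PHP script: the function validates a URL segment as a positive integer and the sample inputs are constructed here, including the exact segment from the access-log line in post #1. The stricter validation with filter_var is an assumption on top of the (int) cast above; it rejects malformed segments instead of quietly turning them into 0 or 18.

```php
<?php
// Added example: validate a URL segment before it reaches the database.

/**
 * Return the category id as a positive integer, or null if the segment is
 * not a plain decimal number. A bare (int) cast would turn "18abc" into 18
 * and the injected image URL into 0; FILTER_VALIDATE_INT rejects both.
 */
function category_id_from_segment($segment)
{
    $id = filter_var($segment, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 1),
    ));
    return ($id === false) ? null : $id;
}

// Constructed inputs: a normal request, the segment seen in the access log
// from post #1, and a segment with trailing garbage.
$samples = array(
    '18',
    '"http://img4.imageshack.us/img4/228/cyb3rkinggamex.jpg"',
    '18abc',
    '-5',
);

foreach ($samples as $segment) {
    $id = category_id_from_segment($segment);
    printf("%-58s => %s\n", $segment,
        ($id === null) ? 'rejected, respond with 404' : "category $id");
}
```

In a CodeIgniter controller this would sit at the top of the category method, for example `$id = category_id_from_segment($this->uri->segment(3)); if ($id === null) { show_404(); }` followed by a parameterized query such as `$this->db->where('id', $id)->get('categorias');` (the segment index and table name are placeholders for this site). Rejecting the segment early means the attacker-controlled string never reaches a query, a view, or an error page where it could be echoed back.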
#6

[eluser]Xeoncross[/eluser]
You need to watch my PHP Security video. It covers all the most common types of attacks that we as site admins face. At 45min long with live examples I dare say it's the best PHP security video on the web.
#7

[eluser]LuckyFella73[/eluser]
@Xeoncross

I tried to watch your video but the film does not play
though I updated my flash player ...
Could you check that?
#8

[eluser]bigtimslim[/eluser]
[quote author="LuckyFella73" date="1238851887"]@Xeoncross

I tried to watch your video but the film does not play
though I updated my flash player ...
Could you check that?[/quote]

I just watched it. Great vid btw, Xeoncross.
#9

[eluser]Xeoncross[/eluser]
[quote author="LuckyFella73" date="1238851887"]I tried to watch your video but the film does not play though I updated my flash player[/quote]

Yes, on some PCs with browsers like IE6 I have had the same trouble. If you can't watch it online then I recommend that you actually download the video. There is a save button next to each of my videos if you want to download any of them and watch them with whatever desktop app you want. (go VLC player!)
#10

[eluser]Daniel Peraza[/eluser]
Thanks a lot to all of you for answering. I'll put your ideas into practice. I already activated global XSS filtering, meanwhile...