Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
djmaze
Subject Matter Expert


Joined: May 15, 2004
Posts: 719
Location: http://tinyurl.com/5z8dmv

PostPosted: Thu Dec 02, 2004 7:45 am Reply with quote

I've tried something and it all works so here are some security advicesories

Be shure no-one can recieve your login name and password in any form like cookie or encrypted.

PHP has the option to send/recieve data from/to an website and that way you can simulate browser, cookies, http_referer, etc.
So there's totally no need to hack into your browser and modify cookies to gain control over an website since PHP can do it all.

The hacker could create an account at lycos, for example, and upload an script that hacks into your website.
Then if your sentinel locks the IP it locks the lycos server and not the hacker.
The hacker moves on to another free hosting site and tries again.

Does he ever get caught you think ? No, since there is no logging on the server to check with which websites PHP makes connections.

Does the IP blocking has drawbacks ? Yes, other lycos websites can't access your RSS feed to show your news articles
 
View user's profile Send private message Visit poster's website
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Thu Dec 02, 2004 7:59 am Reply with quote

I think this is a long standing issue with the way cookies are designed in phpnuke. I've ranted on the topic several times but since it is a core function I don't feel we can make substancial changes to it. I think a crypt of cookie encode and decrypt decode would be great it would also make forged cookies much tougher to design.

I think most of us are aware of the potential issues of blocking IP addresses and ranges. I think that the expire feature in Nuke Sentinel is under used and perhaps the best method for working around the issue. Simular to better firewalls a 600 second block can be more effective then a lifetime one.

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Thu Dec 02, 2004 8:02 am Reply with quote

This, of course, is true about anything web related. Proxies present similar problems. Dynamic IP's also. I have had to release IP's that now belong to someone else. I would be more concerned about HOW he uploaded a script. That's the real issue with this scenario that you present.
 
View user's profile Send private message
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©