You are here: Home » Spotting Insecure Scripts

Spotting Insecure Scripts

With the current surge in "hackings" (or rather: script kiddies exploiting known holes to deface websites that don't support their view on the war) I've been going through a lot of scripts to find common and easy to fix vulnerabilities. With my fingers crossed, and perhaps a naive hope that people don't release scripts with massive holes anymore, I've been sorely disappointed.

I don't want to give away names and details as of yet, because I'm waiting to hear back from a few script authors, but for those of you who're worried, go through your scripts and look out for stuff like this:

• INSERT INTO `table` VALUES ('$_POST[bla]', '$_POST[other-bla]') — this is a sign that data is being inserted into a database straight from the post superglobal array (i.e. straight from a form with no sanitisation)!
• if (isset($_COOKIE['bla'])) { $loggedin = true; } — this means that the script only checks to see if the cookie exists, and not to see if it's valid. A malicious user can create a cookie and be logged in without knowing any admin details.
• include($_GET['x']); — without any checking or validation of $_GET['x'], all sorts of files can be included through the URL, including malicious scripts on other servers, sensitive data from below-root folders, etc.
• echo $_POST['bla'] — all sorts of code could be placed in the field which is then echo-ed. Expect to have your pages broken, files destroyed, cookies stolen, etc.

If you see any of these things in your scripts, or bits of code you think aren't safe, get rid of the script. A little inconvenience while you find a secure alternative is better than losing years worth of data because somebody fancied their chances as a "hacker". Take this advice from someone who has lost their data on multiple occasions (and still probably doesn't back up enough): me!

If you want to check the security of a chunk of code, feel free to paste it here (or better yet, in an email, as it's less likely to be broken by my own security measures). If I don't know what's wrong with it, I know of several of my visitors with a greater knowledge of PHP security who will. I'll also be able to help suggest alternatives to scripts you're using based on my knowledge of them, where necessary.

Comments (11)

1. 

   On Sat 19th Aug 2006 @ 00:57, Lynn said:

   Hmm. What about the general scripting for Wordpress?

2. 

   On Sat 19th Aug 2006 @ 02:04, Stephanie said:

   Yeah, how is WP as far as scripting goes? Or, have you not even tackled it?

3. 

   On Sat 19th Aug 2006 @ 02:42, Julie said:

   Losing data sucks. No matter how pointless fanlistings are, losing several months of members is very frustrating. (5 minutes of this mac got me lost)

4. 

   On Sat 19th Aug 2006 @ 04:55, Aravis said:

   I'm also curious about Wordpress. Does the latest version have any security issues? Found a couple of bugs in the plugins myself, but nothing too big.

5. 

   On Sat 19th Aug 2006 @ 10:02, Chans said:

   If it wasn't for you Jem, I think more people would lose their data. Thanks for trying to make the web 'safer' .

6. 

   On Sat 19th Aug 2006 @ 12:43, Nan said:

   A list of the scripts you stumble upon that IS secure would indeed be helpful too.

7. 

   On Sun 20th Aug 2006 @ 09:54, mae said:

   Really?... ummm I can ask you for help? err... aren't you busy.. yet?

8. 

   On Sun 20th Aug 2006 @ 23:33, Montoya said:

   guys, wordpress gets more and more secure every day. Just keep it updated and you'll be far ahead of any script kiddies.

9. 

   On Mon 21st Aug 2006 @ 22:29, King Echo said:

   Honestly, I don't understand most of this stuff still. I've just begun making things myself, prior to that most everything was just done the plain old hard way by hand coding every bit of HTML. I still do not understand how dynamic includes are unsafe. They can pick up pages from other sites and run them? I do understand the post part, though. I used to be part of a blogging community where some people started coming by and inserting code into the comment forms and ruining peoples blogs. I, of course, was never cool enough to attract the attention.

10. 

    On Mon 21st Aug 2006 @ 22:30, King Echo said:

    Pffff, I accidentally named myself 'K' on that last gone-to-moderation comment. Don't you trust me yet, Jem? ~bats lashes

11. 

    On Mon 21st Aug 2006 @ 22:33, Jem said:

    That's exactly it Echo - by leaving the dynamic includes open to everything, people can 'pick up' (as you put it) pages from other sites. This becomes a problem if a nasty person codes a page specifically to steal passwords or cookies/etc and then tries to include that file via the dynamic includes. (And I trust you fine, it's my moderation that doesn't - when you use a different name )

Comments closed



This entry was posted on Fri 18th Aug 2006 @ 17:52, and there are currently 11 comments. Leave your own?

Tags:

If you like this entry, you may also like:

• no related posts.

« previous: BellaBuzz into WordPress

Enjoyed this entry?
Then why not subscribe to my blog.

Copyright © Jem Turner 2002-2009 · 960 · Site Map · Typo Reporter