From: Igor Escobar on 7 Jun 2010 09:16

This was my fear.

Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)

On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind <peter.e.lind(a)gmail.com> wrote:

> On 7 June 2010 14:54, Igor Escobar <titiolinkin(a)gmail.com> wrote:
> > Hi Folks!
> >
> > The portal for which I work is suffering constant attacks that I feel
> > are PHP Injection. Somehow the hacker is getting to change the cache files
> > that our system generates. Concatenating the HTML file with another that
> > has an iframe to a malicious JAR file. Do you have any suggestions to
> > prevent this action? The hacker has no access to our file system, he is
> > inputting the code through some security hole. The problem is that the
> > portal is very big and has lots and lots of partners hosted on our
> > structure. We are failing to identify the focus of these attacks.
> >
> > Any ideas?
>
> Check all user input + upload: make sure that whatever comes from the
> user is validated. Then check all output: make sure that everything
> output is escaped properly. Yes, it's an enormous task, but there's no
> way around it.
>
> Regards
> Peter
>
> --
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
> </hype>

From: Igor Escobar on 7 Jun 2010 09:21

I do not believe he is doing so through forms but PHP Injection. We have already met one of the files that he used to make the concatenation of the cache files. Need to know if there is a tool, anything, that we can install on the server and identify the hacker more easily because the manual labor is not giving much result.

Thanks for all support!

Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)

On Mon, Jun 7, 2010 at 10:08 AM, Phpster <phpster(a)gmail.com> wrote:

> Can you implement a simple form dump process that would catch the form name
> and the data being entered and save that? That would allow you to at least
> see what script has the hole as you trap it.
>
> Bastien
>
> Sent from my iPod

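The form dump Bastien proposes in the quoted reply above, sketched as an added example (not code from anyone in the thread): a file loaded through PHP's `auto_prepend_file` setting that records which script handled each request and what it was sent. The log path, the redaction pattern and the `dump_*` names are assumptions.

```php
<?php
// Added example: request dump loaded before every script; paths, names and limits are assumptions.
const DUMP_LOG = '/var/log/php/request_dump.log'; // assumed path; keep it outside the web root
const MAX_VALUE_LEN = 2048;                       // truncate long values so one line stays readable
const REDACT_KEYS = '/pass|pwd|secret|token|card/i';
const DUMP_JSON_FLAGS = JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE;

// Copy request data recursively, hiding credentials and truncating oversized values.
function dump_sanitize(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $out[$key] = dump_sanitize($value);
        } elseif (preg_match(REDACT_KEYS, (string) $key)) {
            $out[$key] = '[redacted]';
        } else {
            $value = (string) $value;
            $out[$key] = strlen($value) > MAX_VALUE_LEN ? substr($value, 0, MAX_VALUE_LEN) . '...[truncated]' : $value;
        }
    }
    return $out;
}

// Build one record naming the script that handled the request and what it was sent.
function dump_record(array $server, array $get, array $post, array $files): array
{
    return [
        'time'    => gmdate('c'),
        'ip'      => $server['REMOTE_ADDR'] ?? '-',
        'method'  => $server['REQUEST_METHOD'] ?? '-',
        'script'  => $server['SCRIPT_FILENAME'] ?? '-',
        'uri'     => $server['REQUEST_URI'] ?? '-',
        'get'     => dump_sanitize($get),
        'post'    => dump_sanitize($post),
        'uploads' => array_map(fn ($f) => $f['name'] ?? null, $files),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed request, so the record format can be checked from the command line.
    echo json_encode(dump_record(
        ['REMOTE_ADDR' => '203.0.113.9', 'REQUEST_METHOD' => 'POST',
         'SCRIPT_FILENAME' => '/srv/www/partners/page.php', 'REQUEST_URI' => '/partners/page.php?tpl=home'],
        ['tpl' => 'home'], ['password' => 'x', 'comment' => 'hello'], []
    ), DUMP_JSON_FLAGS), "\n";
} else {
    // One JSON object per line; LOCK_EX keeps concurrent requests from interleaving,
    // and @ keeps an unwritable log from breaking the page.
    @file_put_contents(DUMP_LOG,
        json_encode(dump_record($_SERVER, $_GET, $_POST, $_FILES), DUMP_JSON_FLAGS) . "\n",
        FILE_APPEND | LOCK_EX);
}
```

Point `auto_prepend_file` in php.ini at this file to cover every script on the server without editing partner code; comparing the timestamps of modified cache files against the log then narrows down which `script` ran at that moment.
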
From: "Bob McConnell" on 7 Jun 2010 09:39

There should be some clues in your httpd logs if it is coming in on the http request. Otherwise, you need to beef up the input sanitization all across the board. Some of that might be caught by verifying the users all have current versions of their applications in place.

Bob McConnell

-----Original Message-----
From: Igor Escobar [mailto:titiolinkin(a)gmail.com]
Sent: Monday, June 07, 2010 9:21 AM
To: Phpster
Cc: <php-general(a)lists.php.net>
Subject: Re: [PHP] Security Issue

I do not believe he is doing so through forms but PHP Injection. We have already met one of the files that he used to make the concatenation of the cache files. Need to know if there is a tool, anything, that we can install on the server and identify the hacker more easily because the manual labor is not giving much result.

Thanks for all support!

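One way to look for the clues in the httpd logs that Bob McConnell mentions, as an added example that is not from the thread: rank scripts by how many requests passed them a parameter value that names a URL, stream wrapper or parent-directory path. The log lines are constructed samples in Apache combined format, and the two checks are assumptions about what counts as suspicious.

```php
<?php
// Added example: rank scripts by requests that carried include-style parameter values.
// The log lines are constructed samples; the last one is benign and shows why this is a ranking.
$sampleLog = <<<'LOG'
198.51.100.7 - - [07/Jun/2010:09:01:12 -0300] "GET /news/view.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jun/2010:09:02:40 -0300] "GET /partners/page.php?tpl=http%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 812 "-" "-"
203.0.113.9 - - [07/Jun/2010:09:02:44 -0300] "GET /partners/page.php?tpl=..%2F..%2Fcache%2Findex.html HTTP/1.1" 200 640 "-" "-"
198.51.100.7 - - [07/Jun/2010:09:03:02 -0300] "GET /search.php?q=jar+files&ref=http%3A%2F%2Fexample.org%2F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Reasons a decoded parameter value deserves a look (assumed heuristics, not a complete list).
function suspicious_reasons(string $value): array
{
    $reasons = [];
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value)) {
        $reasons[] = 'url-or-wrapper';   // value names a remote URL or a stream wrapper
    }
    if (strpos($value, '../') !== false || strpos($value, '..\\') !== false) {
        $reasons[] = 'traversal';        // value climbs out of its directory
    }
    return $reasons;
}

// Return [script path => list of hits], most-hit script first.
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue; // not a combined-format request line
        }
        [$path, $query] = array_pad(explode('?', $m[2], 2), 2, '');
        parse_str($query, $params); // URL-decodes names and values, including nested arrays
        array_walk_recursive($params, function ($value, $name) use (&$hits, $path, $m) {
            foreach (suspicious_reasons((string) $value) as $reason) {
                $hits[$path][] = ['ip' => $m[1], 'param' => $name, 'reason' => $reason, 'status' => $m[3]];
            }
        });
    }
    uasort($hits, fn ($a, $b) => count($b) <=> count($a));
    return $hits;
}

foreach (scan_access_log($sampleLog) as $script => $entries) {
    printf("%-22s %d hit(s)\n", $script, count($entries));
    foreach ($entries as $e) {
        printf("  %s  param=%s  %s  status=%s\n", $e['ip'], $e['param'], $e['reason'], $e['status']);
    }
}
```

A hit is a lead, not a verdict (the `ref` parameter in the last sample line is ordinary), and POST bodies never reach the access log, so this covers only input sent in the URL.
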
From: Michael Shadle on 7 Jun 2010 13:38

It's not that bad.

Use filter functions and sanity checks for input.

Use htmlspecialchars() basically on output.

That should take care of basically everything.

On Jun 7, 2010, at 6:16 AM, Igor Escobar <titiolinkin(a)gmail.com> wrote:

> This was my fear.

From: Igor Escobar on 7 Jun 2010 13:42

It's not a SQL Injection or XSS problem, Michael. It's a PHP Injection problem. I know how to fix that, but the web site is very very huge, has lots and lots of partners, and I'm having a big difficulty identifying the focus of the problem. Got it?

Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)

On Mon, Jun 7, 2010 at 2:38 PM, Michael Shadle <mike503(a)gmail.com> wrote:

> It's not that bad.
>
> Use filter functions and sanity checks for input.
>
> Use htmlspecialchars() basically on output.
>
> That should take care of basically everything.