
My company's website just got hacked, and I'm now restoring the website with extra caution. The company wants the site up as soon as possible so I don't have enough time to actually re-code the software's vulnerabilities away, so I'm restoring it after doing the following:

  1. Disabling all input forms from the website. (Basically, for all forms that said action = someform.php I just renamed someform.php on the server to someform1.php so that nothing actually gets to the database. I will deal with PDO and protection from SQL injections later).
  2. With no forms left, there's no $_POST input to take care of, but there's still $_GET. For every page that takes in a query string, I've put a check on every $_GET[''] variable and made sure to only process it when it's numeric as it should be, e.g. if(isset($_GET['page_id']) && is_numeric($_GET['page_id'])) { /* do something */ }. The hacker seemed to have broken through using SQL injections.
  3. With another section of the website (accessible only to company staff at the moment), I've made it a password protected folder. I know a hacker could still use anonymous FTP or get in using other ways, but I'm hoping at least to avoid SQL injections initially, so I thought the password protected folder would help. This is on top of an existing secure login.
  4. I'm now worried about the URL. I'm not sure how secure it is or isn't; it's a bilingual website, and this is the way it works (this part of the code is by the previous developer and I don't really understand it):

<?php
// Build the URL of the current page so change_session.php can send the visitor back to it.
if($_SERVER['SERVER_NAME'] == 'localhost' || $_SERVER['SERVER_NAME'] == 'salman'){
    $url = zeej_dir.curPageName().'?'.$_SERVER["QUERY_STRING"];   // zeej_dir and curPageName() are defined elsewhere in the site
} else {
    $url = '/'.curPageName().'?'.$_SERVER["QUERY_STRING"];
}
$change_url = "http://".$_SERVER['SERVER_NAME'].$url;

// Language toggle link: the return URL travels as a base64-encoded page_url parameter.
if($_SESSION['ln'] == 'en'){
    echo '<img src="'.getSiteUrl().'images/arabicicon.jpg" alt="Arabic" width="15" height="15" />';
    echo '<a href="'.getSiteUrl().'change_session.php?page_url='.base64_encode( $change_url ).'" class="top_frametext">Arabic</a>';
} else {
    echo '<img src="'.getSiteUrl().'images/engicon.jpg" alt="English" width="15" height="15" />';
    echo '<a href="'.getSiteUrl().'change_session.php?page_url='.base64_encode( $change_url ).'" class="top_frametext">English</a>';
}

And this is the code for change_session.php:

<?php
@session_start();   // '@' silences any warning session_start() might emit
// The return URL arrives base64-encoded in page_url ($_REQUEST: GET, POST or cookie).
$page_url = isset($_REQUEST['page_url']) ? $_REQUEST['page_url'] : '';

// Toggle the session language between English and Arabic.
if($_SESSION['ln'] == 'en'){
    $_SESSION['ln'] = 'ar';
} else {
    $_SESSION['ln'] = 'en';
}

// Redirect to the decoded page_url; the decoded value is not checked against the site's own host.
header("location: ".base64_decode($page_url));
exit;

Are there some vulnerabilities here via the URL? Or am I reasonably secured so far?

user961627
  • How do you know it was a vulnerability in your PHP scripts that got exploited? – Gumbo May 19 '13 at 11:14
  • Well honestly initially I think the hacker uploaded a malicious file through our image uploader (because it didn't check MIME types), but after that I know for sure that there were vulnerabilities in the PHP code because the database then had rows where products had IDs like `cd /etc/pwd`, and all sorts of other crazy things in the database. – user961627 May 19 '13 at 11:17
  • I think there is nothing here to be hacked, what you should do is check the following: **1)** Fix all the queries to prevent SQL injections **2)** If you have an upload form, make it stricter, check for the file size, [file type](http://php.net/manual/en/ref.fileinfo.php) and if it's an image you may even "reconvert" it. **3)** Make sure you have strong passwords **4)** I hope for you that the mysql DB is only accessible via localhost **5)** Make sure that **you** aren't infected with something like a keylogger – HamZa May 19 '13 at 11:36
  • **6)** Make sure that the admin panel is not easy to brute-force **7)** If you're on a shared server, there is a possibility that another site was hacked and that the hacker got from the other virtual server to yours if it's not secured enough; here you have a big problem: report it to your hosting provider or change the hosting provider. **8)** If you're on a VPS/dedicated server, be sure to have it up to date and install security software on the server if possible. – HamZa May 19 '13 at 11:37
  • **9)** Ultimately try to view it from a hacker's perspective: how would you hack it? You may even try some hacking/testing tools like [burp suite](http://portswigger.net/burp/) and [sqlmap](http://sqlmap.org/). *Note: make sure you have permission to do this.* – HamZa May 19 '13 at 11:38
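Added example, not the poster's or the previous developer's code: a hardened change_session.php. The language toggle is kept as it is, but the decoded page_url is only followed when it is a path on this site (or an absolute http(s) URL on the site's own host), because header("location: ".base64_decode($page_url)) as posted will redirect to any URL a visitor's link supplies. SITE_HOST is an assumed constant for the site's canonical hostname; PHP 7.0+ is assumed.

```php
<?php
// Added example, not the original poster's code: a hardened change_session.php.
// Assumption: SITE_HOST holds the site's own canonical hostname. Needs PHP 7.0+.
declare(strict_types=1);

const SITE_HOST = 'www.example.com'; // assumed value, replace with the real host

session_start();

// Same toggle as the original; the client cannot write $_SESSION['ln'] directly, so this part was fine.
$_SESSION['ln'] = (isset($_SESSION['ln']) && $_SESSION['ln'] === 'en') ? 'ar' : 'en';

// Turn the base64-encoded page_url into a site-relative path, or '/' when it is
// missing, malformed, contains control characters, or points at another host.
function safeRedirectTarget(string $encoded, string $siteHost): string
{
    $decoded = base64_decode($encoded, true);            // strict mode rejects non-base64 input
    if ($decoded === false || $decoded === '') {
        return '/';
    }
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $decoded)) { // CR/LF (header splitting) and backslashes
        return '/';
    }
    $parts = parse_url($decoded);
    if ($parts === false) {
        return '/';
    }
    if (isset($parts['host'])) {
        // Absolute URL (this also catches protocol-relative '//evil.example'): must be http(s) on our host.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true) || strcasecmp($parts['host'], $siteHost) !== 0) {
            return '/';
        }
    } elseif (isset($parts['scheme']) || !isset($parts['path']) || substr($parts['path'], 0, 1) !== '/') {
        // Rejects 'javascript:...', bare 'evil.example/x' and anything not rooted at '/'.
        return '/';
    }
    $target = $parts['path'] ?? '/';
    if (substr($target, 0, 2) === '//') {
        return '/';
    }
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    return $target; // always a path on this site, never a foreign origin
}

$raw = $_REQUEST['page_url'] ?? '';
header('Location: ' . safeRedirectTarget(is_string($raw) ? $raw : '', SITE_HOST));
exit;
```

Because the function only ever returns a site-relative path, the Location header can never send the visitor off-site even if page_url was crafted by someone else.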

1 Answer

One hint/note: Regarding the SQL injection you mentioned, make sure that you're ALWAYS AND EVERYWHERE using http://php.net/manual/en/pdo.prepared-statements.php

Regarding changing the language (in the session): the code seems safe, since nobody could inject or change anything.

Under the line:

However, I see one problem in your URL construction. It uses the base64_encode method to make the URL "secure". However, anybody can decode it (since it's simply a base64 encoding). In the long term, you may try using some symmetric encryption with a generated key stored in the user's session. This way, nobody could use a URL generated for somebody else.

Anyway, changing the language is harmless in this case. The above-mentioned proposal was for resources/operations that really need to be secured. I mean that only an authorized person could access it (and not just anyone who has the stolen URL). There are, of course, other ways to protect your site. This is just one piece of practical advice.

  • I know, but my company's in a hurry.... http://stackoverflow.com/questions/16634120/mysql-and-php-fixes-to-replicate-pdo-security – user961627 May 19 '13 at 11:22
  • Start monitoring the network (apache logs). The intruder may also be inside. You may also see a concrete IP address, and disable it. You can also enable your site just for well-known networks (just your office, just your country, etc.) – Rostislav Stribrny May 19 '13 at 11:26
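Added example (not the poster's or the answerer's code) for step 2 of the question and the answer's prepared-statement advice: the $_GET['page_id'] check tightened from is_numeric() to a strict integer check, and the lookup done with a bound PDO parameter so the value never becomes part of the SQL text. The table name `pages`, its columns, and the DSN/credentials are assumed placeholders; PHP 7.1+ is assumed.

```php
<?php
// Added example, not code from the page. Assumed: table `pages` with integer column `id`;
// DSN, user and password are placeholders. Needs PHP 7.1+.
declare(strict_types=1);

// is_numeric() also accepts "1.5", "1e3" and, on PHP 5, "0x1A"; for an id column we
// want only a plain positive integer, which FILTER_VALIDATE_INT with min_range gives.
function pageIdFromQuery(array $query): ?int
{
    if (!isset($query['page_id']) || !is_string($query['page_id'])) {
        return null; // missing, or page_id[]=... turned it into an array
    }
    $id = filter_var($query['page_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function fetchPage(PDO $db, int $pageId): ?array
{
    // The id is sent as a bound integer parameter, separately from the statement text.
    $stmt = $db->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pageId = pageIdFromQuery($_GET);
if ($pageId === null) {
    http_response_code(400);
    exit('invalid page_id');
}

$db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements, not client-side quoting
]);

$page = fetchPage($db, $pageId); // null when no such page exists
```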