April 29th, 2002, 02:31 AM
Is this php script secure?
Hi friends. I made a login script for my website. I personally think it is pretty safe but I was wondering what you guys think. Tell me if you see any vulnerabilities or exploits that I should patch up. How could people crack it?
April 29th, 2002, 02:59 AM
Post the source code then people will be able to help you. Otherwise there's no way of telling how secure the script is.
OpenBSD - The proactively secure operating system.
April 29th, 2002, 03:08 AM
Depends on what kind of encryption you're using in your database. If it's just plain text then you should slap yourself on the back of your head. Also, where is the source at?
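The thread's script was never posted, so here is an added example (not the original poster's code) of the two things replies in this thread keep coming back to: storing only a password hash rather than the plain-text password, and putting an authentication check at the top of every protected page so the login form is not the only door. The in-memory `$users` array is a constructed stand-in for the database table; `password_hash()`, `password_verify()` and the session functions are PHP's own.

```php
<?php
// Added example, not the thread's script. Shows hashed password storage
// and a per-page login guard; the user table is a constructed array.

// Constructed stand-in for the database: username => password_hash() output.
// The stored value is never the password itself.
function seed_users(): array {
    return [
        'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Registration: password_hash() picks an adaptive algorithm (bcrypt by
// default) and a random per-user salt, so a leaked table does not hand
// out passwords.
function register_user(array &$users, string $name, string $password): void {
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login check. password_verify() does the constant-time comparison.
function check_login(array $users, string $name, string $password): bool {
    // Verify against a dummy hash for unknown users so that a known and an
    // unknown username take about the same time; this blunts username
    // enumeration by response timing.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password-not-a-user', PASSWORD_DEFAULT);
    }
    if (!isset($users[$name])) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $users[$name]);
}

// Call once after check_login() succeeds. Regenerating the session id
// prevents session fixation (an attacker pre-setting a victim's id).
function start_authenticated_session(string $name): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $name;
}

// Put this at the top of EVERY protected page (for example through a
// require_once of a shared auth file). Without it, anyone who knows or
// guesses a URL deeper in the tree walks straight past the login form.
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Small command-line demo of the hashing side (sessions need a web SAPI).
if (PHP_SAPI === 'cli') {
    $users = seed_users();
    register_user($users, 'bob', 'hunter2');
    var_dump(check_login($users, 'alice', 'correct horse battery staple'));
    var_dump(check_login($users, 'bob', 'wrong'));
    var_dump(check_login($users, 'mallory', 'anything'));
}
```

The guard is deliberately a function you include rather than logic that lives only in the login page: the weakness reported later in this thread (reaching an inner page directly by URL) is exactly what happens when the check exists in one place and the protected pages never call it.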
June 18th, 2002, 01:24 AM
Well, I can't even see the page, but the source would be good.
A_420_hacker_24::."A man without a computer is just a man, a man with a computer is an Admin" ... "If it's not 4:20 on your clock, it's time to change the time"..:Quotations from Larry Wall:.
"I think you didn't get a reply because you used the terms "correct" and "proper", neither of which has much meaning in Perl culture. :-) "
June 18th, 2002, 01:51 AM
June 18th, 2002, 06:38 AM
I scanned the site checking the tree and then entered http://www.pheeble.com/v5/ as being the second page after the intro and it let me right in. Never saw any kind of a login script. So I would venture it's not too secure if I can traverse the directory tree and pull up any page I wish.
The COOKIE TUX lives!!!!
Windows NT crashed, I am the Blue Screen of Death.
No one hears your screams.
June 18th, 2002, 09:09 AM
No, that doesn't sound terribly secure, does it?
But then, he may not have implemented it yet; he could just be testing the login at this point...
WE ARE the anti cancer...
WE ARE the only answer...
July 11th, 2002, 01:11 PM
Well, inside the httpd.conf (I'm going to assume we're talking Apache here because that's my knowledge base, not IIS), in the initial <Directory> for this page, I would take Indexes out of the Options list. This prevents people from scanning/traversing directory trees.
As for the php, we can't see the code so we can't check!
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
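As an added illustration of the httpd.conf change suggested in the reply above (not configuration taken from the thread or from the site in question), here is a <Directory> block as many default configs ship it, next to the same block with Indexes removed. The DocumentRoot path is assumed, and the access directives are written in Apache 2.4 syntax (`Require all granted`); on the 1.3/2.0 servers of the thread's era the equivalent was `Order allow,deny` / `Allow from all`, and the Options line is the same in both.

```apache
# Added example, not from the thread. Assumed DocumentRoot: /var/www/html.

# Weak: with Indexes on, a request for a directory that has no index file
# returns a generated listing of everything in it, so a visitor can walk
# the whole tree and open any page found there.
#
# <Directory "/var/www/html">
#     Options Indexes FollowSymLinks
#     AllowOverride None
#     Require all granted
# </Directory>

# Corrected: Indexes removed. The same request now gets 403 Forbidden
# instead of a listing.
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

After editing, `apachectl configtest` checks the syntax and `apachectl graceful` reloads it. Where per-directory overrides are allowed (`AllowOverride Options`), the one-line `.htaccess` form `Options -Indexes` does the same for a single directory. Note what this does and does not fix: it stops the listing, so pages are no longer discoverable by browsing, but a page whose URL is already known is still served to anyone; only a login check on the page itself closes that gap.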