Guestbook Security

Thread: Guestbook Security

  1. #1
    Senior Member
    Join Date
    Jun 2002
    Posts
    148

    Guestbook Security

    I would like some suggestions on how I can secure my very first guestbook.

    As many of you are aware, I have set up my computer as a web server. This has made me more aware of security. Since then I have installed and configured PHP support in my server. I have also been working on creating my own guestbook instead of relying on someone else's work.

    The guestbook will be done with a combination of PHP, JavaScript and HTML, since I am new to PHP and can't do it all with PHP yet. OK, so here is the deal:

    I have been made aware that HTML and SSI includes could be constructed in a guestbook entry such that it would execute a binary on the server, or delete files, etc.

    To fix this I devised a plan. I will create a JavaScript form verifier that will look at each field and determine if the correct format of information has been entered. Once the JavaScript approves of the form, it will be sent to my PHP script, which will then strip out any HTML, SSI or JavaScript from all the fields, format the whole thing as one string, store it in a file, and display it to the user.

    So far I have got my PHP script to strip all HTML, JavaScript and any SSI from all fields; my form verifier is also now complete.

    However, I have a few more concerns that I would like your advice on, and here they are:

    First, it was suggested to me that I use expose_php = off in my php.ini file, which I have done, to reduce the information available to attackers, and to use a weird file extension for the PHP MIME type:

    AddType application/x-httpd-php .asp .py .pl

    My question: do you recommend changing the default PHP extension, and are there any other security considerations I may be overlooking?

    I am aware that turning on PHP in my server is now a major security concern, as now attackers can locate my PHP files and try to exploit them. I am known to be a very sloppy programmer periodically; you may call me a spaghetti programmer, although I don't use any goto statements or anything like that. I don't want to do a sloppy job with my very first guestbook and end up with a dozen security holes.

    Can you give me some suggestions on how I can make this guestbook secure? I am now thinking that using a JavaScript form checker may have been a bad choice, as people can download the source, modify the JavaScript, and run it, and I will have no way of knowing my code has been modified. How can I prevent this?
    In snatches, they learn something of the wisdom
    which is of good, and more of the mere knowledge which is of evil. But must I know what must not come, for I shale become those of knowledgedome. Peace~

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    The golden rule for web application security is "NEVER EVER trust client-side information".

    Any data that your web application is going to receive needs to be tested server-side and validated to prove that it is what it should be. For example, if it should be a number between 0 and 10, then make sure that it is. If these tests are done client-side, i.e. by JavaScript, it would take anyone with a small amount of skill about 10 seconds of work to bypass them. All these tests need to be done in your PHP code as well.

    Your PHP source code should be hidden from the user by the web server, but to make sure, give the files only execute rights, not read and not write. This means the OS should stop anyone from reading the PHP source code.

    Hope that helps.
    As you are doing a guest book, how are you planning to store the data?

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
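Server-side validation of the kind SittingDuck describes, written out as an added example (this is not code from the thread). It assumes the field names from the original poster's form (nick, email, homepage, msges) and a PHP 7 or later build with mbstring; the length limits and the character set allowed in a nickname are assumptions to adjust. Every rule the browser-side JavaScript enforces is re-checked here, and a field the client drops entirely is treated the same as an empty one.

```php
<?php
// Added example, not from the thread: server-side validation for the
// guestbook form. Field names follow the poster's script; the limits and
// the nickname character set are assumptions.
declare(strict_types=1);

const MAX_NICK = 40;    // assumed limit
const MAX_MSG  = 2000;  // assumed limit

/**
 * Validate the submitted fields and return a list of error strings.
 * An empty array means the entry is acceptable. Nothing here relies on
 * the browser having run any checks.
 */
function validate_entry(array $in): array
{
    $errors = [];

    // Missing keys become empty strings, so a client that omits a field
    // gets the same answer as one that sends it blank.
    $nick     = trim((string)($in['nick'] ?? ''));
    $email    = trim((string)($in['email'] ?? ''));
    $homepage = trim((string)($in['homepage'] ?? ''));
    $msges    = trim((string)($in['msges'] ?? ''));

    if ($nick === '') {
        $errors[] = 'nick: required';
    } elseif (mb_strlen($nick) > MAX_NICK) {
        $errors[] = 'nick: longer than ' . MAX_NICK . ' characters';
    } elseif (!preg_match('/^[\p{L}\p{N} ._-]+$/u', $nick)) {
        $errors[] = 'nick: only letters, digits, space, . _ - allowed';
    }

    if ($msges === '') {
        $errors[] = 'msges: required';
    } elseif (mb_strlen($msges) > MAX_MSG) {
        $errors[] = 'msges: longer than ' . MAX_MSG . ' characters';
    }

    // Optional fields: empty is fine, otherwise they must be well-formed.
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    if ($homepage !== '') {
        $parts = parse_url($homepage);
        if ($parts === false) {
            $errors[] = 'homepage: malformed URL';
        } else {
            // strip_tags() does nothing to a "javascript:" URL that later
            // lands in an href attribute, so the scheme is allow-listed.
            $scheme = strtolower($parts['scheme'] ?? '');
            if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
                $errors[] = 'homepage: must be an http:// or https:// URL';
            }
        }
    }

    return $errors;
}

// Constructed inputs: one honest submission, and one that skipped the
// JavaScript checker (no nick, bogus e-mail, javascript: homepage, oversize message).
$good = ['nick' => 'alice', 'email' => 'alice@example.com',
         'homepage' => 'https://example.com/', 'msges' => 'Nice site!'];
$bad  = ['email' => 'not-an-address',
         'homepage' => 'javascript:alert(1)', 'msges' => str_repeat('x', 3000)];

var_dump(validate_entry($good) === []);
print_r(validate_entry($bad));
```

The checks are deliberately allow-lists (what a value may look like) rather than deny-lists of bad tags, which is why they cover the javascript: URL case that tag stripping misses. When a submission fails, the script should refuse it and re-show the form; it should not try to "repair" the input, since the repaired value is then something the visitor never typed.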


  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    Data will be stored in a txt file since I don't have enough RAM or CPU speed to use MySQL or any other database. I did try MySQL once when I thought that it was required for Snort to work; I later learned that Snort could work without any database server and that MySQL was slowing down my computer.

    It is a good thing you pointed out server-side verification, as I was going to do all validation with JavaScript, but now that you mention it, I will write some sort of validation on the server side and at the same time use the JavaScript, perhaps knowing that if nobody messes with my JavaScript I will receive everything in the correct format; then when I check it with PHP I can open a window warning them that I detected they have modified my JavaScript.

    I have Windows, which was probably a bad decision to run a web server on due to security, but since I am struggling with getting Red Hat Linux to work with my graphics card, I took the chance and installed the web server on Windows. I did change some things, such as a limit of 6 visitors at the same time, so if 7 people are trying to view my site at the same time, one will be locked out. And my error 404 as well as headers have been spoofed to reduce the information spat out.

    Is there any way in a FAT32 file system to restrict access to execute only? There are no user groups on my system.


  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    181
    I guess that you are using IIS, which I have no experience in. But you can still make it secure even on Windows; it's just that it is a lot easier on Linux.

    Have you tried Apache for Win32?

    But whichever web server you use, it must be patched as soon as a new patch comes out.

    The fact that you are using a txt file to hold the information solves the problem of having to write validation against SQL injection. Therefore you need to protect against XSS: replace all < with &lt; and > with &gt; and ' with \' and " with &quot;. I think those are the main ones; does anyone want to add any more?

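An added example (not code from the thread) of the storage-and-display side of this advice: keep the raw, validated text in the txt file and do the < > " ' replacement at output time with htmlspecialchars(), which also covers & and turns the single quote into an HTML entity rather than a backslash escape. The file name, the field names and the record layout (one JSON object per line) are assumptions, as is a PHP 7.3 or later build for JSON_THROW_ON_ERROR.

```php
<?php
// Added example, not from the thread: flat-file guestbook storage with
// HTML encoding applied where the value is rendered, not where it is stored.
// File name, field names and record layout are assumptions.
declare(strict_types=1);

// In a real deployment keep this outside the document root (or deny it in
// the server config) so it cannot be fetched as a static file.
const GUESTBOOK_FILE = __DIR__ . '/guestbook.txt';

/** HTML-encode for both text and attribute contexts: & < > " ' are all handled. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Append one entry. The raw (already validated) strings are stored; escaping
 * depends on where a value is later placed, not on how it is stored. One
 * JSON object per line keeps the record boundary intact even when the
 * message contains newlines, so a visitor cannot forge an extra record.
 */
function append_entry(string $nick, string $email, string $homepage, string $msges): void
{
    $record = json_encode(
        ['ts' => time(), 'nick' => $nick, 'email' => $email,
         'homepage' => $homepage, 'msges' => $msges],
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE
    );
    $fh = fopen(GUESTBOOK_FILE, 'ab');
    if ($fh === false || !flock($fh, LOCK_EX)) {   // two posts at once must not interleave
        throw new RuntimeException('cannot open or lock guestbook file');
    }
    fwrite($fh, $record . "\n");
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
}

/** Read all entries back, skipping any line that fails to parse. */
function read_entries(): array
{
    if (!is_file(GUESTBOOK_FILE)) {
        return [];
    }
    $out = [];
    foreach (file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $rec = json_decode($line, true);
        if (is_array($rec)) {
            $out[] = $rec;
        }
    }
    return $out;
}

/** Render one entry; every dynamic value passes through h(). */
function render_entry(array $e): string
{
    $name = h($e['nick']);
    if ($e['homepage'] !== '') {
        // h() also protects the attribute context; the URL scheme itself
        // should have been checked when the entry was validated.
        $name = '<a href="' . h($e['homepage']) . '" rel="nofollow">' . $name . '</a>';
    }
    $when = date('Y-m-d H:i', (int)$e['ts']);
    // nl2br() runs after escaping, so the <br> it inserts is the only markup.
    return "<div class=\"entry\"><b>{$name}</b> <i>{$when}</i><p>"
         . nl2br(h($e['msges'])) . "</p></div>\n";
}

// Constructed sample: a homepage that strip_tags() leaves untouched (there is
// no complete tag in it) but which, placed unencoded in an href, would add an
// event-handler attribute; and a message with tags and a line break.
append_entry('eve', '', 'https://example.com/" onmouseover="alert(1)', 'hi <b>there</b>');
append_entry('bob', 'bob@example.com', '', "line one\nline two");
foreach (read_entries() as $entry) {
    echo render_entry($entry);
}
```

Encoding at output is what makes the stored file safe to reuse: the same record can later be put into an RSS feed or an e-mail with a different encoder, whereas text that was HTML-escaped before storage would have to be unescaped first.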


  9. #9
    Senior Member
    Join Date
    Jun 2002
    Posts
    148
    I am using a web server called KeyFocus Web Server from www.keyfocus.net

    Yes, I did try Apache for Windows; I unfortunately could not get it to work, but that was a long time ago. Since then I have also tried Simple Server from AnalogX, one called OmniHTTPd, Windows httpd and WebSite web server.

    I did get WebSite, Simple Server and Omni working, except for CGI, and since my original idea was to use the server for local testing only I figured I would be safe. But Omni was not working with CGI for me, so I found KF Web Server and am very pleased.

    Using your suggestions for validation server-side, I can see your point that anyone can bypass the JavaScript; to prove it to myself I did it, I bypassed the JavaScript. So last night I found a tutorial on making a guestbook with PHP, and from it I took the validation for email and form fields:

    if ($nick == "" || $msges == "") {
        // a required field is missing
    }
    and
    // eregi() no longer exists in PHP 7; preg_match() with the /i flag applies the same pattern
    if (!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $email) && $email != "") {


    I also used strip_tags to strip any HTML, SSI and JavaScript from form fields:

    $nick     = strip_tags($nick);
    $email    = strip_tags($email);
    $homepage = strip_tags($homepage);
    $msges    = strip_tags($msges);
    // ereg_replace() no longer exists in PHP 7; these are literal replacements
    // of the \" and \' escapes that magic_quotes_gpc used to add, so
    // str_replace() does the same job
    $msges = str_replace('\\"', "&quot;", $msges);
    $msges = str_replace("\\'", "'", $msges);
    $msges = nl2br($msges);

    I will add a few more checks. In JavaScript I already included a check to see if the maximum length for each field has been reached.

    Thank you for pointing that out to me; I hope to finish the PHP checking tonight. I checked the site for KeyFocus the other day but there were no updates available, but I expect one soon since, looking at the patch history, they seem to be releasing a patch every month or two.

    When I downloaded PHP I made sure it was the latest version, but I heard somewhere that if you download the newest version of software as soon as it is released it can be a bad idea, because that's when many exploits are found. Is this true? Should I wait a while before getting patches and updates?

