Protection from SQL Injection and XSS Attack on CKEditor

Lazy coding got the better of me as one of the sites I built got hacked. The site is running on a custom PHP framework I built. Security-wise it was still in its infancy and a lot of security needs to be patched. Through SQL injection via the URL the hacker was able to get into my database and eventually cracked a user's password, then posted an XSS script through CKEditor, which got the site compromised further.

So here are some tips on how to patch up your system, based on experience; you can do further reading on each topic.
1. To avoid SQL injection: if your query string is something like

index.php?page=news

script kiddies and hackers love this. Make sure you validate the variable before you use it in a query on your database. If the value is pasted straight into the SQL text, something as simple as index.php?page=news' OR '1'='1 (the quote closes your string literal, the rest becomes SQL) could expose your whole table.

a. First turn off magic_quotes. Stop relying on it: it is deprecated (and removed in PHP 5.4), and it causes confusion over when addslashes/stripslashes is actually needed.

b. To sanitize, here are a couple of functions you can use: strip_tags() and mysql_real_escape_string(), applied to the passed variable before you use it in a SELECT or INSERT statement. Two caveats a practitioner should know: strip_tags() does nothing against SQL injection (it removes HTML, not quotes), and mysql_real_escape_string() only protects values that sit inside quoted strings, needs an open connection, and belongs to the mysql_ extension that PHP 7 removed. The reliable fix is a prepared statement (PDO or mysqli), so the value is bound as data and is never part of the SQL text.

c. Learn how to use Apache mod_rewrite. It lets you rename your query strings, and it is a good SEO tool, so from

index.php?page=news you get something like /page/news/

Keep in mind that this is cosmetic, not a security control: the rewritten value still arrives in $_GET['page'] and still has to be validated. A rewrite rule hides the parameter name; it does not sanitize the value.
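Step 1 end to end, as an added example that is not code from the post's own framework: the same `page` lookup written the vulnerable way (value concatenated into the SQL) and the hardened way (PDO prepared statement plus an allowlist on the shape of the value). The table and columns (`pages`, `slug`, `body`) and the connection details are assumptions.

```php
<?php
// Added example, not the original site's code. Table `pages` with columns
// `slug` and `body`, and the DSN/credentials below, are placeholders.

$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures are not silent
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

$page = $_GET['page'] ?? '';

// VULNERABLE: the request value becomes part of the SQL text.
// index.php?page=news' OR '1'='1 turns the WHERE clause into one that matches
// every row, and a UNION or a stacked query can read other tables.
function pageVulnerable(PDO $pdo, string $page): array
{
    $sql = "SELECT slug, body FROM pages WHERE slug = '" . $page . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value travels as a bound parameter, never as SQL text, so a
// quote inside it is data, not syntax. No escaping function is involved.
function pageSafe(PDO $pdo, string $page): array
{
    $stmt = $pdo->prepare('SELECT slug, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $page]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: a page name is not free text, so reject anything outside
// the expected shape before it reaches the database at all.
function validPageName(string $page): bool
{
    return preg_match('/^[a-z0-9_-]{1,32}$/', $page) === 1;
}

if (!validPageName($page)) {
    http_response_code(404);
    exit('Unknown page');
}

$rows = pageSafe($pdo, $page);
```

The allowlist is what makes the mod_rewrite version safe too: whether the value arrives as `?page=news` or `/page/news/`, it is validated and then bound, never concatenated.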

2. If you have users in your system, make sure their passwords are strong enough: uppercase, lowercase, digits, symbols and, above all, length. If an attacker pulls your users table through SQL injection, a weak password stored as a plain unsalted MD5 is not really "reversed"; it is brute-forced or looked up in a rainbow table in seconds. Store passwords with a slow, salted hash (bcrypt via password_hash()) rather than md5(), so that even a leaked table is expensive to crack.

NOTE: For testing I used a tool to try SQL injection on a copy of the website on my localhost; I was able to crack it in less than 5 minutes. That's how fast a hacker can compromise your system if security is weak.
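Step 2 in code, as an added example that is not the post's own code: a minimum strength policy at registration, bcrypt storage with password_hash(), verification with password_verify(), and a transparent migration of legacy MD5 rows on the next successful login. The `users` table (columns `id`, `username`, `password_hash`, `password_md5`) is an assumption.

```php
<?php
// Added example, not the original site's code. The `users` table layout
// (id, username, password_hash, password_md5) is assumed.

// Minimum policy at registration. Length does far more than character classes,
// so the length check is the one that matters most.
function strongEnough(string $plain): bool
{
    return strlen($plain) >= 12
        && preg_match('/[a-z]/', $plain) === 1
        && preg_match('/[A-Z]/', $plain) === 1
        && preg_match('/[0-9]/', $plain) === 1;
}

// Store with bcrypt: a random per-user salt is generated and embedded in the
// hash string, and cost 12 makes each guess deliberately slow.
function storePassword(PDO $pdo, int $userId, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $pdo->prepare(
        'UPDATE users SET password_hash = :h, password_md5 = NULL WHERE id = :id'
    );
    $stmt->execute([':h' => $hash, ':id' => $userId]);
}

// Login: verify against bcrypt, and upgrade any row that still holds a bare MD5.
function checkLogin(PDO $pdo, string $username, string $plain): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, password_md5 FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $userId = (int) $row['id'];

    if ($row['password_hash'] !== null) {
        if (!password_verify($plain, $row['password_hash'])) {
            return false;
        }
        // Re-hash if the cost parameter has been raised since this hash was made.
        if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
            storePassword($pdo, $userId, $plain);
        }
        return true;
    }

    // Legacy row: an unsalted md5 is exactly what a leaked table lets an attacker
    // crack in seconds. Compare in constant time, then replace it with bcrypt now.
    if ($row['password_md5'] !== null && hash_equals($row['password_md5'], md5($plain))) {
        storePassword($pdo, $userId, $plain);
        return true;
    }
    return false;
}
```

Because bcrypt output is self-describing (algorithm, cost and salt are all in the string), raising the cost later only needs the `password_needs_rehash()` branch; no column change is required.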

3. The WYSIWYG CKEditor is a great tool, but it opens up a lot of vulnerability: without properly sanitizing its input, anybody can put malicious JavaScript into your pages. Test your editor by entering

<script>alert("Test")</script>

If you see the alert box when the saved content is displayed, you are very susceptible to an XSS attack. The check has to be done on the server: anything the editor strips in the browser can simply be re-added by posting the form by hand.

Since CKEditor outputs HTML you can't just call strip_tags(), as it will strip away your HTML unless you pass it a list of allowed tags, and even then it keeps every attribute on the tags it allows, so <img onerror="..."> and href="javascript:..." get straight through. A better way is to install HTMLPurifier; it's free and open source, parses the HTML properly and rebuilds it against an allowlist of tags, attributes and URL schemes. Using it will dramatically reduce the chance of an XSS attack through your editor.
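Step 3 in code, as an added example that is not the post's own code: a constructed payload of the kind an attacker can submit through the editor form, the strip_tags() allow-list approach that still leaves it dangerous, and the HTMLPurifier configuration that rebuilds the markup against an allowlist. It assumes HTMLPurifier is installed through Composer (`vendor/autoload.php`); the classic `HTMLPurifier.auto.php` include works the same way. The cache directory is an assumption too.

```php
<?php
// Added example, not the original site's code. Assumes HTMLPurifier was
// installed with Composer; replace the include with HTMLPurifier.auto.php
// for a manual install.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample of what can arrive in $_POST from the editor form
// when the form is posted by hand, bypassing any client-side filtering.
$dirty = '<p>Hello <b>world</b></p>'
       . '<script>alert("Test")</script>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(1)">click</a>'
       . '<p style="background:url(javascript:alert(1))">styled</p>';

// What the post warns against: strip_tags() with an allow list keeps the tags
// you name together with every attribute on them, so the onerror handler and
// the javascript: href survive. This string is still an XSS payload.
$stillDangerous = strip_tags($dirty, '<p><b><img><a>');

// HTMLPurifier: parse properly, then emit only allowlisted tags, attributes
// and URL schemes. Everything not listed is dropped, including event handlers.
function editorPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,u,strong,em,a[href],ul,ol,li,br,img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);                      // rel="nofollow" on user links
    $config->set('Cache.SerializerPath', sys_get_temp_dir()); // writable cache dir (assumption)
    return new HTMLPurifier($config);
}

// Run this on the server when the content is saved (or rendered); the browser
// is never trusted to have done it.
function cleanEditorHtml(string $html): string
{
    return editorPurifier()->purify($html);
}

$clean = cleanEditorHtml($dirty);
// $clean keeps the paragraph and the bold text. The <script> block, the onerror
// attribute, the javascript: href and the style attribute are all removed.
```

Build the purifier once per request rather than per call in a real application; the definition cache is what keeps HTMLPurifier fast, which is why the cache path is set explicitly.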

4. If you are using CKFinder you must properly implement the CheckAuthentication() function in its config.php: simply returning true will allow anybody who knows the location of the connector to upload any file to your system. Good thing CKFinder upload is disabled for files with a .php extension, or the renamed shell script (file.php renamed to file.php.pdf) would have compromised my server further. Keep CKFinder's CheckDoubleExtension option on as well: Apache with AddHandler matches a handler on any extension in the name, so file.php.pdf can execute as PHP unless the upload is renamed to file_php.pdf first.
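Step 4 as an added example of the CKFinder 2 config.php hook, not the post's own file: the shipped default that lets every visitor upload, beside a version tied to the application's login session, plus the double-extension setting. The `$_SESSION['user_id']` key is an assumption about how the site tracks logins.

```php
<?php
// Added example, not the original site's config.php. The $_SESSION-based login
// and the 'user_id' key are assumptions about the application.

// WEAK (what the shipped config does): every visitor who finds the connector
// URL is treated as authenticated and can browse and upload files.
function CheckAuthenticationWeak()
{
    return true;
}

// CORRECT: CKFinder calls CheckAuthentication() before serving any request,
// so return true only for a user your own application has logged in.
function CheckAuthentication()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['user_id']) && (int) $_SESSION['user_id'] > 0;
}

// Keep the double-extension check on. With this enabled CKFinder renames
// shell.php.pdf to shell_php.pdf, so an Apache AddHandler rule that matches
// any ".php" segment in the name can no longer execute the upload as PHP.
$config['CheckDoubleExtension'] = true;
```

Only `CheckAuthentication()` is ever called by CKFinder; the weak variant is kept here under a different name purely to show the two side by side.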

Post Author: lopau

1 thought on “Protection from SQL Injection and XSS Attack on CKEditor”

    Omar

    (February 14, 2012 - 9:55 am)

    Thanks man. Very useful information. Props!
