Lazy coding got the better of me as one of the sites I built got hacked. The site is running on a custom PHP framework I built. Security-wise it was still immature and a lot of security holes needed to be patched. Through SQL injection via the URL the hacker was able to get into my database and eventually cracked a user's password, then posted an XSS script in the CKEditor, which compromised the site further.
1. To avoid SQL injection, if your query string is something like
Script kiddies and hackers love this; make sure you sanitize the variables before you run a SELECT query on your database. A simple index.php?page=news&1=1 could expose your DB.
a. First, turn off magic_quotes. Stop using it, as it is deprecated and causes confusion with addslashes()/stripslashes().
b. To sanitize, here are a couple of functions you can use: strip_tags() and mysql_real_escape_string(). Apply them to the passed variable before you use it in a SELECT or INSERT statement.
c. Learn how to use Apache mod_rewrite. You can rewrite your query strings, and it is a good SEO tool as well, so
index.php?page=news becomes something like /page/news/
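As an added example (not code from the original post or its framework), here is the kind of query-string lookup item 1 describes in its injectable form next to a hardened version. It goes a step beyond the post: it uses mysqli prepared statements instead of escaping each value with mysql_real_escape_string(), and adds an allowlist for the page parameter. It assumes a mysqli connection in $db and a hypothetical news table with an integer id column.

```php
<?php
// Added example, not code from the original post or its framework.
// Assumes a mysqli connection in $db (built with mysqlnd, the default since
// PHP 5.4) and a hypothetical table `news` with an integer `id` column.

// Before: the raw value from ?id= is pasted into the SQL text, so whatever
// is in the URL is parsed as part of the query instead of treated as data.
function newsVulnerable(mysqli $db, string $rawId): ?array
{
    $sql    = "SELECT id, title, body FROM news WHERE id = " . $rawId;
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// After: validate the type, then bind the value as a parameter. The driver
// sends it separately from the SQL text, so it can never alter the query.
// This replaces per-value escaping with mysql_real_escape_string(); note the
// ext/mysql functions the post mentions were removed entirely in PHP 7.
function newsHardened(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // non-numeric input (a quote, "1=1", ...) is refused
    }
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// For ?page=news the value names a route rather than a record, so an
// allowlist is simpler and safer than escaping: unknown pages are refused.
function resolvePage(string $rawPage): string
{
    $allowed = ['home', 'news', 'contact'];   // constructed list
    return in_array($rawPage, $allowed, true) ? $rawPage : 'home';
}

// Usage in index.php:
//   $page = resolvePage($_GET['page'] ?? 'home');
//   $row  = newsHardened($db, $_GET['id'] ?? '');
```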
2. If you have users in your system, make sure their passwords are strong enough: use uppercase, lowercase, special characters etc. If a hacker was able to do an SQL injection and got hold of your database info and users, they can reverse the MD5 of a weak password in seconds.
NOTE: For testing I used a tool to try SQL injection on a copy of the website on my localhost; I was able to crack it in less than 5 minutes. That's how fast a hacker can compromise your system if security is weak.
If you see the alert box, you are very susceptible to an XSS attack.
Since CKEditor outputs HTML you can't use strip_tags(), as it will strip away your HTML unless you pass it some parameters. A better way is to install HTMLPurifier; it is free and open source. Using it will dramatically reduce the chances of an XSS attack through your editor.
4. If you are using CKFinder you must properly set the CheckAuthentication function; simply having it return true will allow anybody who knows the location of the file to upload any file to your system. Good thing CKFinder upload is disabled for files with .php extensions, or the renamed shell script (file.php to file.php.pdf) would have compromised my server further.