Tips For Securing Your Dynamic Website
By Vesselin Drangajov
The recent boom in open source development has presented a unique opportunity to webmasters. Now everyone can run a site with advanced tools such as forums, shopping carts, galleries or blogs without having to invest much money or time. However, there are a number of security dangers that the novice webmaster should beware of when using open source applications and dynamic web scripts written in PHP or Perl. This article is meant to underline some of them.
Few webmasters realize the full responsibility they carry for maintaining their sites and especially for securing the software they use. Since scripts such as forums, shopping carts and galleries are interactive, they require a server-side scripting language, such as PHP or Perl, and a database to run properly. This, however, often leaves sites vulnerable to attacks carried out through code errors. These code errors, also known as exploits, enable hackers, spammers and other Internet offenders to deface websites and carry out other illegal activities.
The most common type of site abuse is using websites as drones for illegal activities such as spam or virus distribution. A common way of doing this is through faulty ‘Contact us’ email form scripts. Those scripts are really simple, but many of their developers still did not realize that someone can, and probably will, turn them into an open relay.
Those scripts work with an HTML form which contains the different input fields that need to be emailed. Those include Subject, Message and other information that the form will collect from the visitor. The weakness that attackers exploit is that developers often put the ‘To’ or ‘Cc’ fields in the HTML form as well. Once the visitor fills in the form, it is submitted to a dynamic script which takes the filled-in fields and executes the ‘mail()’ function found in both PHP and Perl.
Hackers abuse this by sending a modified request to the dynamic mailing script so that it sends messages to addresses from their spam lists. Since our servers – and those of most other web hosts – generally are not sources of spam, these spam messages run a lower risk of being detected by the receiving server.
The solution to this problem is simple: when creating the HTML form, put only the Subject or Text fields in it. All the other information – such as the To, From, CC or BCC addresses – should be specified explicitly in the dynamic PHP or Perl script. In this way you can be sure your email forms are spam-proof.
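As an added illustration (example code, not from the article), here is what a PHP ‘Contact us’ handler written along those lines looks like. The recipient address is a constant in the script, any ‘to’, ‘cc’ or ‘bcc’ field that arrives in the request is simply ignored, and, as an extra check the article does not mention, every value that ends up in a mail header is rejected if it contains a line break, since a line break is what lets a submitted value smuggle additional headers into the message. The recipient address, the sender address and the field names are assumptions.

```php
<?php
// Added example, not the article's code. Assumes the HTML form posts only
// "name", "email", "subject" and "message". Addresses are placeholders.

const SITE_CONTACT = 'webmaster@example.com';   // fixed recipient, never from the form
const FORM_SENDER  = 'contact-form@example.com'; // fixed local sender

// The faulty pattern the article describes takes the recipient from the request:
//     mail($_POST['to'], $_POST['subject'], $_POST['message']);
// Anyone can then point the script at their own list of addresses.

// Accept a value destined for a mail header only if it cannot break out of it.
function clean_header_value(string $value, int $max = 200): ?string
{
    if (preg_match("/[\r\n]/", $value)) {
        return null;                 // a line break would start a new header
    }
    $value = trim($value);
    return ($value === '' || strlen($value) > $max) ? null : $value;
}

// Build the message from the posted fields; returns null on any invalid input.
function build_contact_mail(array $post): ?array
{
    $name    = clean_header_value($post['name'] ?? '');
    $email   = clean_header_value($post['email'] ?? '');
    $subject = clean_header_value($post['subject'] ?? '');
    $message = trim($post['message'] ?? '');

    if ($name === null || $subject === null || $message === '' ||
        $email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Everything else in $post (including any "to", "cc", "bcc") is ignored.
    return [
        'to'      => SITE_CONTACT,
        'subject' => '[Contact form] ' . $subject,
        'body'    => wordwrap($message, 70, "\r\n"),
        // Reply-To lets staff answer the visitor; From stays a fixed local address.
        'headers' => 'From: ' . FORM_SENDER . "\r\nReply-To: $name <$email>",
    ];
}

$mail = build_contact_mail($_POST);
if ($mail === null) {
    http_response_code(400);
    exit('Invalid form submission.');
}
mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
echo 'Thank you, your message was sent.';
```

The important property is that nothing the visitor types can change who receives the message: the only address taken from the form is the visitor's own, and it is used solely as Reply-To after it has been validated.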
Another common problem that more complicated scripts and web applications face is arbitrary code execution – the ability of hackers to execute commands of their choosing on your hosting account. Generally the hosting server itself would not be harmed by this vulnerability, since the commands can be executed only within your hosting account. Hackers can, however, destroy your website or even steal sensitive content or database information this way.
If you are a web programmer, you should know how to secure your scripts against such attacks. If, however, you use open-source applications such as forums, galleries or shopping carts, the solution is simple: always update. All reliable open source applications have home or development community pages where they regularly publish update information and security alerts. Most mature applications also have detailed, and in most cases easy to follow, instructions on how to update. Important security updates for the most popular open source applications such as phpBB, osCommerce or Joomla are also featured in the Linux security bulletins. It is always a good idea to have yourself or your web developer subscribed to them.
Still, if you are not sure how to upgrade or protect your software, ask a question in the support forums and you will certainly get a quick answer. If you are completely lost, you can also ask your hosting provider. If they are sagacious enough, they will help you, since it protects their interests and servers as well.
Another common problem that database-driven applications face is called SQL injection. It occurs when the information submitted to a given script is not secured properly. For example, if you have a mailing list and a script with which subscribers can update their email address, an HTML form would submit to the PHP script a field called email. The PHP script would then execute a command on the database which would look like:
UPDATE `customers` SET `email`='New Email' WHERE ...
An offender, however, can submit the form with specially crafted content so that he has submitted not only the information that should be updated but also a harmful database query or command that will be executed:
UPDATE `customers` SET `email`='New Email' WHERE harmful SQL command ; ....
The way to prevent this is to properly escape – that is, replace – the characters that can tamper with the database commands. In this way, even if the hacker sends "New email ' WHERE" through the form, the script will store it safely as "New email \' WHERE".
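The following added example (not the article's code) shows the email update script in three forms: the faulty version that pastes the form value straight into the query, the escaped version the article recommends, and a prepared statement, which is the approach generally preferred today because the submitted value is never part of the SQL text at all and so there is no escaping step to forget. It assumes an open mysqli connection in `$db`, a `customers` table with `id` and `email` columns, and that the subscriber's id comes from the session rather than from the form; all of these are assumptions.

```php
<?php
// Added example, not the article's code. Assumes $db is an open mysqli
// connection and `customers` has integer `id` and string `email` columns.

// 1. The faulty pattern: the posted value lands inside the SQL string, so a
//    quote in it ends the literal and the rest is read as SQL.
function update_email_unsafe(mysqli $db, int $subscriber_id, string $email): bool
{
    $sql = "UPDATE `customers` SET `email`='$email' WHERE `id`=$subscriber_id";
    return (bool) $db->query($sql);
}

// 2. Escaping, as the article describes: real_escape_string() turns the
//    quote into \' (using the connection's charset), so the value stays data.
function update_email_escaped(mysqli $db, int $subscriber_id, string $email): bool
{
    $safe = $db->real_escape_string($email);
    $sql  = "UPDATE `customers` SET `email`='$safe' WHERE `id`=" . (int) $subscriber_id;
    return (bool) $db->query($sql);
}

// 3. Prepared statement: the query text is fixed and the values are bound
//    separately ('s' = string, 'i' = integer), so nothing in $email can
//    change the statement's structure. Input is also validated as an address.
function update_email_prepared(mysqli $db, int $subscriber_id, string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $db->prepare('UPDATE `customers` SET `email`=? WHERE `id`=?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $email, $subscriber_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Hypothetical request handling: the id comes from the login session, only the
// new address comes from the form.
$ok = update_email_prepared($db, (int) ($_SESSION['subscriber_id'] ?? 0), $_POST['email'] ?? '');
echo $ok ? 'Email updated.' : 'Invalid email address.';
```

With either of the two safe versions, the article's "New email ' WHERE" input simply becomes a (rejected or oddly spelled) email address; it never reaches the database as part of the command.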
The open source revolution is probably one of the best things that has happened to the Internet in the past 10 years. It has meant that you can now get much more for less. You can also quickly create applications using the shared knowledge and expertise of others. Webmasters and hosts should still work carefully and vigilantly to make sure that a site’s online presence, and the Net as a whole, remain safe.