PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: hacking by url rewriting
PostPosted: Fri Aug 22, 2014 8:16 am 
Forum Newbie

Joined: Fri Aug 22, 2014 8:11 am
Posts: 3
Hi all,

I have a security problem with my website, which is a social network (like Facebook).
Let me explain:

You can execute this page on my website:
http://www.SocialNetWork.com/ChangeStat ... aram=Hello
So your status becomes "Hello".

On your profile, you can create a link to a picture on the web, for example: <img src='http://www.hacking.com/pic.jpg'>

The problem is that a "hacker" created several Russian girl profiles and made links to pic.jpg on his server, and this .jpg file rewrites the URL to: http://www.SocialNetWork.com/ChangeStat ... param=Suck.
So when you visit his profile, the PHP code is launched, and the status OF THE VISITOR is changed!

I have no idea how to stop this.
If I check the variable $_SERVER['HTTP_REFERER'],
the value is empty or http://www.SocialNetWork.com, but never http://www.hacking.com ...

How can I stop a foreign picture from launching a PHP page on my website?

Thanks for the help!
PS: sorry for my English


PostPosted: Fri Aug 22, 2014 8:21 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
Require some sort of verifiable token with every submission. If the token is missing or incorrect, discard the request.

_________________
Supported PHP versions No longer supported versions


PostPosted: Fri Aug 22, 2014 8:22 am 
Forum Newbie

Joined: Fri Aug 22, 2014 8:11 am
Posts: 3
Nice!
Could you give me an example?


PostPosted: Fri Aug 22, 2014 8:30 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
Generate a random token -- hash microtime() and use the user's email as a salt, for instance -- and store that somewhere on the server. Sessions are a good option. Also insert the value in a hidden field in your form. When the form is submitted, compare the value contained in the hidden field with the value contained in session data. If they match, allow the request. If not, dump it.

_________________
Supported PHP versions No longer supported versions
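
The token check described in the post above, as an added example that is not part of the original thread. The helper names are hypothetical, the token comes from random_bytes() rather than a hash of microtime(), non-POST requests are rejected as well, and the requests at the bottom are constructed sample input.

```php
<?php
// Added example: hypothetical helper names; $session stands in for $_SESSION
// so the script runs from the command line without a web server.

// Create (once per session) and return the anti-CSRF token.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // random_bytes() is a CSPRNG; used here in place of hashing microtime().
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in the status form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES) . '">';
}

// Accept a status change only if it is a POST carrying the session's token.
function status_change_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;                       // <img src=...> can only issue GET
    }
    $sent   = $post['csrf_token'] ?? '';
    $stored = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || $stored === '') {
        return false;                       // missing token: discard
    }
    return hash_equals($stored, $sent);     // constant-time comparison
}

// Constructed requests, for demonstration only.
$session = [];
$token   = csrf_token($session);
echo csrf_field($session), "\n";
$cases = [
    'form post with token'   => ['POST', ['param' => 'Hello', 'csrf_token' => $token]],
    'image tag (GET)'        => ['GET',  []],
    'forged post, no token'  => ['POST', ['param' => 'Suck']],
    'forged post, bad token' => ['POST', ['param' => 'Suck', 'csrf_token' => str_repeat('0', 64)]],
];
foreach ($cases as $name => [$method, $post]) {
    printf("%-24s %s\n", $name, status_change_allowed($method, $post, $session) ? 'allowed' : 'discarded');
}
```

In a real page, pass $_SESSION (after session_start()), $_POST and $_SERVER['REQUEST_METHOD'] in place of the constructed values.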


PostPosted: Sat Sep 13, 2014 8:37 pm 
Forum Contributor

Joined: Mon Apr 14, 2008 11:06 pm
Posts: 158
Hi, hope this code helps:



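<?php
// Whitelist of page names mapped to the files they may load.
$page_files = array(
    'about'   => 'about.html',
    'photos'  => 'photos.html',
    'contact' => 'contact.html',
    'home'    => 'home.html',
);

// Only include a file whose key is in the whitelist; anything else
// (missing, non-string, or unknown value) falls back to the home page.
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';

if (array_key_exists($page, $page_files)) {
    include $page_files[$page];
} else {
    include $page_files['home'];
}
?>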


Regards,


Batoe


PostPosted: Sun Sep 14, 2014 12:37 am 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
The token Celauran speaks of is how you deal with "cross-site request forgery", that being the name for the vulnerability. In case you want to learn more about it.

Note that you can make the form use POST instead of GET, and in fact you should do that anyways, but it alone will not protect you. (Makes the problem more awkward to trigger maliciously, but still possible.)

