Website Vulnerability Questions

         

palmpal

11:44 am on Jan 31, 2005 (gmt 0)




I would like to know more about what it means when a system is "hacked." I have a website that is hosted by a reputable hosting company. They run my site off an Apache server. Is this enough to prevent it from being hacked? Is the vulnerability with the hackers getting into their servers and ultimately my site, or is it more that the hackers figured out how to access my specific site on the Apache server and can now do as they please (delete files?)? Is this more an issue with hackers figuring out the password to my control panel? Are there things on my local computer that make it easier for a hacker to get to my website? And finally, can the hacker modify the website on my local computer? I'm just trying to figure out if I should be worried about this and what steps I can take to protect my site. Thanks.

tomda

12:02 pm on Jan 31, 2005 (gmt 0)




You are always vulnerable...

First, you need to find out if your server is configured with register_globals OFF or ON.

But the MUST is to always check all variables, especially if you have forms (from a simple guestbook to an advanced GD gallery), such as a username, which is usually composed of a-z, A-Z, 0-9 and the _ sign only.

It is good to always check if the variable exists, if yes, then check it is correct; if not, give it a default value.

Also, you need to use the htmlentities() function to make sure that ", ' and any other special characters are replaced by standard encoding (utf-8 or ISO) before inserting data in your database. So you should encode before doing any update/addition and decode to echo the variable.

Lastly, placing an index file (index.html) in your include files and any other folder is recommended to hide the name of your include folder.

If you are having difficulties, I may post some script when I get more time.

Tomda
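
The checks described in the reply above (the variable exists, it matches the allowed characters, otherwise it gets a default, and htmlentities() handles special characters), as an added PHP example that is not part of the original thread. The function names, the 32-character limit, the 'guest' default and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: helper names, limits and sample data are hypothetical.

/**
 * Return $source[$key] only if it exists, is a string and matches the
 * allow-list (a-z, A-Z, 0-9, underscore); otherwise return $default.
 * Reading from an explicit array such as $_POST means the code does not
 * depend on register_globals turning request fields into global variables.
 */
function get_username(array $source, string $key, string $default = 'guest'): string
{
    // 1. Does the variable exist? A field sent as username[]=x arrives as
    //    an array, so the type is checked as well.
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    // 2. Is it correct? \A and \z anchor the whole string; a bare $ would
    //    also accept a value that ends in a newline.
    if (preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $source[$key]) !== 1) {
        return $default;
    }
    return $source[$key];
}

/**
 * Encode free text (a guestbook comment, for instance) for HTML.
 * ENT_QUOTES makes htmlentities() convert both " and '; the encoding is
 * passed explicitly so the result does not depend on server defaults.
 * This covers HTML only; it does not make a value safe inside an SQL
 * statement.
 */
function encode_for_html(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request data standing in for $_POST.
$samples = [
    ['username' => 'palm_pal2005'],   // valid
    ['username' => "bob\n"],          // trailing newline
    ['username' => 'bob <b>'],        // characters outside the allow-list
    ['username' => ['nested']],       // wrong type
    [],                               // field missing
];
foreach ($samples as $post) {
    echo get_username($post, 'username'), PHP_EOL;
}

// Constructed comment containing both quote styles and markup.
echo encode_for_html('He said "hi" & it\'s <b>bold</b>'), PHP_EOL;
```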