| | #1 |
| Senior Warrior Member War Room Member Join Date: Aug 2003 Location: Jamaica.
Today one of my clients asked me to check why one of his guestbook scripts was redirecting to a p**n site. When I checked, some hackers had manipulated his folder under this guestbook script to upload some HTML files with redirect code.

Here are a few simple things to protect your scripts:

* Always upgrade to new versions of software, whatever it is, because many bugs or security issues will be answered in new versions of software.
* Secure the admin panels with secure passwords. (I have seen many people using regular names/words/simple 5 character passwords.)
* Avoid 777 permission in script folders. (This is not always possible on all software. If scripts are running under your user ID, you may not need 777 permissions.)
* Upload index.html/index.php (blank files) in the images folder, or other script folders, to prevent all files in those folders from being web accessible.
* Disable attachments or uploads if you are hosting forums or guestbooks, because these features need 777 permission for folders.
* Form handling: If you have forms on your site, make sure the form input data is processed by the scripts (like with Regexp) before entering into your database.
* Subscribe to your host's newsletter, especially if you have a VPS/dedicated server. They update you with security issues of the server software. Ask your host to update server-side programs like MySQL, PHP, CGI etc.
* Free software: If you have installed free scripts like WordPress, search Google for 'wordpress security'. You will get many tips on how to make your WP blog secure.
* Delete unnecessary scripts that you installed long ago and are no longer using.
| | #2 | |
| Howdy War Room Member Join Date: Jan 2008 Location: England
If you use cPanel hosting, go to 'Index Manager', click on 'public_html', select 'no indexing' and click save. This will prevent the folder contents being listed if there is no index.html / php file. Do this in conjunction with

Quote:

Code:
<? ?>
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=http://www.google.com">

Put this file in any directory that doesn't have an index file. You can change the URL to anything you want.
Watch this space..........
| | #3 |
| PHP Juggernaut War Room Member Join Date: Oct 2007 Location: Utah, USA
I would recommend always using index.html for your blank file, and removing the <? and ?> tags. That way, you're handling servers that don't process PHP. If you know that your host handles PHP, Valdor's example will work great.
| | #4 | |
| Senior Warrior Member War Room Member Join Date: Aug 2003 Location: Jamaica.
| Quote:
Another way is using .htaccess to restrict PHP files.

HTML Code:
<Files *.php>
Order Allow,Deny
Deny From All
</Files>
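
The checks suggested in this thread (777 folders, folders with no index file, HTML files carrying redirect code) can be run as one audit over a web root. This is an added example, not code from any post in the thread; the function names, the sample tree and the `redirect.example` URL are constructed for illustration.

```python
import os, pathlib, re, stat, tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}
PAGE_EXT = (".html", ".htm", ".php")
META_TAG = re.compile(rb"<meta\b[^>]*>", re.I)
REFRESH = re.compile(rb"http-equiv\s*=\s*[\"']?refresh", re.I)
TARGET = re.compile(rb"url\s*=\s*[\"']?([^\"'>\s]+)", re.I)

def redirect_target(path):
    """Return the URL of a <meta http-equiv=refresh> tag in the file, or None."""
    with open(path, "rb") as fh:
        head = fh.read(65536)  # redirect stubs are tiny, so cap the read
    for tag in META_TAG.findall(head):
        m = TARGET.search(tag)
        if REFRESH.search(tag) and m:
            return m.group(1).decode("latin-1")
    return None

def audit_webroot(root):
    """Return (world_writable_dirs, dirs_without_index, redirecting_files)."""
    writable, no_index, redirects = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:  # e.g. chmod 777
            writable.append(rel)
        if not INDEX_NAMES & {f.lower() for f in files}:
            no_index.append(rel)  # listable unless indexing is disabled
        for name in files:
            path = os.path.join(dirpath, name)
            url = redirect_target(path) if name.lower().endswith(PAGE_EXT) else None
            if url:
                redirects.append((os.path.relpath(path, root), url))
    return sorted(writable), sorted(no_index), sorted(redirects)

def build_sample_site(root):
    """Constructed sample tree (not from the thread) for trying the audit."""
    for sub, mode in (("guestbook", 0o755), ("images", 0o777)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    pages = {"index.html": b"", "guestbook/index.php": b"<?php ?>",
             "images/logo.gif": b"GIF89a",
             "guestbook/promo.html": b'<META HTTP-EQUIV="Refresh" '
                                     b'CONTENT="0;URL=http://redirect.example/">'}
    for rel, body in pages.items():
        pathlib.Path(root, rel).write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(audit_webroot(site))
```

Placeholder index files that use the meta refresh shown earlier in the thread are reported as well, so compare each reported target with the URL you set yourself.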
| Tags |
| scripts, simple, tips, vulnerable |