Protector is a nice program. It already includes IP tables, etc. to bar intruders.
I also see a lot of code to stop exploits (sql injection, post/get injections, etc.).
Why don't we *encourage* the authors of security code mods to at least check for the Protector tables' existence, and then write the offending IP, and a note, to those tables. If the tables don't exist, then the function would always email the admin.
WE NEED TO MOVE TOWARDS A STANDARD SECURITY API (IMHO).
I don't think "die" message, or putting post/get thru intval and htmlspecialcharacters is enough. We need to trap the offender and stop them right there and then, before they try the next weapon in their arsenal.
A simple function api would do. Then everyone writing security mods would simply call that function in their "die" code (no thinking needed).
Raven has been talking about something like this also.
steven111 Lieutenant
Joined: Dec 30, 2003
Posts: 283
Posted:
Sat Mar 27, 2004 9:45 pm
Thanks for your support Tank,
I have had some early discussions with Raven regarding this, and I will see what he is doing in this area (his work is always good :D).
In the meantime, as a thought starter, this is what I am thinking. Please add ideas:
Code:
function protector_alert($comment, $type, $arg, $severity_level)
Input parameters:
$comment: security code's comments, e.g. "hack happened xyz..."
$type: 0=url 1=Get 2=Post 3=Union ...
$arg: URL if $type=0,1,2; SQL statement if $type=3
$severity_level: 0-10; ban=10, warnings are anything less than 10; they accumulate and if the total reaches 10, the IP is banned.
The code will write the IP number, the comments, type, arg, etc. to the Protector tables. If the Protector table does not exist, then it emails the info to the admin.
The Protector table may have to be modified slightly to account for the parameters. We are also introducing a warning type that does not ban automatically, e.g. if a user types in a legitimate SQL union statement (e.g. in SQL forums).
Last edited by steven111 on Mon Mar 29, 2004 11:41 am; edited 1 time in total
chatserv General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted:
Mon Mar 29, 2004 8:33 am
I agree with some of the points. Stopping the attacker from further attempts is a good idea, but I believe this process can be simplified. On the other hand, the comment "I don't think "die" message, or putting post/get thru intval and htmlspecialcharacters is enough." may be true to some extent, but I for one am more inclined to make the code more secure without the need for bells & whistles. If you can't attack, you will eventually get tired and move forward to another target, or get a life and start doing positive and constructive things with whatever "talent" you may have. I believe we can eventually reach this point; steps are being taken in that direction, so time will tell.
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
steven111 Lieutenant
Joined: Dec 30, 2003
Posts: 283
Posted:
Mon Mar 29, 2004 8:52 am
Chat,
You write a great deal of security patches. My point is that every time you do an "intval" patch, simply call the described routine. Easy to do, and a no-brainer. Therefore every security attempt is stopped and the offending IPs are managed thru the Protector admin interface (nice).
So for example, right now we do:
Code:
$topic_id = intval($_GET['t']);
instead, do this:
Code:
if (intval($_GET['t']) != $_GET['t']) {
    // hack detected
    protector_alert(....);
} else {
    // normal process
    ...
}
So I am asking for a standard way of trapping hack attempts. Every intval "die" trap without trapping the associated IP is a lost opportunity.
Last edited by steven111 on Mon Mar 29, 2004 9:08 am; edited 2 times in total
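The API sketched in steven111's earlier post and the intval check from this one, worked through as an added example. This is not the Protector mod's own code: the table names protector_alerts and protector_banned, the column layout, the PDO/SQLite handle (in memory so it runs offline, where PHP-Nuke would use its $db/$prefix layer) and the $notify_admin callback standing in for mail() are all assumptions. The "intval($x) != $x" comparison from the post is replaced with ctype_digit(), because the loose comparison accepts a value like "42abc" on PHP 7 (compared as 42 == 42) and only rejects it on PHP 8.

```php
<?php
// Added example of the protector_alert() API proposed in this thread; not the
// Protector mod's code. Assumed names: protector_alerts, protector_banned,
// and a PDO/SQLite handle in place of PHP-Nuke's $db/$prefix layer.

const PROTECTOR_BAN_THRESHOLD = 10;
const PROTECTOR_TYPES = [0 => 'url', 1 => 'get', 2 => 'post', 3 => 'union'];

function protector_table_exists(PDO $pdo, string $table): bool
{
    // sqlite_master is SQLite-specific; MySQL would use SHOW TABLES LIKE.
    $stmt = $pdo->prepare("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?");
    $stmt->execute([$table]);
    return $stmt->fetchColumn() !== false;
}

/**
 * Record a trapped attempt. Returns 'emailed', 'warned' or 'banned'.
 * Severity 10 bans at once; lower values accumulate per IP until they reach 10.
 */
function protector_alert(PDO $pdo, string $ip, string $comment, int $type,
                         string $arg, int $severity_level, callable $notify_admin): string
{
    if (!array_key_exists($type, PROTECTOR_TYPES)) {
        throw new InvalidArgumentException("unknown alert type $type");
    }
    $severity_level = max(0, min(PROTECTOR_BAN_THRESHOLD, $severity_level));

    // Fallback from the proposal: no Protector tables, so email the admin instead.
    if (!protector_table_exists($pdo, 'protector_alerts')) {
        $notify_admin(sprintf("[Protector] %s ip=%s type=%s severity=%d arg=%s",
            $comment, $ip, PROTECTOR_TYPES[$type], $severity_level, $arg));
        return 'emailed';
    }

    $ins = $pdo->prepare("INSERT INTO protector_alerts (ip, comment, type, arg, severity, created)
                          VALUES (?, ?, ?, ?, ?, ?)");
    $ins->execute([$ip, $comment, $type, $arg, $severity_level, time()]);

    // Warnings accumulate per IP; reaching the threshold bans.
    $sum = $pdo->prepare("SELECT COALESCE(SUM(severity), 0) FROM protector_alerts WHERE ip = ?");
    $sum->execute([$ip]);
    if ((int) $sum->fetchColumn() >= PROTECTOR_BAN_THRESHOLD) {
        $pdo->prepare("INSERT OR IGNORE INTO protector_banned (ip, reason) VALUES (?, ?)")
            ->execute([$ip, $comment]);
        return 'banned';
    }
    return 'warned';
}

/**
 * The "instead of a bare intval()" pattern from the thread, applied to ?t=.
 * Returns the topic id, or null after reporting a tampered value.
 */
function read_topic_id(array $get, PDO $pdo, string $ip, callable $notify_admin): ?int
{
    $raw = (string) ($get['t'] ?? '');
    // ctype_digit() rather than "intval($x) != $x": that loose comparison
    // treats "42abc" as equal to 42 on PHP 7 and only rejects it on PHP 8.
    if ($raw === '' || !ctype_digit($raw)) {
        protector_alert($pdo, $ip, 'non-numeric topic id in viewtopic', 1, $raw, 5, $notify_admin);
        return null;
    }
    return (int) $raw;
}

// --- constructed demo data (not a real request) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$mail = function (string $msg) { echo "MAIL TO ADMIN: $msg\n"; };
$ip = '192.0.2.10'; // documentation address, constructed

// Tables absent: the API degrades to emailing the admin.
echo protector_alert($pdo, $ip, 'UNION in search', 3, 't=42 UNION SELECT 1', 10, $mail), "\n";

$pdo->exec("CREATE TABLE protector_alerts (id INTEGER PRIMARY KEY, ip TEXT, comment TEXT,
            type INTEGER, arg TEXT, severity INTEGER, created INTEGER)");
$pdo->exec("CREATE TABLE protector_banned (ip TEXT PRIMARY KEY, reason TEXT)");

var_dump(read_topic_id(['t' => '42'], $pdo, $ip, $mail));     // int(42)
var_dump(read_topic_id(['t' => '42abc'], $pdo, $ip, $mail));  // NULL, severity 5 logged
var_dump(read_topic_id(['t' => "42'"], $pdo, $ip, $mail));    // NULL, total 10: banned
echo $pdo->query("SELECT COUNT(*) FROM protector_banned")->fetchColumn(), "\n"; // 1
```

The point of the design is the one made in the thread: a patch author changes a single line (the check calls protector_alert() in its failure branch) and the bookkeeping, the ban threshold and the "no tables, email instead" fallback live in one place. The severity argument is clamped to 0-10 so a caller cannot accidentally ban on a single low-confidence warning.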
chatserv General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
Posted:
Mon Mar 29, 2004 9:04 am
Like I said, I agree with your point, but we all have our own style or methods, and if Protector already traps these IPs I see no reason for me to do a clone of it. Trust me on one thing: there's no such thing as a no-brainer where the work done by many of us is concerned. I'm sure the folks that created and work on Protector had a lot of thinking to do when they came up with the code; the same applies to any patch I do. Placing a variable check at random is easy and a no-brainer; knowing where to place it and which method to use requires some thought.
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
steven111 Lieutenant
Joined: Dec 30, 2003
Posts: 283
Posted:
Mon Mar 29, 2004 9:10 am
Sorry, Chat, I edited my post after you posted to make it more clear.
What I am asking for is that when a security patch is issued, the trapped hacks are ALWAYS written to a standard function. It is a coding discipline.
By no-brainer, I mean that always including the security function is a cut-and-paste job and does not require extra effort by the person coding the security patch.