Hi All,
Apologies in advance if I am asking dumb questions...if anyone can point me to good resources I will read up as necessary...
I am on Shared hosting & have a number of sites (just set up in the last 2 weeks).
I set up webalizer to look at page stats & I see exit pages listed which do not exist on my site. I dug about in file manager and found a php script I did not create (owner is not listed as me either).
I am concerned that I have been lax in my setup & have compromised my data.
What precautions should newbies like me make when setting up a site?
And what can/should I do now to ensure I am safe from hacking?
Mango
04-09-2008, 11:00 AM
Hi Halo,
Yikes!
Glad you asked the question. Here are top three things I can think of. Hopefully others will chime in as well.
The first thing that comes to mind is prebuilt scripts such as forums, guest books, blogs, etc. phpBB in particular is a common one. The writers of these products tend to release security updates in relatively short order after an exploit is reported, but that will only help you if you download and install it. Some products, like WordPress, display a message on the admin panel if your installation is out of date. For others, check its website.
If you write your own scripts, never, never, ever trust user input. I once took over a site that included a script that displayed a specific file. The list of files was in a <SELECT> menu...and to my horror, I discovered the script did not check to make sure that the file requested was one of the allowed files. One could quite easily view any file on the server. The other common issue with user input is SQL injection. So if you use MySQL, always make sure to run mysql_real_escape_string on any user input, for example, search queries. (With this function, characters including " and ' are escaped and appear like \" and \'.)
Another thing I'd like to point out is PHP's register_globals. This lovely little feature converts all GET, POST, and COOKIE variables into global variables. So what once was $_GET['foo'] becomes $foo. At first this seems convenient, but it can actually be a security risk. Let's say you have a login script that compares a user name and password against a database. Perhaps administrators have special access to the server, so the script sets a variable called $is_admin to "yes". If register_globals was enabled, all someone would have to do is visit login.php?is_admin=yes and the script would promptly allow them access to any admin function they pleased. For security, I prefer to turn register_globals off.
Those are the top three issues, at least that I see. Anyone else?
-Mango
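As an added illustration (not code from the original thread) of the three points in Mango's post, here is the "display a specific file" script written defensively: the requested name is checked against an allow-list, $is_admin is initialised explicitly so register_globals cannot pre-set it, and the search query uses a PDO prepared statement, which is an alternative to mysql_real_escape_string rather than what the post describes. File names, the docs directory, and the posts table are constructed; PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the original thread.

// Only these files may ever be served, whatever the request says (constructed names).
const ALLOWED_FILES = ['about.txt', 'faq.txt', 'contact.txt'];

// Returns the filesystem path for $name only if it is on the allow-list,
// null otherwise. Strict in_array() so loose comparisons cannot match.
function allowedFilePath(string $name): ?string
{
    if (!in_array($name, ALLOWED_FILES, true)) {
        return null;   // rejects "../../etc/passwd", "config.php", etc.
    }
    return __DIR__ . '/docs/' . $name;   // hypothetical document directory
}

// Search with a prepared statement: the placeholder keeps the user's text
// as data, so there is no escaping step that can be forgotten.
// (Table and column names are constructed.)
function searchPosts(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE title LIKE :term');
    $stmt->execute([':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- request handling ---

// Initialise every variable the script relies on. With register_globals on,
// an uninitialised $is_admin could be set simply by visiting ?is_admin=yes.
$is_admin = false;

// Read input from the superglobal explicitly rather than from a bare $file.
$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';

$path = allowedFilePath($requested);
if ($path === null) {
    http_response_code(400);
    exit('Unknown file');
}
readfile($path);
```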