I'll add a few more things to the list:
- When you have sensitive information in GET variables and you have off-site links, the complete URL (with the QUERY STRING, i.e. all GET variables) will appear as the HTTP REFERER on those off-site links (when someone clicks on them), and that information can be used to hack your web server. Perfect examples of this scenario are forum systems. In the QUERY STRING you'll have the session id, and since anyone can post messages with links, someone can post a link to a web site that will monitor the HTTP REFERER field and use that information (the session id from the QUERY STRING) to attempt to hijack sessions (if they are coded poorly) and gain access to the forum system.
- In addition to IP locking, always check the HTTP REFERER, so that you can be sure (well, most of the time, at least) that the request came from pages that are located on your web server.
- Besides showing your server info (which is a bad thing, like InI said), you should also turn off all visible error reporting (PHP outputs all errors directly on pages). A malicious person, with the help of those error messages, can "probe" your web server and find possible exploits that can be used to gain access.
- Read the article "A Study In Scarlet: Exploiting Common Vulnerabilities in PHP Applications" for more information about common security mistakes made in PHP scripts...
And the list goes on and on and on...
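The following is an added example and is not code from the post above or from any project it mentions. It puts the poster's three points into one PHP front-controller fragment: errors go to a log instead of the page, the session id is kept in a cookie so it never lands in a QUERY STRING (and therefore never in an off-site HTTP REFERER), and state-changing requests are checked against the Referer and the client IP as the post recommends. The hostname `forum.example.com`, the log path and the function name `referer_is_local` are assumptions for illustration. One caveat the post does not mention: the Referer header is supplied by the client and is frequently blank or stripped, so the Referer check should be treated as a speed bump, not as the only defence for a form; the `Referrer-Policy` response header at the end is a later, browser-side control that stops the leak at its source.

```php
<?php
// Added example (not from the original post). Hardening the points raised above.

// 1. Keep PHP error output off the page; log it instead so it is still visible to you
//    but not to someone probing the server.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed log path
error_reporting(E_ALL);

// 2. Keep the session id out of the query string so it can never be carried in
//    an HTTP REFERER to an off-site link. Must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
session_start();

/**
 * True if $referer points at $expectedHost. Host comparison is case-insensitive;
 * a missing, empty or unparsable Referer is treated as "not local".
 */
function referer_is_local(string $expectedHost, ?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

$expectedHost = 'forum.example.com'; // assumed hostname of this site

// 3. IP locking: bind the session to the address that created it and drop the
//    session if a later request arrives from somewhere else.
if (!isset($_SESSION['client_ip'])) {
    $_SESSION['client_ip'] = $_SERVER['REMOTE_ADDR'];
    session_regenerate_id(true); // fresh id once the session carries state
} elseif ($_SESSION['client_ip'] !== $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session rejected: client address changed');
}

// 4. Referer check on state-changing requests (e.g. the "post message" form).
//    GET requests are left alone because Referer is often absent on them.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !referer_is_local($expectedHost, $_SERVER['HTTP_REFERER'] ?? null)) {
    http_response_code(403);
    exit('Request rejected: not from this site');
}

// 5. Tell browsers not to send our full URL to other origins at all.
//    Must be sent before any page output.
header('Referrer-Policy: same-origin');
```

Point 5 is the control that actually closes the hole described in the first bullet: even if some page still carries sensitive data in its query string, a same-origin referrer policy means the browser sends no Referer to an off-site link, so a forum post pointing at an attacker's logger sees nothing.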