lack o comments

[web] How to run a secure website?


I was recently thrust into the position of site administration by a friend and now that things are up and running I'm growing paranoid. The site already has a forum with a few dozen members, one of whom is a well known "1337 teh haxor11!!!11". At this time I am trying to lock down security. I've already looked into a few common topics about PHP scripts and SQL queries. I've read about confirming data from users and query strings, checking against known values, and stripping illegal symbols from such information. Now I want to know more about what needs to be done to the site directory itself, as well as any further coding techniques used in server scripts.

1. All pages are generated on "index.php" using a query string to find the correct content. When a page is loaded, the query string is checked against a table of known page files (through the use of a switch statement currently) and if found, that file is included into the script. Is there anything inherently insecure about this?

2. I have placed a default html page in every directory of the site in an attempt to make sure no one gains directory access. Is that the correct way of doing this? It seems to me that this trick will only work against web browsers.

3. What file attribute settings do I need for my directories? I really do not have a clue what I am doing. Through my ftp software I can set attributes for 'Owners', 'Groups', and 'Public' for each directory. I'm guessing that 'Owners' is when accessed by the server itself and 'Public' is when accessed remotely. 'Groups'? I have no idea. Perhaps a customizable group of users? At this time I have all folders containing PHP code set to allow access only from 'Owners' and all folders containing media allow read-only by 'Public'. Everything seems to work alright, but I still do not know entirely what I am doing.

All I am trying to do is make sure users do not simply access files from any given directory, download the content and pluck it apart for things like databases, passwords, further directory information, private admin information, etc...

1. Nothing I can see. So long as the string is used *only* for comparison with *reference strings*, it's OK. (i.e. not being used to show which page should be displayed, etc. i.e. index.php?test.html is bad, index.php?test is good).

2. Yep, that's good. (just as long as you have a blank index.htm and index.html in every directory. Maybe capture a 403 forbidden message for them, eh?)

3. The owner is the user who created that directory. (you, if you made them) So if I have rw access to \Test and I make \Test\Ect then I have the owner rights to \test\ect

Public is usually the anonymous user. So if you just, for example, type ftp://something.com, your browser will automatically log you on as the anonymous user (or give you a dialog asking you for a username and password if it's disallowed).

And a group is just a normal group of users. For example, "Administrators", "Moderators", "Gd.net+", "Backup user", etc. You just make up a group, give it a set of rights (i.e. backup user has read only rights to everything, administrators have full control of everything, etc.), and you then add user accounts to those groups.

I.e. admin is an administrator, nice coder is a forum user, backupme is a backup user, etc.

If you don't give a group rights to access a given directory, it defaults to deny, so they can't open it or read anything in it.

Hope this helps. (ps, are you using filezilla?)
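
The allowlist approach from question 1 and the first answer, as an added example that is not code from the thread: the query string is only looked up as a key and never becomes part of a path. It uses an array lookup in place of the switch statement the question describes; the `page` parameter, the page keys and the file paths are assumptions.

```php
<?php
// Added example: the 'page' parameter, keys and paths below are assumptions.

// Allowlist: request key => file on disk. Only these files can ever be included.
const PAGES = [
    'home'  => 'pages/home.php',
    'news'  => 'pages/news.php',
    'about' => 'pages/about.php',
];

/**
 * Resolve a user-supplied key to a file path, or null if it is not listed.
 * The input is only compared against the array keys; it is never
 * concatenated into a path, so its content cannot choose the file.
 */
function resolvePage($requested): ?string
{
    if (!is_string($requested)) {   // ?page[]=news arrives as an array
        return null;
    }
    return PAGES[$requested] ?? null;
}

// Constructed sample values, as they would arrive in $_GET['page'].
$samples = ['news', 'test.html', '../config', 'NEWS', ['news'], ''];
foreach ($samples as $input) {
    $file = resolvePage($input);
    printf(
        "%-14s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $file ?? 'not on the list: send 404'
    );
}

// In index.php the result would be used like this:
//   $file = resolvePage($_GET['page'] ?? 'home');
//   if ($file === null) { http_response_code(404); exit; }
//   require __DIR__ . '/' . $file;

// The pattern the reply calls "bad" lets the query string name the file:
//   include $_GET['page'];
```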

Just a little something else before I get back to work here: while I expect you are probably doing it, if you have an authentication system and 'members only' stuff, you want to build security into pages members can access etc (hence, if dodgy hacker browses directory tree somehow and clicks on member only stuff...he/she gets redirected to a standard illegal access portal etc...)

Either way, it all depends on the site design as to how best to prevent 'h4x', just use your head and think about the easy exploits -- because those will be the ones that happen, if any happen at all -- more hardcore people, sometimes -- but the person being stupid pretending to be a hacker can be just as painful if you're not careful.

~Shiny.

Quote:

ps, are you using filezilla?

That obvious huh ;) Yes, I prefer it over most web hosts' ftp pages.

One little issue bothering me: What exactly does 'execute' refer to? I assumed it referred to either CGI or server scripts. However, it seems that the site's artwork will not be displayed when this is disabled. I would have thought that image resources would fall under the 'read' category. But apparently, 'read' makes no difference. Is 'execute' a context sensitive term?

In Unix, when applied to a directory, "x" actually means "able to descend into". Turning it off disables all access, even with r and w on. (r is required to scan the directory, w to create new files, delete files etc).

Your problems sound significant.

Have you tried all of this out on your development server?

You should DEFINITELY not be editing anything directly on your production server without thoroughly testing it on your dev server first (which should run as close to the same software as you can manage).

Otherwise, a single error could cause a serious fault - and what if that fault were to mess up the database?

You MUST have a dev server. If you don't, don't modify the application, and refuse the position offered to you.

Mark

Don't worry =) Yes I have a test server set up (however, it is Windows with IIS, the host is not). That is what my posts the last few days have been dealing with. This isn't a very large project. At best there are two databases, one is for news/events the other is used by our forum software (phpBB). I am mostly just using this as a learning experience. Anyway...

When using Filezilla to ftp files I am able to set folder and file access permissions. There are three categories: Owner, Group, and Public. Each category has three settings that may be turned on/off: Read, Write, and Execute. All I want to know is why image files are not loaded by the browser when 'Execute' is disabled. I assumed it would be 'Read' that would affect such a thing.

No, the "X" bit is NOT required on *FILES* in order for images to be displayed etc.

I know this because almost none of my images have it set and they ALL work. This is not how Unix permissions work. "x" is only required (on normal files) to execute binaries or shell scripts.

HOWEVER, as I noted above, the "x" has a different meaning on *DIRECTORIES*.

Mark
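
The directory behaviour Mark describes in his two posts can be checked with a small script. This is an added example, not code from the thread; the scratch directory and file names are made up, and it assumes a Unix-like host and a non-root user.

```php
<?php
// Added example. Assumes a Unix-like host; run as a non-root user,
// because root bypasses these permission checks.
if (function_exists('posix_geteuid') && posix_geteuid() === 0) {
    exit("Run this as a non-root user.\n");
}

// Constructed scratch directory and file (hypothetical names).
$dir  = sys_get_temp_dir() . '/xbit_demo_' . getmypid();
$file = $dir . '/logo.png';
mkdir($dir, 0700);
file_put_contents($file, 'constructed sample bytes');
chmod($file, 0644);   // rw-r--r--: the file itself never has x set

/** Set the directory to $mode and try three operations as its owner. */
function probe(string $dir, string $file, int $mode): array
{
    chmod($dir, $mode);
    $result = [
        // listing names needs r on the directory
        'list names'  => @scandir($dir) !== false,
        // opening a file inside needs x on the directory and r on the file
        'read file'   => @file_get_contents($file) !== false,
        // creating a file needs w and x on the directory
        'create file' => @file_put_contents($dir . '/new.tmp', 'x') !== false,
    ];
    chmod($dir, 0700);            // restore access so cleanup works
    @unlink($dir . '/new.tmp');
    return $result;
}

// Owner bits tried in turn: rwx, rw-, r-x, -wx, --x
foreach ([0700, 0600, 0500, 0300, 0100] as $mode) {
    $cells = [];
    foreach (probe($dir, $file, $mode) as $what => $ok) {
        $cells[] = $what . ': ' . ($ok ? 'yes' : 'no');
    }
    printf("dir %04o  %s\n", $mode, implode('  ', $cells));
}

unlink($file);
rmdir($dir);
```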

Ah ok. After these last two posts I went and searched for documents about UNIX access specs. Now everything makes sense. [grin]

Thanks go out for all the help.
