Monday, July 20, 2009

Security of your site - Dangerous Software!

Resource: http://webnet77.com/help/dangers.html

THE PROBLEM


It is true to say that the Internet is not the "safe" place it was 5 or 8 years ago when it was much smaller. Driven by the lust for money and infamy, SPAMMERS and hackers have become the scourge of the Internet. They employ the skills of whoever they can find to help them practice their illegal trade (Make no mistake, spam and server hacking is illegal) - even some of the top programmers help them from time to time. After all, it pays good money!

What this means for you if you have a website is that you dare not use any old script (we are referring to server side scripts) you find on any old site and install it on yours. If you do, you are likely to get yourself into a lot of serious trouble -- not only with your hosting company but also with the law. This is how it works. Badly written scripts can be used for a number of things. Here are four of the most common ones.

A badly written piece of code can be used to:

Hijack your mail server
Why would someone want to do this? The answer lies in the law - spamming is illegal in most countries and can get you prison time these days. If a spammer can use your website to send a couple of million (that is not a typo) SPAM emails, you will get into trouble with the law because it was your website that sent the spam.

Hijack your site or even the whole server
Ever seen all the Messages on a family friendly Message Board replaced with porn images? Or a whole website gone AWOL? That's the kind of thing we mean. Even more sinister is when the perpetrator uses stealth to intercept your email and monitor your outgoing mail - credit card numbers, passwords and other personal information can all be stolen in this fashion.

Hack other servers
Hacking of several servers is normally used by hackers when they want to orchestrate a massive DDOS (Distributed Denial of Service) attack on another [big] server like Yahoo or Hotmail. They normally install what is called a rootkit, which gives the hacker a "back door" into the server whenever he wants it.

Attack other servers
They refer to this as a DOS (Denial of Service) attack. One or more servers gang up on another server and overload it with data so that it crashes. You may remember from the news that Yahoo and Hotmail were attacked in this way not so long ago. Obviously this is illegal and there is serious prison time if the hackers get caught. Why do they do it? Beats me! Probably because they can.

Attack other end user PCs
Malicious code uploaded not by you but by a hacker (illegally and without your permission) onto your website can easily be used to attack the PCs of the people visiting your site. Other code uploaded to your site that sends out a virus email to thousands of people is yet another one of many ways your website can be used to attack the very people you are trying to encourage to visit your website.


WHERE IT STARTS


A customer once sent us the following Perl code (see THE CODE below) which he got off some free site with the following comment:

"I have got some cgi script from ____. It looks really neat. What do you think?"

Whilst we are pleased the customer had the forethought to check first, we were horrified at what we saw in the code...


THE CODE

#!/usr/bin/perl
if ($ENV{'REQUEST_METHOD'} eq 'POST') {
    # Get the input
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    # Split the name-value pairs
    @pairs = split(/&/, $buffer);
    # Load the FORM variables
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
    open (MESSAGE,"| /usr/lib/sendmail -t");
    # Format email header information
    print MESSAGE "To: $FORM{submitaddress}\n";
    if ($FORM{email} ne "") {
        print MESSAGE "Reply-To: $FORM{email}\n";
    }
    # Write the actual email message
    print MESSAGE "Subject: Feedback from $FORM{name} at $ENV{'REMOTE_HOST'}\n\n";
    if ($FORM{email} ne "") {
        print MESSAGE "Email: $FORM{email}\n"; }
    if ($FORM{reply} eq "yes") {
        print MESSAGE "Please reply.\n\n"; }
    print MESSAGE "What sayeth thou?\n\n";
    print MESSAGE "$FORM{feedback}\n";
    # Thank the user and acknowledge
    # the feedback
    &thank_you;
}

OBSERVATIONS - WHAT'S WRONG WITH THE CODE


This is exactly the kind of poorly written code unwitting webmasters download and install onto servers, and they end up either getting the whole server or their mail servers hijacked. It is one example of hundreds (maybe even thousands) of very poorly written scripts one gets from hundreds of places on the Internet. In less than 5 minutes we were able to isolate several major reasons why this particular piece of code should never be used on anyone's website.

* Firstly, the TO email address is passed to the script from a "hidden" field in an HTML form on the WWW. The script does absolutely no checking of the referring IP or URL, which means it can be called from anywhere - any 12-year-old with some computer savvy could hijack this script and have your site pumping out thousands of spam emails an hour!

* The $pair/$value variables are never checked or sanitised - so the script can be sent any characters you -- or worse still, an attacker -- want!

* NO validation of any kind is done on the email address. On some versions of sendmail this could cause a lot of problems if the script was being maliciously called.

* NO error trapping is done if sendmail does not open or close properly.

* There is no warn (or die) directive if sendmail does not close properly (because it never gets closed in the first place!), meaning there will be no record in the server log for diagnostic purposes if something does go wrong.
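To show what fixing each of those points looks like in practice, here is a hardened rewrite of the same form-mail script. This is an added example, not code from the original article or from the customer's script. It assumes sendmail lives at /usr/sbin/sendmail and uses webmaster@example.com as a placeholder recipient; the field names (name, email, reply, feedback) are the ones the original form used, and the helper names parse_form, valid_email, clean_header and send_feedback are my own. Instead of trusting a hidden form field (and therefore needing a referrer check), the recipient is fixed in the script, the reply address must match a conservative pattern before it is placed in a header, CR/LF is stripped from every header value, sendmail is started without a shell and without -t, and both open and close are checked and logged.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: a hardened rewrite of the form-mail script above.
# Assumptions (not from the original): sendmail is at /usr/sbin/sendmail,
# and the recipient is a placeholder you replace with your own address.
my $SENDMAIL  = '/usr/sbin/sendmail';
my $RECIPIENT = 'webmaster@example.com';
my $MAX_BODY  = 4000;        # longest feedback text we will relay
my $MAX_POST  = 64 * 1024;   # longest POST body we will read at all

# Decode an application/x-www-form-urlencoded body into a hash reference.
# Same decoding as the original, but names are decoded too and a pair
# without '=' no longer yields an undefined value.
sub parse_form {
    my ($buffer) = @_;
    my %form;
    for my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([a-fA-F0-9]{2})/chr(hex($1))/eg;
        }
        $form{$name} = $value;
    }
    return \%form;
}

# Accept a reply address only as one conservative local@domain token:
# no spaces, commas, angle brackets or CR/LF, so it cannot add headers
# or extra recipients to the message we hand to sendmail.
sub valid_email {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Header values must stay on one line: drop CR/LF and cap the length.
sub clean_header {
    my ($text, $max) = @_;
    $text = '' unless defined $text;
    $text =~ s/[\r\n]+//g;
    return substr($text, 0, $max);
}

# Build and send the message. Returns 1 on success, 0 on failure; every
# failure goes through warn, so it ends up in the server's error log.
sub send_feedback {
    my ($form) = @_;
    my $reply  = valid_email($form->{email}) ? $form->{email} : undef;
    my $name   = clean_header($form->{name}, 80);
    my $remote = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : 'unknown';
    my $body   = defined $form->{feedback} ? substr($form->{feedback}, 0, $MAX_BODY) : '';

    # List-form pipe open: no shell is involved, and the recipient is the
    # constant above rather than "-t" reading To: headers from our output.
    open(my $mail, '|-', $SENDMAIL, '-oi', $RECIPIENT)
        or do { warn "cannot run $SENDMAIL: $!"; return 0 };
    print $mail "To: $RECIPIENT\n";
    print $mail "Reply-To: $reply\n" if defined $reply;
    print $mail "Subject: Feedback from $name at $remote\n\n";
    print $mail "Email: $reply\n" if defined $reply;
    print $mail "Please reply.\n\n" if defined $form->{reply} && $form->{reply} eq 'yes';
    print $mail "$body\n";
    # close() of a pipe returns false if sendmail exits non-zero.
    unless (close $mail) {
        warn $! ? "error closing sendmail pipe: $!" : "sendmail exited with status " . ($? >> 8);
        return 0;
    }
    return 1;
}

if (defined $ENV{REQUEST_METHOD} && $ENV{REQUEST_METHOD} eq 'POST') {
    my $len = $ENV{CONTENT_LENGTH} || 0;
    if ($len > $MAX_POST) {
        print "Status: 413 Request Entity Too Large\nContent-Type: text/plain\n\nToo much data.\n";
        exit 0;
    }
    read(STDIN, my $buffer, $len);
    $buffer = '' unless defined $buffer;
    if (send_feedback(parse_form($buffer))) {
        print "Content-Type: text/plain\n\nThank you for your feedback.\n";
    } else {
        print "Status: 500 Internal Server Error\nContent-Type: text/plain\n\nSorry, your message could not be sent.\n";
    }
}
```

The important design choice is that nothing an anonymous visitor submits can ever decide who receives the mail: the only address that reaches sendmail as a recipient is the constant in the script, and the visitor's own address is used solely as a single-line Reply-To after it passes the pattern check. Rejected input is not "repaired", it is simply dropped, and every failure path writes a line to the error log so that an attempted abuse leaves a trace.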

AS A WEBMASTER WHAT SHOULD YOU DO


Even if you are an experienced, seasoned desktop programmer, unless you are an experienced Perl, PHP or Python programmer this probably applies to you too! (Fact is, most programmers are familiar with Desktop, PC and client software. Server software -- especially Internet software -- is an entirely different animal).

* Never download software from "hey, check out my cool free software" type sites. You will be buying yourself a whole world of trouble in most cases.

* Never modify scripts if you are not 100% sure. A customer recently modified a script he bought - he changed 4 lines of code. In just one of them he made a mistake. Just one line is all it took to get his mail server hijacked!

* Never download and install software you cannot find running on other [reputable] sites somewhere else on the Internet.

* Never use FormMail from Matt's Script Archive. On our servers we will suspend any domain that uses FormMail. See Top ten security attacks in 2008 for more information.

* DO NOT download software from places like CGI Resources, Hot Scripts etc. unless you are sure the author knows what s/he is doing. (We have nothing against these websites. On the contrary, they have many excellent scripts. The problem is anyone who thinks he's a programmer can write code and submit it to them, and they make no distinction between secure and badly written software.) If you want to find decent software to use on your site go to places like Perl.com or the Comprehensive Perl Archive Network and look there. Use the sites they recommend to get the software you need. (There is still no guarantee the software you download will be secure, but you stand a far better chance there than at the places where any wannabe can publish code.)

* Always be extra careful when using software that does any of the following. These are not security risks per se but are often the point of entry to a badly written script for the crafty hacker:
  o executes system commands from within the script,
  o sends email,
  o accesses and manipulates files on a server,
  o receives information from the internet, e.g. name, email address etc.,
  o deletes files or directories,
  o accesses and manipulates an SQL database.
  There are probably many more but these are the ones we have found to be most problematic.

* Always check with someone more knowledgeable than yourself before installing software on your site.

* Always check with other webmasters -- if you can -- whether a script is safe to use.

* Always search for more information on the background of the author/company of the particular script you want to use. Look for sites that do software and security reviews and see if you can dig up anything there. The search engine is your friend. Use it.

* If you are not an experienced programmer, find someone who is to help you find secure PHP/CGI programs for your site.
  NOTE: Delphi, VB, any flavor of C for desktop PCs doesn't count; experienced means experienced with web servers.

* The search engine is your friend - always do a search on the software you intend to install/purchase. Look for review sites that have commented especially on the security aspects of the software and stay away from it if there are any negative reports.


