my codeigniter site hacked
Posted: 19 November 2010 01:41 PM
Joined: 2010-03-14
47 posts

Someone broke into my site and deleted all database entries and added abusive words. I received all form data using $this->input->post(). How can I make my other sites safe? How did he break into my site? Can someone check this site www.asif.byethost16.com and let me know what security loophole is there?

 
Posted: 19 November 2010 02:56 PM   [ # 1 ]   [ Rating: 0 ]
Joined: 2010-01-28
236 posts

ouch.. that hurts to read a post like this..

First of all you need to make your post/get inputs XSS clean.
You can do it in /application/config/config.php

change the rule:

$config['global_xss_filtering'] = FALSE;

to:

$config['global_xss_filtering'] = TRUE;

And always check what to expect from your inputs.
For example, if you're expecting a number (int) then make a check on it.
Things like that.

What do you see in your logs?
check them.

I hope you have a backup to restore the lost data?

 
Posted: 19 November 2010 03:03 PM   [ # 2 ]   [ Rating: 0 ]
Joined: 2010-03-14
47 posts

Thanks for your reply. Can you tell me how I can check my logs? I have enabled XSS security already for my other site. Thank God this was a test version of my site.

 
Posted: 19 November 2010 03:07 PM   [ # 3 ]   [ Rating: 0 ]
Joined: 2010-01-28
236 posts

Do you have root rights on your server?
Look for the apache.log or httpd.log

Maybe it’s in your control panel or something similar?

Some code of your application here would be nice to give you some tips.

 
Posted: 19 November 2010 03:21 PM   [ # 4 ]   [ Rating: 0 ]
Joined: 2007-02-06
743 posts

Bart v B - you are next!

This is sql injection and has nothing to do with xss. Escape all sql input. Use $this->db->escape(), query bindings, or active record.

 Signature 

“I am the terror that flaps in the night”
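
The three escaping options Rick lists, side by side with the string-concatenated query they replace. This is an added example, not code from the thread or from CodeIgniter; it assumes a CodeIgniter 1.x model (the poster never showed his Discipline_model), and borrows the table and column names from his controller.

```php
<?php
// Added example: the same lookup written the injectable way and three safe ways.
// Assumes CodeIgniter 1.x (Model base class, parent::Model()); the model name
// and method names are mine, the table/column names come from the controller.
class Discipline_model extends Model
{
    function Discipline_model()
    {
        parent::Model();
    }

    // INJECTABLE: $name is pasted into the SQL text. A value that contains a
    // single quote ends the string literal and the rest of the value becomes SQL.
    function find_by_name_unsafe($name)
    {
        $sql = "SELECT * FROM discipline WHERE discipline_name = '" . $name . "'";
        return $this->db->query($sql)->result();
    }

    // 1. Manual escaping: escape() both quotes and escapes the value, so do not
    //    wrap it in quotes yourself.
    function find_by_name_escaped($name)
    {
        $sql = "SELECT * FROM discipline WHERE discipline_name = "
             . $this->db->escape($name);
        return $this->db->query($sql)->result();
    }

    // 2. Query bindings: each ? is replaced by the matching array element,
    //    escaped by the driver.
    function find_by_name_bound($name)
    {
        $sql = "SELECT * FROM discipline WHERE discipline_name = ?";
        return $this->db->query($sql, array($name))->result();
    }

    // 3. Active Record: values passed as array elements are escaped when the
    //    query is assembled. Caveat: a raw where() string such as
    //    where("discipline_name = '$name'") is NOT escaped; pass arrays.
    function find_by_name_ar($name)
    {
        return $this->db
                    ->get_where('discipline', array('discipline_name' => $name))
                    ->result();
    }

    // The insert the poster says he uses. Active Record escapes every value in
    // $data here, so escaping it again beforehand would store doubled backslashes.
    function insert_data($data)
    {
        $this->db->insert('discipline', $data);
        return $this->db->insert_id();
    }
}
```

Any of the three safe forms keeps user data in the value position of the query; the concatenated form is the only one where the data can change the query's structure.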

 
Posted: 19 November 2010 03:35 PM   [ # 5 ]   [ Rating: 0 ]
Joined: 2010-01-28
236 posts

Rick, no I am not next ;)

I am using Query Bindings or Active Record, depending on what mood I am in.
That's why I asked the topic starter to share some code, so that we can help him.

 
Posted: 19 November 2010 03:57 PM   [ # 6 ]   [ Rating: 0 ]
Joined: 2007-02-06
743 posts

Good stuff Bart. You can see how I’d jump to that conclusion considering you are suggesting xss filtering to prevent sql injection attacks.

 Signature 

“I am the terror that flaps in the night”

 
Posted: 19 November 2010 04:18 PM   [ # 7 ]   [ Rating: 0 ]
Joined: 2010-03-14
47 posts

<?php
class discipline extends Controller
{
    // Form label => database column; the loop in create() copies exactly these fields
    private $fields = array(
        'id'=>             'discipline_id',
        'Name: '=>         'discipline_name',
        'Duration: '=>     'discipline_duration',
        'Credit Hours: '=> 'discipline_credit_hours'
    );
    private $tbl_name   = "discipline";
    private $id_field   = 'discipline_id';
    private $name_field = 'discipline_name';

    private $saved         = "Record has been Saved, You can Enter another Record.";
    private $updated       = "Record Updated.";
    private $deleted       = "Record has been deleted, You can delete another Record.";
    private $select_option = "Please Select an option from Menu on right side.";

    private $subnavi = array(
        'Add New study program'   => 'discipline/create',
        'View All study programs' => 'discipline/retrive'
    );

    //-----------------------------------------------------------------------------------------
    function discipline()
    {
        parent::Controller();
        $this->load->database();
        $this->load->library('table');
        $this->load->model('discipline_model');
    }

    //-----------------------------------------------------------------------------------------
    function index($option="")
    {
        $data=array();
        $data['messageInMain']="";
        $data['title']=$this->tbl_name;
        $data['main']=$this->select_option;
        $data['subnavi']=$this->subnavi;
        $data['tablename']=$this->tbl_name;
        $data['currentsubmenu']='';
        $data['pagination']='';

        redirect('discipline/retrive');
        // redirect() sends the Location header and exits, so the view below is never loaded
        $this->load->view('mainpage.php',$data);
    }

    //-----------------------------------------------------------------------------------------
    function create()
    {
        $data=array();
        $data['messageInMain']="";
        $data['title']="Register a new study program";
        $data['titleofmain']='Register a New Discipline';
        $data['subnavi']=$this->subnavi;
        $data['subnavititle']='Disciplines Options';
        $data['tablename']=$this->tbl_name;
        $data['currentsubmenu']='create';
        $data['pagination']='';

        if($this->input->post('submit'))
        {
            // Raw POST values (no validation, no XSS flag) are handed straight to the model
            $data1=array();
            foreach($this->fields as $description=>$field)
                $data1[$field]=$this->input->post($field);

            $this->discipline_model->insert_data($data1);
            $data['messageInMain']=$this->saved;
        }

        $data['list1']=array();
        $data['list2']=array();

        $this->load->view('mainpage.php',$data);
    }

    //-----------------------------------------------------------------------------------------
    // (the post ends here; the remaining controller methods were not included)
 
Posted: 19 November 2010 04:25 PM   [ # 8 ]   [ Rating: 0 ]
Joined: 2010-03-14
47 posts

@Rick I thought $this->input->post() was for MySQL injection as well.

I tried to inject MySQL into my application's forms but did not succeed. Maybe I'm not very good at injecting.

So please let me know what the solution to this problem is. I am really scared now.

 
Posted: 19 November 2010 04:29 PM   [ # 9 ]   [ Rating: 0 ]
Joined: 2010-06-04
63 posts

Be sure to read the documentation on the input class. Be sure to validate your input then pass it through the XSS filter (even if that wasn't the cause of you getting compromised). I personally shy away from turning on XSS filtering in the config file sitewide because I don't want the overhead and always do it on every form field anyways. For example: $this->input->post('field_name', TRUE);

You should be doing two things:

1. Use validation rules on all your form input (trusted or not). There you can make sure you're getting numbers when you expect numbers, only valid alphanumeric characters if that's what you want, etc. You can even do the XSS filtering in there.

2. Use active records, as it's another line of defense against SQL injections.

 Signature 

~ Boo-Ya.
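
The two steps above applied to the poster's create() action, as an added example (my code, not from the thread or from CodeIgniter). It keeps his field, model and view names and assumes CodeIgniter 1.7's Form Validation library; the rule choices are mine.

```php
<?php
// Added example: create() with validation rules in front of the Active Record insert.
// Assumes CI 1.7 (form_validation library, validation_errors() from the form helper).
function create()
{
    $this->load->library('form_validation');
    $this->load->helper('form');   // provides validation_errors()

    // One rule set per field. Prepping rules (trim, xss_clean) run first, then the
    // checks; a duration or credit-hours value that is not a positive integer never
    // reaches the model, and the name is length-capped and XSS-filtered.
    $this->form_validation->set_rules('discipline_name', 'Name',
        'trim|required|max_length[100]|xss_clean');
    $this->form_validation->set_rules('discipline_duration', 'Duration',
        'trim|required|is_natural_no_zero');
    $this->form_validation->set_rules('discipline_credit_hours', 'Credit Hours',
        'trim|required|is_natural_no_zero');

    $data = array(
        'title'         => 'Register a new study program',
        'messageInMain' => '',
    );

    if ($this->form_validation->run() === TRUE)
    {
        // Copy only the fields that have rules, never the whole POST array.
        // set_value() returns the value after the prepping rules were applied.
        $row = array();
        foreach (array('discipline_name', 'discipline_duration', 'discipline_credit_hours') as $f)
        {
            $row[$f] = $this->form_validation->set_value($f);
        }
        $this->discipline_model->insert_data($row);   // Active Record insert escapes the values
        $data['messageInMain'] = 'Record has been Saved, You can Enter another Record.';
    }
    else
    {
        // Empty on the first (GET) display, the list of failed rules after a bad POST.
        $data['messageInMain'] = validation_errors();
    }

    $this->load->view('mainpage.php', $data);
}
```

Validation here is about keeping the data well-formed (a duration that is really a number); the SQL escaping still comes from the Active Record insert, not from the rules.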

 
Posted: 19 November 2010 04:37 PM   [ # 10 ]   [ Rating: 0 ]
Joined: 2007-02-06
743 posts
mysterious - 19 November 2010 09:25 PM

@Rick i thought $this->input->post() was for mysql injection as well.

No, that would be presumptuous since it would change input that I didn’t necessarily want inserted into a database.

I don’t see your model code, but if your insert uses active record, then it would be safe:

$this->db->insert('mytable', $array);

If so, your vulnerability is elsewhere.

 Signature 

“I am the terror that flaps in the night”

 
Posted: 19 November 2010 04:58 PM   [ # 11 ]   [ Rating: 0 ]
Joined: 2007-02-06
743 posts
mdvaldosta - 19 November 2010 09:29 PM

Be sure to read the documentation on the input class. Be sure to validate your input then pass it through the XSS filter (even if that wasn't the cause of you getting compromised). I personally shy away from turning on XSS filtering in the config file sitewide because I don't want the overhead and always do it on every form field anyways. For example: $this->input->post('field_name', TRUE);

You should be doing two things:

1. Use validation rules on all your form input (trusted or not). There you can make sure you're getting numbers when you expect numbers, only valid alphanumeric characters if that's what you want, etc. You can even do the XSS filtering in there.

2. Use active records, as it's another line of defense against SQL injections.

Some good advice, but I want to make some things clear. For a secure site:

1. Validation ISN’T necessary.
2. XSS filtering ISN’T necessary.

While:

1. Sql injection escaping IS necessary.
2. Filtering response output with htmlspecialchars($string, ENT_QUOTES) IS necessary.

XSS filtering is only necessary when displaying user input where HTML is allowed. Note that no XSS filtering library is 100% reliable, so use caution. Validation is a good idea, and useful for keeping input relevant and data types correct.

 Signature 

“I am the terror that flaps in the night”
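
Rick's second "IS necessary" item, output encoding with htmlspecialchars($string, ENT_QUOTES), as an added example (my code, not from the thread or from CodeIgniter). The h() helper is an assumption, CI ships no such function; the $row data is constructed.

```php
<?php
// Added example: encode on output, at the point where a stored value becomes HTML.
// h() is an assumed helper name (you could place it in application/helpers/).

function h($s)
{
    // ENT_QUOTES encodes ' as well as ", so the result is inert inside an attribute
    // delimited by either quote, not only inside element text. The charset argument
    // stops multi-byte sequences from being mis-parsed.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Builds one table row plus an edit field for a discipline record. Every value that
// came from the database goes through h(), whether it lands in text or an attribute.
function render_discipline_row(array $row)
{
    $html  = '<tr>';
    $html .= '<td>' . h($row['discipline_id']) . '</td>';
    $html .= '<td>' . h($row['discipline_name']) . '</td>';
    $html .= '<td><input type="text" name="discipline_name" value="'
           . h($row['discipline_name']) . '"></td>';
    $html .= '</tr>';
    return $html;
}

// Constructed row: ordinary text that nonetheless contains every character a
// browser would otherwise read as markup or as an attribute delimiter.
$row = array(
    'discipline_id'   => 7,
    'discipline_name' => 'Maths & "Stats" <advanced> \'101\'',
);

echo render_discipline_row($row), "\n";

// Contrast: echoing $row['discipline_name'] unencoded hands those same bytes to the
// browser as markup. That, not the storage step, is where XSS happens, which is why
// the encoding belongs in the view regardless of what xss_clean did on input.
```

Encoding at output also means the database keeps the user's actual text (an ampersand stays an ampersand), so the same row can later be emitted as JSON or plain text without undoing an HTML-specific transformation.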

 
Posted: 20 November 2010 12:34 AM   [ # 12 ]   [ Rating: 0 ]
Joined: 2010-03-14
47 posts

Rick I am using $this->db->insert to insert data into database.

 
Posted: 20 November 2010 02:20 AM   [ # 13 ]   [ Rating: 0 ]
Joined: 2009-08-06
23 posts

Would it be prudent to suggest that escaping data be done within form validation natively, as a prepping rule? Something along the lines of:

$this->form_validation->set_rules('message', 'Comment', 'required|xss_clean|escape');

Or can this alternatively be achieved here using the native php function?

(I ask because I haven't explicitly tried escaping as a prepping mechanism during validation.)

 
Posted: 21 November 2010 12:14 AM   [ # 14 ]   [ Rating: 0 ]
Joined: 2009-02-19
4325 posts
Circuitbomb - 20 November 2010 07:20 AM

Would it be prudent to suggest that escaping data be done within form validation natively, as a prepping rule? Something along the lines of:

$this->form_validation->set_rules('message', 'Comment', 'required|xss_clean|escape');

Or can this alternatively be achieved here using the native php function?

(I ask because I haven't explicitly tried escaping as a prepping mechanism during validation.)

If you use Active Record, data is automatically escaped when you insert or update.  If you do it manually in the validation and then use active record to store it, it will probably get escaped 2x and mess things up.

 Signature 
 
Posted: 21 November 2010 02:48 AM   [ # 15 ]   [ Rating: 0 ]
Joined: 2007-07-05
656 posts

Do you have any other PHP code on the server apart from your CI code?

Do you have any facility to upload files via the website?

A lot of hacks these days find some way to upload a code file to the server that can be used to perform whatever action they want.

It is certainly possible the hack was caused by SQL injection, since the only thing reported to have been changed was the database, but it is just as likely that a PHP file was uploaded to the server, giving the hacker control to do as they want.
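
One way to check for the uploaded-file case the post describes: list every PHP file under the document root that sits outside the directories a CodeIgniter 1.x install is expected to contain, or that changed after a cut-off time. This is an added stand-alone script, not from the thread or from CodeIgniter; the $docroot argument, the allowed prefixes and the one-week cut-off are assumptions to adjust to your layout.

```php
<?php
// Added example: report PHP files that an upload-based compromise would leave behind.
// Assumptions: the layout below (system/, application/, index.php) and the cut-off.

function find_suspect_php($docroot, array $allowed, $newer_than)
{
    $docroot = rtrim(realpath($docroot), '/');
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS));

    foreach ($iter as $path => $info) {
        if (!$info->isFile()) continue;
        if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') continue;

        $rel = substr($path, strlen($docroot) + 1);   // path relative to the docroot

        // Expected location: the file lives under one of the known prefixes.
        $expected = false;
        foreach ($allowed as $prefix) {
            if (strpos($rel, $prefix) === 0) { $expected = true; break; }
        }

        $reasons = array();
        if (!$expected)                      $reasons[] = 'outside expected dirs';
        if ($info->getMTime() > $newer_than) $reasons[] = 'modified after cut-off';
        if ($reasons) {
            $hits[$rel] = $reasons;
        }
    }
    ksort($hits);
    return $hits;   // relative path => list of reasons it was flagged
}

if (PHP_SAPI === 'cli') {
    $docroot = isset($argv[1]) ? $argv[1] : '.';
    // Assumed clean layout. A .php file under an uploads/ or images/ tree, or one
    // touched in the last week, is worth opening and comparing with a clean copy.
    $allowed = array('system/', 'application/', 'index.php');
    $cutoff  = time() - 7 * 24 * 3600;

    foreach (find_suspect_php($docroot, $allowed, $cutoff) as $rel => $why) {
        echo date('Y-m-d H:i', filemtime("$docroot/$rel")), "  $rel  (",
             implode(', ', $why), ")\n";
    }
}
```

Run it as `php find_suspect_php.php /path/to/docroot`. Files inside system/ that show up as recently modified are also interesting: a legitimate CodeIgniter upgrade changes them too, so compare flagged files against a pristine copy of the same CI release rather than trusting the timestamp alone. Pair the listing with the Apache access log the earlier replies mention, since a POST to a file the list flags is the request to look at first.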

 