Security Thread, Get/Post your tips here!

Status
Not open for further replies.
Just bumping this thread back up so you can all check it once again!!!

This ain't one of them "It won't happen to me" shit! Look around you.. a lot of people have got hacked, so please read and implement ideas from this thread!
 
Really Important Tips .. Are these tips for forums only (VB..) or other scripts like WordPress and DataLife Engine?

Thanks LW.
 
Don't save passwords + KeyScrambler
If you're a freak about security and paranoid, encrypt your OS with TrueCrypt
Get a VPN if you can
If you're coding your own website, make sure you parse all user input/output properly so there's no chance of SQL injection, POST injection, XSS etc...
Have separate mails for different stuff, different passwords on everything
 
Not sure if this was stated before but for vBulletin webmasters:

- Change the location of your admin and mod directories. Make it something like yoursite.com/area51/adminx / modx, etc..

- Remove ALL admin login links from your site. This includes the admin and mod links in the footer, edit user profile in the members profile section, remove the forum options section in the topic display area, but leave the rest of the options as they only redirect to the basic login page.

- Never share your mod or admin link with anyone who asks. Give it to a staff member and establish a type of code he can say when he needs it again. This way if he was ever hacked and you ask him a question and he cannot answer, you will know it's not him.

This is definitely a handy little trick.

Also password protect the admin directory.

EDIT: Seen it in the original post. I just explained it a little bit more. xD
 
Great post, here's something I would add:

- On vBulletin, rename and move your config.php file
Code:
http://www.vbulletin.org/forum/showthread.php?t=198856
- While you should move your admin panel, also set up a fake one that is just a login screen, and get it to report any login attempts to you.
- If you're new to a vps then install CSF Firewall, it's not the best, but by far the easiest to use and learn. Also, follow the guides it has on it
- Don't delete the Install directory! Delete all the important files in it, except maybe a few useless text files, and an index.html so that they can't see the files. It gets the hackers' hopes up
- If you're on a vps, don't use the root account, make a new account with root privileges named something more genuine
- Once again, for a vps, disable /cpanel and preferably move the cPanel port
- Disable any file extensions you don't use, this could help deter scripts, and you can do this through .htaccess

Hope this helps some people
 
hi, someone please point me to a guide to prevent XSS attacks in forms by filtering, etc.
thanks.

btw there's an XSS vulnerability on tizag.com itself xD
 
XSS filtering is not easy to get perfect, but you can prevent a lot of attacks by converting the source value (search, comment) into its HTML entities.

Usually when I build a system I will sanitize all input as standard!

For instance
PHP:
// Recursively escape every value in a request array so that it can be
// echoed into HTML. ENT_QUOTES converts both single and double quotes.
function sanitize($input)
{
    if(is_array($input))
    {
        $temp = array();
        foreach($input as $k => $v)
        {
             $temp[$k] = sanitize($v);
        }
        return $temp;
    }
    return htmlentities($input, ENT_QUOTES);
}

$_GET = sanitize($_GET);
$_POST = sanitize($_POST);

$search = $_GET['search'];

If a user posts in your search box something like "<div />", the value of $search above will be "&lt;div /&gt;".

So if you use $search in your template / HTML file it's pretty safe.

Also take note of strip_tags and filter_var in PHP.
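The same idea carried a step further, as an added example that is not code from the thread: escaping is applied at the point where a value is written into HTML (rather than overwriting $_GET/$_POST), the charset is set explicitly, and the strip_tags / filter_var functions mentioned above are used for what they are good at (plain-text rendering and validation). The probe strings are constructed for the demo, and the `search` parameter is an assumed form field.

```php
<?php
// Added example (not from the thread): escape at output time, with the
// charset set explicitly, instead of rewriting the request arrays on input.

declare(strict_types=1);

// Escape a value for insertion into HTML text or a double-quoted attribute.
function escape_html(string $value): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of returning an empty string, which would silently
    // drop the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Recursively escape an array (e.g. a decoded form) while keeping its structure.
function escape_html_deep(mixed $data): mixed
{
    if (is_array($data)) {
        $out = [];
        foreach ($data as $key => $item) {
            $out[$key] = escape_html_deep($item);
        }
        return $out;
    }
    return is_string($data) ? escape_html($data) : $data;
}

// Validate an e-mail field with filter_var rather than trying to "clean" it:
// a value that does not validate is rejected, not repaired.
function validate_email(string $value): ?string
{
    $result = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

// Plain-text rendering: strip tags first, then escape whatever remains,
// because strip_tags alone does not touch quotes or stray '<' characters.
function render_plain(string $value): string
{
    return escape_html(strip_tags($value));
}

// Constructed probe inputs, the kind a search box or comment form receives.
$probes = [
    '<div />',
    '"><b>bold</b>',
    "' onmouseover='x'",
    "Caf\xC3\xA9",      // valid UTF-8
    "bad\xFFbyte",      // invalid UTF-8, handled by ENT_SUBSTITUTE
];

foreach ($probes as $p) {
    printf("%-28s -> %s\n", json_encode($p), escape_html($p));
}

// Using an escaped value inside a template (assumed 'search' form field).
$search = escape_html($_GET['search'] ?? '');
echo '<input type="text" name="search" value="' . $search . '">' . PHP_EOL;
```

Escaping on output keeps the raw value available for things that are not HTML (database parameters, logging, e-mail), where HTML entities would corrupt the data; the escape function is chosen per output context, and this one covers HTML text and double-quoted attributes only.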
 
I meant to mention that to you but I forgot to add it to the topic..

That piece of kit is really really good and cuts out loads of possibilities, but it's very bulky for its single purpose.
 
And what about null bytes?
Code:
http://php.net/manual/en/security.filesystem.nullbytes.php

and btw I null scripts my own when I can. If I can't or don't have time, then I use DGT or FS nulls.
 
Thread unstuck, mainly due to inactivity and the fact that litewarez himself stickied this thread when he was moderator.
 
I just wanted to talk about the PL1 fix for vBulletin 3.8.6.
You have to save this code in a file and upload it to your server (login as admin may be required, since I was logged in as admin when I tested it :p)
PHP:
<?php
// Run from the forum root so that global.php loads and $db is available.
require_once('global.php'); 
$db->query_write("DELETE from " . TABLE_PREFIX . "phrase WHERE varname = 'database_ingo'"); 
echo "successfully patched";
?>
and then just navigate to it using your browser.
That was the PL1 fix.
@NewEraCracker
for null byte vuln you can use addslashes
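For the null byte question raised above and the addslashes suggestion just given, here is an added example (not code from any poster in the thread) of the approach the linked php.net page describes: a user-supplied file name is validated and rejected when it contains a NUL byte or anything other than a simple name, before it ever reaches a filesystem call. The `attachments` directory and the input strings are assumed/constructed for the demo.

```php
<?php
// Added example (not from the thread): validate a user-supplied file name
// before it reaches the filesystem; reject rather than escape.

declare(strict_types=1);

// Directory the script is allowed to serve from (assumed path).
const ALLOWED_DIR = __DIR__ . '/attachments';

// Return an absolute path inside ALLOWED_DIR, or null if the name is rejected.
function safe_attachment_path(string $name): ?string
{
    // The underlying C library call stops at the first NUL byte, so the
    // extension that PHP "sees" after it is never part of the opened path.
    // Reject such input outright instead of trying to strip or escape it.
    if (str_contains($name, "\0")) {
        return null;
    }

    // Allow only a simple file name: alphanumerics, dot, dash, underscore,
    // no leading dot, no directory separators, and no '..' sequence.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name) !== 1
        || str_contains($name, '..')) {
        return null;
    }

    $base = realpath(ALLOWED_DIR);
    if ($base === false) {
        return null; // directory missing: nothing can be served
    }

    // realpath resolves symlinks and returns false for a missing file, so a
    // name that passed the syntax check must still resolve under $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Constructed inputs: a normal name, a traversal attempt, and two names
// carrying a NUL byte to mask the real extension.
$inputs = [
    'report.txt',
    '../config.php',
    "image.png\0.txt",
    "config.php\0",
];

foreach ($inputs as $in) {
    $result = safe_attachment_path($in);
    printf("%-24s -> %s\n", json_encode($in), $result ?? 'rejected');
}
```

Because the checks are an allow-list on the name plus a realpath containment test, the function does not depend on recognising every dangerous byte; anything that is not a plain existing file name directly inside the attachments directory is refused, and the raw name is never concatenated into a path that gets opened.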
 