Hack my homepage?
Software security issues are often obvious to a second pair of eyes. I just posted the PHP scripts for my personal contact homepage as an instructable:
Simple PHP personal contact homepage (web3.0!)
Can you hack it? Preferably a copy on your local machine and not on my actual server... I deleted all my administration files and classes prior to making this post, just in case.
I have two primary concerns:
1. General PHP injection attacks. Proper handling and escaping of form data.
2. The admin interface has a sessions based authentication mechanism. Login is compared to a MD5 hash of the password, then a session is created with an MD5 hash of the user's IP address. Each subsequent page load compares the authenticated session IP with the user's IP address (again, an MD5 of both). The goal is to prevent remote session stealing related flaws by tying the session to an (unknown...) IP address. Obviously if you have access to the local machine this is all moot, but there is little I can do about that. If an intruder were to get around the session authentication, they would be able to upload files just about anywhere on my server using the admin upload interface. This is a bit of a concern...
I think in light of this, I'm going to add an option to limit the web admin interface to one IP address. My IP is fairly static, and if it changes, simply upload a new config file by ftp.
Simple PHP personal contact homepage (web3.0!)
Can you hack it? Preferably a copy on your local machine and not on my actual server... I deleted all my administration files and classes prior to making this post, just in case.
I have two primary concerns:
1. General PHP injection attacks. Proper handling and escaping of form data.
2. The admin interface has a sessions based authentication mechanism. Login is compared to a MD5 hash of the password, then a session is created with an MD5 hash of the user's IP address. Each subsequent page load compares the authenticated session IP with the user's IP address (again, an MD5 of both). The goal is to prevent remote session stealing related flaws by tying the session to an (unknown...) IP address. Obviously if you have access to the local machine this is all moot, but there is little I can do about that. If an intruder were to get around the session authentication, they would be able to upload files just about anywhere on my server using the admin upload interface. This is a bit of a concern...
I think in light of this, I'm going to add an option to limit the web admin interface to one IP address. My IP is fairly static, and if it changes, simply upload a new config file by ftp.
Vancouver Mini Maker Faire 2012
Rebuilding NordicTrack ski machine drive rollers
Looking for New Zealand-based Instructables authors for conference on August 27 in Wellington
Call to makers - Brighton Mini Maker Faire
Milk Crates - not as green as you think
TEDxBaghdad - Iraq - violence, dust storms and open sourced manufacturing
UK Mini Maker Faire - The Derby Silk Mill - New Poster to Share!
