Hack my homepage? Answered
Software security issues are often obvious to a second pair of eyes. I just posted the PHP scripts for my personal contact homepage as an instructable:
Simple PHP personal contact homepage (web3.0!)
Can you hack it? Preferably a copy on your local machine and not on my actual server... I deleted all my administration files and classes prior to making this post, just in case.
I have two primary concerns:
1. General PHP injection attacks. Proper handling and escaping of form data.
2. The admin interface has a session-based authentication mechanism. Login is compared to an MD5 hash of the password, then a session is created with an MD5 hash of the user's IP address. Each subsequent page load compares the authenticated session IP with the user's IP address (again, an MD5 of both). The goal is to prevent remote session-stealing related flaws by tying the session to an (unknown...) IP address. Obviously if you have access to the local machine this is all moot, but there is little I can do about that. If an intruder were to get around the session authentication, they would be able to upload files just about anywhere on my server using the admin upload interface. This is a bit of a concern...
I think in light of this, I'm going to add an option to limit the web admin interface to one IP address. My IP is fairly static, and if it changes, simply upload a new config file by ftp.
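The login and per-page check described in the post, written out as an added PHP example that is not the instructable's own code. It keeps the idea of binding the session to the client's IP and the proposed single-IP restriction, but uses `password_hash()`/`password_verify()` instead of a bare MD5 comparison, `session_regenerate_id()` against session fixation, `hash_equals()` for constant-time comparison, and hardened session cookie flags. The constants, function names and the `203.0.113.10` address are constructed placeholders; PHP 7.3 or later is assumed for the `samesite` cookie option.

```php
<?php
// Added example, not the instructable's code. All constants are constructed
// placeholders: replace ADMIN_PASSWORD_HASH with the output of
// password_hash('your-password', PASSWORD_DEFAULT).
declare(strict_types=1);

const ADMIN_USER          = 'admin';
const ADMIN_PASSWORD_HASH = '$2y$10$PLACEHOLDER_FROM_password_hash';
// Optional allow-list for the admin area (the single-IP option the post
// proposes). Empty string disables it. 203.0.113.10 is a documentation address.
const ADMIN_ALLOWED_IP    = '203.0.113.10';

// Session cookie flags: not readable by JavaScript, HTTPS only, not sent
// cross-site. Call before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();

/** Client address. Only REMOTE_ADDR is trusted; X-Forwarded-For is client-supplied. */
function clientIp(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Escape form data for HTML output (concern 1 in the post). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Login handler: verifies credentials with a slow hash and constant-time
 * comparison, then binds the fresh session to a hash of the client IP.
 */
function adminLogin(string $user, string $password): bool
{
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($password, ADMIN_PASSWORD_HASH);
    if (!$userOk || !$passOk) {
        return false;
    }
    if (ADMIN_ALLOWED_IP !== '' && clientIp() !== ADMIN_ALLOWED_IP) {
        return false;
    }
    session_regenerate_id(true);          // new session ID: defeats fixation
    $_SESSION['admin']   = true;
    $_SESSION['ip_hash'] = hash('sha256', clientIp());
    return true;
}

/**
 * Guard for every admin page (including the upload interface). Rejects the
 * request unless the session was authenticated from this same IP.
 */
function requireAdmin(): void
{
    $bound = $_SESSION['ip_hash'] ?? '';
    $now   = hash('sha256', clientIp());
    if (empty($_SESSION['admin']) || !hash_equals($bound, $now)) {
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage on a login form POST (field names are assumptions):
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (adminLogin((string) $_POST['user'], (string) $_POST['pass'])) {
        header('Location: /admin/index.php');
        exit;
    }
    echo '<p>Login failed for ' . e((string) $_POST['user']) . '</p>';
}
```

Each admin script would call `requireAdmin()` as its first statement. The IP binding still only helps against a cookie stolen and replayed from elsewhere; the `secure`/`httponly`/`samesite` flags and regenerating the ID at login are what reduce the chance of the cookie being taken in the first place.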