Spiga

'security' category archive

Access Dropbox.com behind corporate / company firewall

May 19, 10 by Gabi Solomon

If you find yourself one morning with your Dropbox client not connecting to the server, and you trace the problem to the company/ISP (or country, if you're in China :-p) firewall, then put the kind words for them aside for a little and try the following.
Most of these firewalls block the main IP for dropbox.com, 174.36.30.70, but the alternate IP is open :D

So add this line to your hosts file (/etc/hosts on Linux and Mac OS X, C:\Windows\System32\drivers\etc\hosts on Windows):
174.36.30.71 www.dropbox.com

Hope it works for you. Keep in mind that a hosts entry pins the name to that one address, so remove it again if Dropbox moves to another IP.

How to protect your PHP applications for free?

August 25, 08 by Gabi Solomon

Did you develop a very cool application, and maybe thought about selling it?
If you did, you might have wondered: how will I protect my code?
PHP code is visible and, once it has been downloaded once, can be redistributed really easily.

Well, there are solutions for this, but most of them are not free, and if your application is not a really expensive one it doesn't make sense to pay more for the software that protects the code than the actual selling price.

Well, you are in luck, because there is a PHP class called PADL (PHP Application Distribution License System) that generates PHP application license keys.

This class can be used to generate license-style keys to control the distribution and functionality of PHP applications.

It generates license strings that can bind PHP applications to specific domains or specific servers, allow them to be executed only during a limited time period, or enforce restrictions placed in the license key by a home server.

The binding-to-server process attempts to use the server network card's MAC address. This feature was tested on Mac OS X (Darwin), Linux and Windows XP servers, although it may also work on FreeBSD, NetBSD and Solaris.

PADL also attempts to use information from the $_SERVER variable to encode the server name, server IP, server application path and server application URL into the license key. Part of the process also binds the IP address from the $_SERVER variable if found, but it also attempts to parse the server config file (the same one used to get the MAC address) for any more IPs.

The server binding can be disabled if required, and it is also possible to block keys from being generated for the localhost address (127.0.0.1).

The time limiting of the license uses a start period (with a given start offset to allow for time discrepancies) and, if required, an expiry date.

If required, when validating a key it is also possible to dial home and check the license key on your own PADL License Server; examples are given.

The PHP_OS and PHP_VERSION of the PHP the key was generated for are also encrypted into the key.

It is also possible to encrypt additional information into the license key, so you can place restrictive features in your application and create trialware or demoware.
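To show what such a key is made of, here is an added example that is not PADL's code and does not use PADL's API: a minimal license key that binds an application to a host name and a validity window (start, clock offset, expiry), records PHP_OS the way the post describes, and signs the whole thing with an HMAC so the key cannot be edited without the vendor's secret. All function names, the VENDOR_SECRET placeholder and the fallback host are assumptions made for the example. Keep in mind that a check written in plain PHP can be edited out by anyone who has the source, so a key like this deters casual copying rather than a determined attacker.

```php
<?php
// Added example (not PADL's code or API): a license key bound to a host and a
// validity window, protected by an HMAC. All names here are hypothetical.

const VENDOR_SECRET = 'replace-with-a-long-random-vendor-secret'; // placeholder

// Build a key for one host, valid from $start (minus $offset seconds of slack
// for clock differences) until $expiry. Returns a base64 string.
function license_generate(string $host, int $start, int $expiry, int $offset = 3600): string
{
    $payload = json_encode([
        'host'   => strtolower($host),
        'start'  => $start,
        'expiry' => $expiry,
        'offset' => $offset,
        'os'     => PHP_OS,   // record the platform the key was generated for
    ]);
    $mac = hash_hmac('sha256', $payload, VENDOR_SECRET);
    return base64_encode($payload . '|' . $mac);
}

// Validate a key against the current host and time. Returns null when the key
// is valid, otherwise a short reason. The HMAC is checked first, in constant time.
function license_check(string $key, string $host, int $now): ?string
{
    $raw = base64_decode($key, true);
    if ($raw === false || strrpos($raw, '|') === false) {
        return 'malformed key';
    }
    $sep     = strrpos($raw, '|');
    $payload = substr($raw, 0, $sep);
    $mac     = substr($raw, $sep + 1);
    if (!hash_equals(hash_hmac('sha256', $payload, VENDOR_SECRET), $mac)) {
        return 'signature mismatch';   // edited, or made with another secret
    }
    $lic = json_decode($payload, true);
    if (!is_array($lic)) {
        return 'malformed payload';
    }
    if ($host === '127.0.0.1' || $host === 'localhost') {
        return 'localhost keys are refused';   // mirrors PADL's optional localhost block
    }
    if (strtolower($host) !== $lic['host']) {
        return 'key is bound to another host';
    }
    if ($now < $lic['start'] - $lic['offset']) {
        return 'key not yet valid';
    }
    if ($now > $lic['expiry']) {
        return 'key expired';
    }
    return null;
}

// Usage: inside the application, the host comes from $_SERVER; the fallback is
// a constructed value so the script also runs from the command line.
$host = $_SERVER['SERVER_NAME'] ?? 'example.com';
$key  = license_generate('example.com', time(), time() + 30 * 86400);
$err  = license_check($key, $host, time());
echo $err === null ? "license ok\n" : "license rejected: $err\n";

// Changing a single character of the key alters the payload, so the HMAC no
// longer matches and the copy is rejected.
$tampered = substr_replace($key, 'A', 5, 1);
echo license_check($tampered, $host, time()) ?? 'valid', "\n";
```

Run from the command line the script prints "license ok" followed by "signature mismatch". The design choice worth noting is that every binding (host, time window, platform) lives inside the signed payload, so none of them can be relaxed by editing the key itself; the only thing the application must keep out of reach is the vendor secret.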

This class is still in development, but it is stable. A GUI is to follow.

This class received the PHP Classes Innovation Award and is ranked 98th on the same website, which is why I highly recommend it to protect your code.

Hope you like this class as well,
Cheers

How to prevent SQL Injection

June 15, 07 by Gabi Solomon

SQL injections are a common vulnerability in web-based applications that use databases.

Many web developers are unaware of how SQL queries can be tampered with, and assume that an SQL query is a trusted command. This means that SQL queries are able to bypass access controls, thereby circumventing the standard authentication and authorization checks the web application might have.
Plus, many of them think: who will hack my website? What reason would someone have to hack my website?

Direct SQL command injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, override valuable data, or even execute dangerous system-level commands on the database host. It is made possible by the application taking user input and combining it with static parameters to build a SQL query. The following examples are, unfortunately, based on true stories.

Deleting an entire table

As an example of a potential SQL injection, consider a login form asking only for a username, where the backend has code reading:

PHP:
  // Vulnerable on purpose: the raw GET parameter is pasted into the SQL text
  mysql_query('SELECT * FROM user WHERE username = "' . $_GET['username'] . '"');

A malicious hacker could attempt to enter the value ""; DELETE FROM user WHERE 1" (a closing double quote followed by a DELETE statement), which would have the effect of removing all users in the table.

SQL:
  SELECT * FROM user WHERE username = ""; DELETE FROM user WHERE 1;

Granted, this won't happen with PHP's mysql extension, as it will not execute multiple queries by default; this is just an illustration.

Resetting a password / getting more privileges

Consider this simple password changing query:

PHP:
  // Vulnerable on purpose: both GET parameters go straight into the SQL text
  $query = 'UPDATE user SET password="' . $_GET['password'] . '" WHERE id="' . $_GET['user_id'] . '"';

A user with bad intentions can use this vulnerable query to get admin privileges:

PHP:
  // $_GET['user_id'] == '" or username like \'%admin%\'; -- '
  // The resulting SQL (the trailing quote is swallowed by the -- comment):
  // UPDATE user SET password="..." WHERE id="" or username like '%admin%'; -- "

How to prevent SQL injection

You might think that the attacker must know the MySQL database structure in order to do these attacks. You are right, but there are numerous ways he could find that out: exposed mysql_error() messages, your use of an open-source script, or simple trial and error, since many web developers use the same table and field names, especially for the user tables.

Here is an example of a table-guessing injection attack:

SQL:
  -- the application's query, with $user_id pasted in unescaped
  SELECT ...  FROM TABLE WHERE id = '$user_id';
  -- what the database sees once a guessed table name is injected
  SELECT ...  FROM TABLE WHERE id = '' AND 1=(SELECT COUNT(*) FROM tabname); --';

After a few trials and errors they can find a table name ;).

In order to prevent this, the first line of defence is to build your application with security in mind. This means using some precautionary measures:

  • Never connect to the database as a super user. Limit the user you connect with to the privileges it needs and nothing more.
  • Always check that the user input is what you expected, using the simple PHP functions (e.g. is_numeric()) or even validating with regular expressions.
  • Transform any fields to the type you would expect:
    PHP:
    // Force the variable to an integer before it goes anywhere near the query
    settype($offset, 'integer');
    $query = "SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET $offset;";
    // Or let sprintf do the cast: note the %d in the format string, using %s would be meaningless
    $query = sprintf("SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;", $offset);

  • Limit the length of user inputs. Although this is not going to stop all SQL injections, it is going to limit them a little :)
  • Do not print on screen any error messages from MySQL, because they can expose the MySQL structure you might have thought the attacker doesn't know.
  • And here is an example of a "best practice" SQL query right out of the PHP manual:
    PHP:
    // Quote variable to make safe
    function quote_smart($value)
    {
        // Stripslashes
        $value = stripslashes($value);

        // Quote if not integer
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }

    // Connect
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
        OR die(mysql_error());

    // Make a safe query
    $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
        quote_smart($_POST['username']),
        quote_smart($_POST['password']));
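The precautions above can be combined in one place. The following is an added example, not code from the original post or the PHP manual: it puts the post's vulnerable UPDATE next to a hardened version that validates the id, bounds the input length, binds values with PDO prepared statements instead of the mysql_* extension (which was removed in PHP 7), and keeps driver errors in the log rather than on screen. The table and column names follow the post; the in-memory SQLite database, the sample rows and the injection string are constructed for the demonstration.

```php
<?php
// Added example (not code from the original post): the post's vulnerable
// UPDATE beside a hardened version. It uses PDO prepared statements and runs
// against an in-memory SQLite table so the behaviour can be checked without
// a MySQL server. Table and column names follow the post; the rest is constructed.

// VULNERABLE: input concatenated into the SQL text. With a user_id of
//   " or username like '%admin%'; --
// the WHERE clause is rewritten and the admin password is changed.
function vulnerable_update_sql(string $password, string $userId): string
{
    return 'UPDATE user SET password="' . $password . '" WHERE id="' . $userId . '"';
}

// Step 1: check the input is what you expect, rather than letting settype()
// silently turn garbage into 0.
function validate_user_id($userId): int
{
    if (!ctype_digit((string) $userId) || (int) $userId < 1) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    return (int) $userId;
}

// Steps 2-3: bound the input length, then bind the values instead of
// interpolating them, so the database never parses them as SQL.
function safe_update_password(PDO $db, string $newPassword, $userId): int
{
    if (strlen($newPassword) > 128) {
        throw new InvalidArgumentException('password too long');
    }
    $id   = validate_user_id($userId);
    $stmt = $db->prepare('UPDATE user SET password = :pw WHERE id = :id');
    $stmt->bindValue(':pw', password_hash($newPassword, PASSWORD_DEFAULT), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // 1 when the row existed, 0 otherwise
}

// Step 4: exceptions instead of printed driver errors. In production connect
// with a least-privilege account; here the DSN is an in-memory SQLite database
// seeded with two constructed rows.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO user VALUES (1, 'admin', 'secret'), (2, 'bob', 'pw')");
    return $db;
}

$evil = '" or username like \'%admin%\'; -- ';
echo vulnerable_update_sql('x', $evil), "\n";   // shows the rewritten WHERE clause

try {
    $db = open_demo_db();
    echo 'rows updated for id 2: ', safe_update_password($db, 'new-pw', '2'), "\n";   // 1
    safe_update_password($db, 'x', $evil);   // refused before any SQL is built
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
} catch (PDOException $e) {
    error_log('database error: ' . $e->getMessage());   // detail goes to the log only
    echo "a database error occurred\n";
}
```

The point of the hardened path is that the id never becomes part of the SQL text at all: it is rejected if it is not a positive integer, and when it is, it travels to the database as a bound parameter. Even if the validation were skipped, a bound parameter is sent as a value, so the string above would simply match no row instead of rewriting the query.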

Hope this is helpful and you were able to learn to protect your web application against SQL injection attacks.