Kurinchi Blogger Scribbles …


Archive for the ‘Security’ Category

Jul 09
2009

PHP Image Upload and Security

Last updated: July 9th, 2009

Steps to take care of when using PHP to upload images or documents:

i) use the is_uploaded_file() function to check that the file really was uploaded via HTTP POST before moving it from its temporary location

ii) sanitize the name of the file before moving it from the temporary location with the ‘mv’ system command (use escapeshellarg and escapeshellcmd as needed)

iii) chmod the file to 644 if needed

iv) initialize the source directory (where the file is moved from) and the destination directory beforehand, so that users cannot alter the path where the files are stored
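The four steps put together as an added example (this is not code from the original post): an upload handler for a form field assumed to be named userfile, with an assumed destination directory of /var/www/uploads. The sanitize_filename and handle_upload helpers are hypothetical names chosen for this illustration.

```php
<?php
// Added example, not from the original post. Field name, destination path and
// helper names are assumptions for illustration.

// Step iv: the destination is a fixed constant, never taken from the request,
// so a user cannot redirect where the file ends up. The source directory is
// PHP's own upload_tmp_dir, which is server configuration, not request data.
define('UPLOAD_DEST_DIR', '/var/www/uploads');   // assumed path

// Reduce a client-supplied file name to a safe basename: drop any directory
// component, keep only [A-Za-z0-9._-], and refuse empty or dot-only results.
function sanitize_filename(string $name): string {
    $base = basename($name);
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    $base = ltrim($base, '.');                   // no hidden files, no ".."
    if ($base === '') {
        $base = 'upload';
    }
    return $base;
}

function handle_upload(string $field): string {
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no valid upload in field ' . $field);
    }
    $tmp = $_FILES[$field]['tmp_name'];

    // Step i: only touch files that PHP itself placed in the temporary location.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // Step ii: sanitize the client-supplied name before it reaches a command.
    $safe = sanitize_filename($_FILES[$field]['name']);
    $dest = UPLOAD_DEST_DIR . '/' . $safe;

    // The post moves the file with the 'mv' command; each path is wrapped in
    // escapeshellarg so the shell sees it as one argument, not as syntax.
    $cmd = 'mv ' . escapeshellarg($tmp) . ' ' . escapeshellarg($dest);
    system($cmd, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('move failed with status ' . $rc);
    }
    // Equivalent without a shell at all: move_uploaded_file($tmp, $dest);

    // Step iii: owner read/write, everyone else read-only; never executable.
    chmod($dest, 0644);
    return $dest;
}

if (php_sapi_name() !== 'cli') {
    header('Content-Type: text/plain');
    echo 'stored as ', basename(handle_upload('userfile')), "\n";
}
```

The mv call is kept because that is how the post moves the file; move_uploaded_file() does the same job without involving a shell, which removes the need for escaping altogether.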

Jun 18
2009

Cross site scripting Attack – XSS

Last updated: July 27th, 2009

Cross-Site Scripting (XSS) is a code injection method whereby a malicious user injects code (HTML, JavaScript) that is then executed from the site in the user’s browser. When Google finds this, it shows a warning message in its search results when users search for a term for which your site is indexed. This can harm your user base.

XSS attacks are classified as
- Persistent attacks
- Non-persistent attacks
(more…)

May 20
2009

PHP Register Globals and Security Vulnerability

Last updated: May 21st, 2009

The register_globals directive is turned OFF by default from PHP version 4.2.

PHP Global Variables
Environment, GET, POST, Server and Cookie variables are known as global variables.

When the register_globals directive is turned ON (as most ISPs had it), you can access/set the global variables as $username, $password instead of $_POST["username"], $_POST["password"].
(more…)

May 19
2009

PHP: escapeshellcmd, escapeshellarg

Last updated: May 21st, 2009

escapeshellcmd and escapeshellarg are two functions used to escape the shell metacharacters present in a system command or in the arguments passed to it, respectively. Before a string is passed to system or exec, it is escaped with one of these functions.

Sample program to demonstrate the usage:

<?php

// shell command: escapeshellcmd neutralizes metacharacters in the whole command string
$mycmd = "ls -al";
$returncmd = escapeshellcmd($mycmd);
system($returncmd);

// shell argument: escapeshellarg quotes a single argument so it is passed as data
$myshellargs = "al";
system("ls -" . escapeshellarg($myshellargs));
?>

May 17
2009

PHP XSS: htmlspecialchars vs. htmlentities

Last updated: May 18th, 2009

Cross site scripting (XSS) is a term that refers to attacks on, or loopholes in, the scripting used by websites, which hackers exploit as a path towards identity theft or phishing.

In PHP, two functions are mainly used to prevent XSS attacks.
i) htmlspecialchars
ii) htmlentities
(more…)
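An added example, not from the original post, showing the two functions side by side on the same constructed input and a small output-escaping helper (the helper name h is an assumption):

```php
<?php
// Added example, not from the original post: an output-escaping helper for
// untrusted text placed into HTML, plus a comparison of the two functions.

// Escape a string for safe placement in HTML text or a quoted attribute.
// ENT_QUOTES covers both ' and "; the charset must match the page's encoding.
function h(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: markup characters plus a non-ASCII letter.
$sample = '<b class="x">Café & "co"</b>';

// htmlspecialchars converts only & < > " ' ; the é is left as-is.
echo h($sample), "\n";

// htmlentities additionally converts every character that has a named
// entity, so é becomes &eacute;. Either way the markup is no longer parsed.
echo htmlentities($sample, ENT_QUOTES, 'UTF-8'), "\n";

// Typical use inside a template, escaping at the point of output:
echo '<p>', h($_GET['q'] ?? ''), '</p>', "\n";
```

For a UTF-8 site htmlspecialchars is sufficient; htmlentities only matters when the page is served in an encoding that cannot represent the characters directly.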

May 14
2009

PHP Security: Hiding Program Extensions

Last updated: May 21st, 2009

Obfuscating the scripting language extension in PHP is one technique that is effective, to a certain extent, in delaying the unscrupulous act of an active hacker. Following are a few simple techniques for hiding program extensions.

i) Hiding program extension using .htaccess
ii) Hiding program extension using php.ini
iii) Hiding program extension using apache directive configuration
(more…)

Apr 14
2009

MD5 CheckSum, SHA1 CheckSum, PGP Verification

Last updated: May 13th, 2009

To ensure that files downloaded from a site have been saved in their entirety, and to give the added assurance that no intruder has modified their content, source providers use techniques such as MD5 checksums, SHA1 checksums and PGP verification. To explain how MD5 checksum, SHA1 checksum or PGP verification of files works, I will walk through the steps using a copy of the OpenSSL program. (more…)

Apr 13
2009

Free Cryptography Tools

Last updated: April 13th, 2009

Following is a list of tools that can be used for various purposes in Linux and Windows environments and are available FREE of cost for download. This is the first compilation and will continue to grow as time progresses. (more…)

Apr 12
2009

Cryptography – Being Secured

Last updated: April 13th, 2009

What is cryptography?
Cryptography is the practice and study of hiding information. In modern times cryptography is considered a branch of both mathematics and computer science and is affiliated closely with information theory, computer security and engineering. – from Wikipedia. (more…)

