Tag Archive 'Security Issues'

Where PHP Security Issues Begin

The PHP scripting language can operate as a CGI application or a compatible server-side module. In both instances, PHP is very capable of accessing almost every area of the web hosting server; this includes system files, all interfaces of the network and much more. In order to halt the savage intent of an internet hacker, a web developer must stay aware of anything and everything that could possibly go wrong during the program design. Though this is a task not to be envied, it is one a quality web host needs to endure in order to offer a reliable service.

Realizing the weakness of a server’s components goes a long way in providing solid security. This applies to every attractive feature a host offers, from domain names down to the web language.

Many security issues in PHP and many web applications stem from inaccurate input from users, whether intentional or by accident. Scripts like PHP give commands to a web page in several ways. If this information is entered incorrectly or with deception in mind, there is a great chance that the script will behave in a negative manner and cause damage to the server.

The worst part about PHP is its open-source nature. This script is used globally, often modified by developers then passed along to another individual. With this many sources handling the script, there is no absolute way to ensure that the variables of PHP contain legitimate data that will not corrupt a system. A web host needs to accept the realization that many important variables cannot be trusted.

The PHP language has been known to carry a number of security deficiencies through many stages of its development. Versions of PHP3 and PHP4 were vulnerable because of frequent attacks in command strings. This typically occurred in a user’s login screen where their information was a prime target for hackers with remote control access to PHP servers running that particular code. 

Uploading your files can also pose a security threat when PHP is involved. This is because the language may have the same file name as the input tag submitted in a web-based form. In this instance, the PHP script creates the file in a temporary directory and then stores data from the upload there. A problem arises when the file is checked for validation. An experienced web hacker can create their own upload form by submitting a totally different file. They can then process the user’s file which on many occasions will contain sensitive data. Your PHP scripts should have the ability to decipher whether or not the file name for the upload checks out as a valid path to the temporary file. 
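The check described above, written as an added example (not code from the original article): the handler reads only from `$_FILES` and confirms with `is_uploaded_file()` that the temporary path really came from an HTTP upload before storing it. The field name `userfile`, the function `store_upload()` and the destination `/var/www/uploads` are assumptions chosen for illustration.

```php
<?php
// Added example: validate an upload before touching the file.
// Assumed names: form field "userfile", destination /var/www/uploads.

function store_upload(array $files, string $field, string $destDir): string
{
    // Read only from $_FILES; never from a request variable that merely
    // shares the field's name and could carry an arbitrary server path.
    if (!isset($files[$field]) || !is_array($files[$field])) {
        throw new RuntimeException('No upload received for this field.');
    }
    $upload = $files[$field];

    // Reject array-style uploads (name="userfile[]") and failed transfers.
    if (!isset($upload['error']) || is_array($upload['error'])
        || $upload['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed.');
    }

    // The core check: tmp_name must be a file PHP itself created for this
    // HTTP POST upload, not some other file already on the server.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a genuine uploaded file.');
    }

    // Never reuse the client-supplied name as a path; generate one.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';

    // move_uploaded_file() performs the same validity check itself and
    // refuses to move anything that is not an uploaded file.
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the uploaded file.');
    }
    return $target;
}

// Usage inside the form handler (runs only for a web POST request).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        store_upload($_FILES, 'userfile', '/var/www/uploads');
        echo 'Stored upload.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected.';
    }
}
```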

Earlier we mentioned that a quality web host should operate on servers with the most updated PHP scripts; this section explains why.


The Issue of PHP Security

Tight security needs to be applied in every area of web hosting. Hackers can come at you from many different angles, starting with the scripts used to create your web pages. 

Over the years, PHP has established a strong presence on the internet. Its capability as one of the first server-side scripting languages has been embraced by most web hosting platforms and PHP continues to grow. At the same time, this popular language has come under attack by many online hackers. Even though PHP was designed to be a secure script, users must be totally aware of the vulnerability that comes along with it. The sole purpose of this next section is to provide you with factual details of the many security-related issues that the PHP language is susceptible to.

There are a number of things that lead to corruption and the violation of PHP scripts. These issues have the power to ultimately damage the server your website is running on and the operating system as well. Keep in mind that this advice is meant to reduce the risk of security issues that relate to the PHP language. While you may find these methods of resolution helpful, they should not be used as the only means of protecting your content. 

PHP was designed to be a web language that makes scripting web pages an easy task. Novice programmers will find an abundance of tutorials that teach the aspects of PHP. With a little research, users have the ability to create web applications in no time. The bad part of this is that many of these tutorials and training articles fail to stress the security measures that need to be applied to PHP. They will give the basics, which more often than not lead users to create web pages that are full of database errors and several other security defects.

Since PHP thrives on being an open-source, easy-to-use language, programmers have made things worse by adding features that initiate security problems on many levels. One of the worst additions of all is the “register_globals” feature. This will automatically execute a PHP script from a CGI variable that is passed in POST or GET. This makes it a bit easier for developers to access these values but also grants permission to experienced hackers. A hacker will then have the power to adjust the value for variables in that PHP script. The dynamics of PHP do not call for variables to be initialized in order to be used, a feature that many applications rely on. When the register_globals command comes into play, it makes PHP much easier to control by intruders.

For the most part, the register_globals command has been disabled in the updated versions of PHP. On the other hand, many of today’s frequently used web applications still depend on it. A few web hosts have enabled the feature by the popular demand of their customers. 
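The uninitialized-variable problem described above, as an added example (not code from the original article). Because updated PHP versions no longer offer the setting, `extract()` stands in for it here, since it likewise turns request parameters into plain variables; the request array, the credentials and all function names are constructed for illustration.

```php
<?php
// Added example. register_globals is simulated with extract().
// Constructed request: the query string carries an extra "authorized=1".
$request = ['user' => 'guest', 'pass' => 'wrong', 'authorized' => '1'];

// Stand-in credential check (assumption); a real application would
// verify a stored password hash instead of comparing literals.
function check_login(string $user, string $pass): bool
{
    return hash_equals('admin', $user) && hash_equals('s3cret-example', $pass);
}

// Weak: relies on $authorized being unset unless the login succeeds.
function is_authorized_weak(array $request): bool
{
    extract($request);            // what register_globals did implicitly
    if (check_login($user ?? '', $pass ?? '')) {
        $authorized = true;
    }
    // The flag was never initialised, so a request-supplied value
    // named "authorized" is still in scope at this point.
    return !empty($authorized);
}

// Hardened: initialise the flag and read input only from the named array.
function is_authorized_hardened(array $request): bool
{
    $authorized = false;
    $user = is_string($request['user'] ?? null) ? $request['user'] : '';
    $pass = is_string($request['pass'] ?? null) ? $request['pass'] : '';
    if (check_login($user, $pass)) {
        $authorized = true;
    }
    return $authorized;
}

// Same request, both versions: only the weak one is influenced by the
// extra parameter.
var_dump(is_authorized_weak($request));
var_dump(is_authorized_hardened($request));
```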

Many efforts have been made to improve the quality of PHP scripts, indicating that security issues do exist. A few of the original PHP developers have taken the liberty of blaming the free-roaming users while refusing to accept the flaws that came along with the script and its evolution.


Security Issues in MySQL

Web hosting companies maintaining a MySQL database certainly understand the importance of tight security. Content stored in your database needs to be secure at all times, and kept away from the eyes of hackers. Security problems in MySQL can flaw a web server in numerous ways; here are the two major categories in which they are grouped: File System risks and Network risks.

File System Risks 

Information on a MySQL database is stored in several files and directories. This system also keeps track of log files that detail information concerning queries that users issue. Since these files and directories are components of the file system, they must be secured in order to prevent other users on web hosting servers from gaining access to the account.

Installation of a MySQL database contains applications and scripts that are used to access and control the databases. Users need to have the ability to run these applications but should not be able to edit or delete them as this is a task more suited for an experienced web designer. This means that the programs for MySQL must be configured and protected accordingly as well. 

Network Risks

A MySQL database will provide a user access to other databases by allowing them to conduct activities such as connecting and making requests. Since the database contains information about user accounts, each one should be configured to only grant privileges to the specific account that needs to be viewed or modified. A web host should also assign a username and password to the MySQL database to prevent unauthorized users from accessing someone else’s account.

We have compiled a list of defects within a MySQL database that may raise many security issues:

  • All files and directories do not have ownership configured to MySQL
  • Files and directories are not configured to be hidden from users. This gives direct access to third-party intruders
  • The MySQL database isn’t properly configured to run as a user’s main account
  • MySQL is being run as a system root user. This will grant root privileges to a user and give them much greater access to sensitive files of the server

Most of the security issues that relate to a MySQL database are the result of poor programming. This is all the more reason to reside with a reliable web host that has documented proof of satisfied customers.


Security Issues in Free Web Hosting

Websites being run on free servers are a prime target for hackers. The security issues that are now common with this type of hosting platform are one of the main reasons that many individuals choose to stay away. A large number of hackers use these servers as a way to distribute the MMC (Mobile Malicious Code) and infectious forms of spyware that are designed to falter the performance of an operating system and steal personal information. A free web host unknowingly allows them to commit these internet crimes in affordable fashion while remaining anonymous at the same time.

Starting from the beginning of 2005, Websense Security Labs has reported well over 2,500 cases of free websites that distributed MMC, Trojans and spyware. More than 500 websites were created on free hosting platforms to spread spyware and malware in July of 2005 alone.

Since then, this trend has adapted to other forms of free web hosting. A few of the services used in this game of manipulation include blogs, community forums, photo sharing websites, fan pages, social networks such as Myspace and many more.

It is believed that many of these free websites implement a form of automated software intended for shared hackers. Others are well designed and appear to be legitimate at first glance. They may have a delightful tune playing in the background with a few interesting pages to surf through. At the same time, this site is downloading viruses and spyware to keep an eye on your every movement.

Most of these fraudulent websites do not have a lengthy life span, usually no longer than a week. While this is good news for the web host they may have tarnished, it also makes them nearly impossible to trace. More than likely the hacker will move onto another free host and start the process all over again.

Many of the security issues that come along with a free hosting platform cannot be avoided. These servers are shared, which makes it easy for a hacker to find your site and lure you into a trap. Similar to the lack of support, free web hosts cannot afford to implement quality security measures if they want to stay alive. Once again, the best advice for free hosting is to say NO!


Windows Security

One of the biggest deficiencies of Unix web hosting is the threat of a hostile system takeover by hackers. While Windows users typically do not have this issue to worry about, there are other areas of concern that can spoil the experience; one such problem is a DOS (denial of service) attack. This usually occurs as the result of an infinite loop sequence that causes the system to freeze up and eventually crash. Microsoft’s solution to DOS attacks has been included in service pack updates for the Windows operating system. These software upgrades resolve the issue by running the loop for up to 60 seconds in which attempts are made to adjust it. When a loop cannot be resolved, Windows will cancel it out and proceed to function regularly.

One of Windows’ biggest security weaknesses has been tied closely to the vulnerability in NetBIOS operating over TCP. Common activities such as file and print services can be accessed by online intruders by combining NetBIOS with TCP. To prevent this intrusive act, users can disable NetBIOS where it is visible online.

In the previous chapter we briefly touched on the experience difference between Windows and Linux. Already known as the world’s most popular operating system, Windows is rapidly evolving in the area of web hosting. This very fact is a major reason why security has been such an issue. Since source codes are not openly available like they are with Linux and Unix, Windows is able to frequently update its system to elude severe consequences caused by malicious hackers.

Windows and Remote Control Dependency

It’s been said that the Windows operating system depends too much on the Remote Procedure Call. RPC is what transmits a message over a network and instructs another application. This line of communication has no limits in regard to machine, operating system or time zone.

The extensive capability of RPC is what makes it a security liability for Windows. These controls are designed to allow users to send commands to the computers of others. When errors are found within an RPC application, roaming web hackers may be able to benefit from the flaw and devise a way to control someone else’s computer. Users do not have the ability to disable RPC because the Windows operating system literally relies on it, even when the internet is not connected.

RPC-based platforms are known to be the first victims of the infamous Slammer worm. This unsuspecting infection sabotaged so many systems in such a short amount of time that the entire internet was shaken up.

The Slammer worm began its reign of terror by exposing two weaknesses found in the SQL database. The first one enabled users to run two instances of the database on one machine. To make things simple, there should be no reason to run multiple versions of a major system on one computer. If anything, there will be file fragments left all over the place along with other disk space issues.

Windows’ solution to this problem was to create RPC components to manage requests for data. This connected numerous users all operating on SQL servers and literally placed them as sitting ducks. The Slammer worm eventually stumbled upon numerous computers that were open for an easy attack. This was all the result of a feature enabled by the SQL database.

Network Capability

Aside from memory shortages and gaps in security, Windows makes for a very reliable web hosting platform. Its servers run protocols such as AppleTalk, DLC, IPX and NetBEUI IP. It also supports connections like Ethernet, Token Ring and Frame Relay. If more than one network card is installed on the system, the Windows server can then act as a router.

Windows uses Remote Access Service to accommodate inbound dial-up connections. This gives users the ability to dial up on the network through ISDN or PPP by using a LAN password and user ID. When the user has been granted authority, they then not only have access to the designated server, but the entire network as well. This is an affordable way for users to surf the web without having to purchase expensive modems and other network devices. 

One of the biggest disadvantages of Windows networking is the need to restart the system whenever significant modifications have been made. This is the case when a new protocol is added and DNS servers are changed. While this may not be an issue for some users, those running a 24-hour business will certainly think otherwise.

