IntegraMod's Security


PostAuthor: adbasque » Tue Aug 29, 2006 10:56 pm

Hello everybody

I am here today to ask if you could suggest which package you think I should download and install.

I had the previous package, IntegraMOD140, for almost a year. I worked very hard on that website, and yesterday I found out that the site was hacked and the DB was destroyed; everything was wiped out.

Now, is IntegraMod vulnerable? I never had this before.
The classic method they used to hack into my website: SQL injection.

Let me give you some examples, if I may.

For instance, instead of using something like this (in Java):

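// Vulnerable: userName is concatenated straight into the SQL text
Connection con = getConnection(); // placeholder: obtain a Connection from your driver or pool
Statement stmt = con.createStatement();
ResultSet rset = stmt.executeQuery("SELECT * FROM users WHERE name = '" + userName + "';");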


it would be wiser to use something like this (Java):

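// Parameterized: the SQL text is fixed and userName is bound as a value
Connection con = getConnection(); // placeholder: obtain a Connection from your driver or pool
PreparedStatement pstmt = con.prepareStatement("SELECT * FROM users WHERE name = ?");
pstmt.setString(1, userName);
ResultSet rset = pstmt.executeQuery();

(in PHP)

// Assuming $sql is a PDO connection; execute() takes an array of bound values
$query = $sql->prepare("select * from users where name = ?");
$query->execute(array($user_name));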


Because using the "" + can give the hacker the name of a table, i.e. user.table etc., and the hacker could extract a lot more information, and finally they can access and inject the DB and create something

like (remember these are just examples):

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

They can use almost any character to extract data.

Just a thought. So please, which of the packages would you suggest I should install, one that you guys think is safe enough?

Thank you all for the good work (nobody and nothing is 100% safe).

adbasque
Newbie
Posts: 23
Joined: Thu May 18, 2006 9:01 am
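
Added example, not part of adbasque's post or IntegraMOD's code: the concatenated and parameterized queries from the post above, run in Python against an in-memory SQLite database with the post's own sample input. The table contents, the function names and the use of `executescript()` to stand in for a driver that accepts stacked statements are assumptions made for this illustration.

```python
import sqlite3

# The sample input from the post above, used verbatim as the userName value.
PAGE_INPUT = "a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%"

def fresh_db():
    """Constructed test database; the rows are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (name TEXT);
        CREATE TABLE data  (name TEXT);
        INSERT INTO users VALUES ('alice'), ('O''Brien');
        INSERT INTO data  VALUES ('x');
    """)
    return con

def table_exists(con, table):
    rows = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchall()
    return bool(rows)

def lookup_concatenated(con, user_name):
    # Vulnerable pattern from the post: the input becomes part of the SQL text.
    sql = "SELECT * FROM users WHERE name = '" + user_name + "';"
    # sqlite3's execute() refuses more than one statement, so executescript()
    # stands in here for a driver that accepts stacked statements.
    con.executescript(sql)
    return sql

def lookup_parameterized(con, user_name):
    # Hardened pattern: the SQL text is fixed and the input is bound as data.
    cur = con.execute("SELECT * FROM users WHERE name = ?", (user_name,))
    return cur.fetchall()

def demo():
    con = fresh_db()
    safe_rows = lookup_parameterized(con, PAGE_INPUT)  # treated as a name: no match
    still_there = table_exists(con, "users")           # nothing was dropped
    quoted = lookup_parameterized(con, "O'Brien")      # an apostrophe is just data
    lookup_concatenated(con, PAGE_INPUT)               # the input rewrites the query
    dropped = not table_exists(con, "users")
    con.close()
    return safe_rows, still_there, quoted, dropped

if __name__ == "__main__":
    print(demo())
```

The concatenated form also fails on the legitimate name `O'Brien`, because the apostrophe ends the string literal early and leaves invalid SQL behind.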

PostAuthor: Michaelo » Wed Aug 30, 2006 9:08 am

We use
Code:
$sql = 'SELECT * FROM ' . USER_TABLE .


The USER_TABLE (defined elsewhere) starts off with the table prefix and I know we currently use phpbb_ but it is at least possible for individuals to alter the prefix so no one could possibly know it...

This can avoid injection as you need to know the table name to do anything...
Kiss Portal Engine phpbbireland (status: Released)
Michaelo
Administrator
Posts: 1646
Joined: Sat Mar 11, 2006 6:14 pm
Location: Dublin, Ireland

PostAuthor: BMD » Mon Sep 04, 2006 4:03 pm

Michaelo wrote: We use

The USER_TABLE (defined elsewhere) starts off with the table prefix and I know we currently use phpbb_ but it is at least possible for individuals to alter the prefix so no one could possibly know it...

This can avoid injection as you need to know the table name to do anything...


I would ALWAYS recommend straying from the obvious prefix in the install... don't use phpBB_, IM_, Forum_, etc.

Make it something unrelated to forums in general.

I still recommend IM140 with phpBB 2.0.21 and security 1.0.3.
Go with a fresh clean install, with the new security patches.

I had my entire site backed up, including my database. I did the fresh install, redirected my forum to point at the old database... reinstalled a few custom mods I wrote and was back in business in 48 hours....

I also swapped out the text copyright in the overall footers for image links, to cut the search the raiders had used.

One thing to remember.... nothing is safe, or impossible.....
If someone wants to crack software bad enough they will eventually find a way.

BMD
Members
Posts: 84
Joined: Thu Aug 24, 2006 5:12 am

