Blue Magic Forum (BMForum) is a forum written in PHP and widely used in China. Because of code defects in its user registration module, an attacker can escalate an ordinary user account to administrator. Let's look at an intrusion example.
Intrusion examples
Suppose a malicious user knows about the vulnerability.
The first step is a signature string for finding vulnerable sites. On closer inspection, most websites running this forum code carry the distinctive footer text "Powered by BMForum Plus !". Using that string as a keyword, it can be searched for on Baidu, Google and other search engines, and countless targets turn up.
Tip: the more precise the signature string, the easier it is to find forums of this type.
Having picked a vulnerable forum (we will not go into the root cause in detail), the core defect is lax filtering: by forging a "|" separator in the input, the program reads the user level as that of an administrator. Click "Register" to open the registration page and, in the email field, enter test@test.com | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |; once registration passes validation, the newly registered user is an administrator. The step is trivial, and an administrator's permissions are huge, so the danger can be imagined.
Open "Management Center" and the administration page appears. Here a malicious user can do a great deal, such as uploading files to plant a WebShell; the upload form itself can be constructed directly by the user. Imagine how the site owner would feel knowing that his website could be abused like this.
In fact, looking at the forum vulnerabilities rampant on the Internet, similar problems can exist whether the forum is written in ASP, JSP or PHP. So what effective measures can we take?
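To show the defect class from the defender's side, here is an added example that is not BMForum's code. It assumes, hypothetically, that each user is stored as one "|"-separated record with the level in the third field, and contrasts an unvalidated record writer with one that refuses the delimiter.

```php
<?php
// Added example, not BMForum's code. Hypothetical record layout: name|email|level,
// where the level is what the forum later reads to decide whether a user is an administrator.

// Vulnerable pattern: fields are joined unvalidated, so a "|" inside the email shifts every
// field after it, and the value the attacker placed there is read back as the level.
function build_record_unsafe(string $name, string $email, int $level): string {
    return implode('|', [$name, $email, $level]);
}

// Hardened pattern: validate the address as an address, then refuse the record delimiter
// (and line breaks) in every user-controlled field. Note that RFC 5322 permits "|" in the
// local part of an address, so the delimiter check is what actually protects the format.
function build_record_safe(string $name, string $email, int $level): string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid email address');
    }
    foreach ([$name, $email] as $field) {
        if (strpbrk($field, "|\r\n") !== false) {
            throw new InvalidArgumentException('field contains a record delimiter');
        }
    }
    return implode('|', [$name, $email, $level]);
}

// What the forum would read back as the user level.
function read_level(string $record): int {
    return (int) explode('|', $record)[2];
}

// Constructed inputs: the shape of the page's payload and an ordinary address; the server assigns level 5.
$payload = 'test@test.com|0|0|0';
$normal  = 'user@example.com';

// Unsafe writer: the level read back is the attacker's value, not the one the server assigned.
echo 'unsafe, payload: level ', read_level(build_record_unsafe('alice', $payload, 5)), "\n";
echo 'unsafe, normal:  level ', read_level(build_record_unsafe('alice', $normal, 5)), "\n";

// Safe writer: the payload is refused before it reaches storage; a normal address is unaffected.
try {
    build_record_safe('alice', $payload, 5);
} catch (InvalidArgumentException $e) {
    echo 'safe, payload: rejected (', $e->getMessage(), ")\n";
}
echo 'safe, normal:  level ', read_level(build_record_safe('alice', $normal, 5)), "\n";
```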
Preventive Measures
1. Pay close attention to official patches
Many webmasters who deploy ASP, PHP and similar code have a bad habit: once they have installed someone else's code, they assume everything is fine. In fact this is a serious hidden danger, because the code was written by others and only they know how secure it is. One day, when an emergency notice from the developers suddenly arrives concerning our own forum, we may feel betrayed as well as surprised. Code security can therefore be approached from the following two angles.
Take the Blue Magic Forum in this article as an example: log on to its official site http://www.bmforum.com and find the patch-related sections, such as http://www.bmforum.com/bmb/forums.php?forumid=4, and check the forum for the latest patch. This is being responsible both to yourself and to your users. Generally, the more popular a forum's code is, the greater the chance it will be attacked. As everyone knows, patches for the Dvbbs forum come out almost as often as Microsoft's. If you are running a Dvbbs forum, you must keep an eye on its latest security news, through the Dvbbs forum itself, security magazines, security websites and so on, so that you learn of a problem as quickly as possible and prevent and fix vulnerabilities in time.
Besides official patches, if you understand the issue well enough you can fix it directly. The following code uses a regular expression to detect the string "javascript" and break it up, which effectively defeats this cross-site scripting attack. The modified code looks like this:
if ($allow['pic']) {
    // rewrite [img]...[/img] tags through cvpic(); the /e modifier evaluates the replacement as PHP code and was removed in PHP 7
    $message = preg_replace("/\[img\](.+?)\[\/img\]/eis", "cvpic('\\1')", $message);
    // split the word "javascript" so it can no longer act as a URL scheme in posted content
    $message = preg_replace("/javascript/i", "java script", $message);
} else {
2. Read and understand the code
Nowadays many forums install themselves almost automatically, and many users never bother to look at how the code implements its functions: they simply click "Next" or upload the code straight to the server. This is a bad habit. It is not enough to know that something works; you also need to know why. Only by carefully reading and understanding the code can you really find the problems.
For example, database security in web applications is a serious issue. Many code authors are aware of such problems and carefully patch what they believe is problematic. Commonly, however, they either fail to cover every suspicious location, or the remedy itself is logically wrong. To a patient and perceptive attacker, a remedy of this kind is in substance no different from no remedy at all.
There are three common kinds of input variable: numbers, strings and sets. For numeric input it is enough to call a numeric check function; as you can see in the code, almost all the variables checked this way are handled correctly. String inputs are wrapped in single quotes when they are inserted into the generated SQL statement, so as long as each single quote is doubled, the injection condition is broken and there is no problem. A set of strings can be handled the same way. A set of numbers is a little more troublesome: at the very least, digits, commas, spaces and a few other symbols must be allowed to appear in the input, so the filtering rule looks more complicated.
A typical approach is to strip single quotes from every input variable, or to replace each single quote with two single quotes, which is valid SQL. For example:
Id = Replace(Request.QueryString("id"), "'", "")
This approach is likely to be wrong, because SQL injection is not always triggered by the single quote; it is a broader problem, and no single character is the cause. The key to a working injection is closing the preceding SQL query, which usually means closing its preceding condition so that new conditions can be introduced in the same statement. A remedy ought to be enough to break the injection condition, but given how complex that is, it is better to strictly limit the kinds of characters that may be entered. This requires more care in the actual code: before using data submitted by the other party, first draw up a list of every character that party could possibly enter, then review the type expected at each input branch. This is a basic precaution that every user of such code should understand.
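The allow-list rule described above, as an added example that is not the forum's code: the three input classes the text distinguishes are enforced on the raw request values, and strings are bound as parameters instead of having their quotes doubled. It assumes PDO with the sqlite driver and an 80-character title limit.

```php
<?php
// Added example, not the forum's code. Each input class is checked against an allow-list
// of what it may contain; the string is kept out of the SQL text entirely by binding it.
// Assumes PDO with the sqlite driver; the table and rows below are constructed.

// Numbers: the whole value must be digits (optional sign), nothing else.
function require_int(string $raw): int {
    if (preg_match('/^-?\d{1,10}$/', $raw) !== 1) {
        throw new InvalidArgumentException("not an integer: $raw");
    }
    return (int) $raw;
}

// Sets of numbers: digits separated by commas, with optional spaces, e.g. "3, 17,42".
// Anchoring the whole value means a quote, parenthesis or keyword can never slip in.
function require_int_set(string $raw): array {
    if (preg_match('/^\s*\d+(\s*,\s*\d+)*\s*$/', $raw) !== 1) {
        throw new InvalidArgumentException("not a list of integers: $raw");
    }
    return array_map('intval', preg_split('/\s*,\s*/', trim($raw)));
}

// Strings: limited in length (assumed limit) and passed as a bound parameter.
function find_posts(PDO $db, string $rawAuthor, string $rawTitle, string $rawForums): array {
    $author = require_int($rawAuthor);
    $forums = require_int_set($rawForums);
    if (strlen($rawTitle) > 80) {
        throw new InvalidArgumentException('title too long');
    }
    $marks = implode(',', array_fill(0, count($forums), '?'));
    $stmt = $db->prepare(
        "SELECT id, title FROM posts WHERE author_id = ? AND title = ? AND forum_id IN ($marks)"
    );
    $stmt->execute(array_merge([$author, $rawTitle], $forums));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER, author_id INTEGER, forum_id INTEGER, title TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 7, 4, 'patch notes'), (2, 7, 9, 'patch notes'), (3, 8, 4, 'hello')");

print_r(find_posts($db, '7', 'patch notes', '4, 9'));   // well-formed request
print_r(find_posts($db, '7', "it's fine", '4'));        // a quote in a bound string is harmless
foreach (["4, 9'", '4 9', '4;9'] as $bad) {             // malformed number sets are refused outright
    try { require_int_set($bad); } catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
}
```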
3. Check website security logs and backdoor files
Intruders usually leave some trace behind, so let's look for it. The Blue Magic Forum has a "Security log" section that records login information. Even if attackers clear it, a record like "Cleared the forum security log" remains. A smart administrator should be able to spot signs of intrusion rather than stay in the dark. Our analysis also found that this version of the forum records which users entered the administrator interface within the last 24 hours.
Patching does not mean the problem is solved. The attacker may already have uploaded web Trojans or changed system settings, so the modified content must be checked. For example, a recent variable-handling error in another forum product led to an upload vulnerability: because "asp " (with a trailing space) is not equal to "asp", the check is bypassed, yet Windows strips trailing spaces when it saves a file, so an uploaded "asp " (with a space) file becomes an "asp" file. In such cases you must carefully check whether files with extensions such as asp, asa, cdx, cer or aspx exist in the storage directory of each upload. If such files are present, a Trojan has been uploaded. If you are not sure, delete all ASP files and download the official files again to overwrite them.
This also reminds us indirectly that important personal details must be protected when filling in forum registration information. If attackers obtain such data, such as a birthday or the answer to a password-reset question, they can easily take over the user's email account: an email address is cracked with the user information obtained from the forum, the password is reset, and the user's mail is completely under the attacker's control.
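The upload-directory check described above, as an added example that is not part of the forum: it lists files whose extension, once the trailing spaces and dots that Windows discards on save are stripped, is one of the server-side script types the text names (plus php, since this forum is PHP). The upload tree it scans is constructed in a temporary directory.

```php
<?php
// Added example, not BMForum's code. Reports files under an upload directory whose extension,
// after normalising the trailing spaces/dots that Windows drops on save, is a server-side
// script type. The sample directory and file names are constructed here.

const SCRIPT_EXTENSIONS = ['asp', 'asa', 'cdx', 'cer', 'aspx', 'php'];

// Return the offending extension, or null when the name is harmless.
function suspicious_extension(string $filename): ?string {
    $normalised = rtrim($filename, " ."); // "shell.asp " and "shell.asp." both land on disk as shell.asp on Windows
    $ext = strtolower(pathinfo($normalised, PATHINFO_EXTENSION));
    return in_array($ext, SCRIPT_EXTENSIONS, true) ? $ext : null;
}

// Walk $dir recursively and collect path, size and modification time of every hit,
// so the report can be compared against the date of the last known-good upload.
function scan_uploads(string $dir): array {
    $hits = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $entry) {
        if ($entry->isFile() && suspicious_extension($entry->getFilename()) !== null) {
            $hits[] = sprintf('%s  %d bytes  %s',
                $entry->getPathname(), $entry->getSize(), date('Y-m-d H:i', $entry->getMTime()));
        }
    }
    sort($hits);
    return $hits;
}

// Constructed upload tree: ordinary attachments plus disguised script files.
$root = sys_get_temp_dir() . '/bmforum_uploads_' . getmypid();
mkdir("$root/attachments", 0700, true);
foreach (['attachments/photo.jpg', 'attachments/readme.txt', 'attachments/pic.asp.', 'report.CER', 'image.php '] as $name) {
    touch("$root/$name");
}
foreach (scan_uploads($root) as $line) {
    echo $line, "\n";
}
```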
4. Hardening web server security at multiple levels
In network security, using a firewall to block attacks on the internal network from the Internet is very important. Beyond that, the web server is the second area that needs strong security. Server security consists of several security zones, and to obtain the highest protection the conditions allow, security must be consistent across every zone. The key zones to protect are:
Infrastructure zone. The infrastructure zone defines the server's position in the network. It must be able to resist threats such as data eavesdropping, network mapping and port scanning. It should also be possible to trace a successful intrusion into an exposed web server, since a compromised server may be used as a base for attacking other important servers; this is most common in DoS attacks. Rules can also be set on a sophisticated firewall or a simple router so that only the specified services on the server can be reached.
Network zone. Network communication generally means TCP/IP. Some functions or protocols have weak points that can be used to launch attacks or cause damage, so the kernel must be configured to block these kinds of attack. Given the characteristics of web servers, administrators need to prescribe the right remedy and know some common defences. For example, Linux provides a very effective mechanism called SYN cookies, which prevents SYN flood attacks.
Service zone. The service zone defines the services required. Under the security policy, only the services needed to complete necessary operations are configured on the server; otherwise more points of attack are offered to attackers. For example, services that lack adequate authentication or that transmit sensitive data unencrypted (such as Telnet, FTP, or credit card data sent over the WWW) should be replaced by more secure services such as SSH, FTP over SSL, or HTTPS.
Application zone. For security, each service must be configured individually. A poorly configured mail server can be used to relay spam; a poorly configured web server can end up executing arbitrary system commands.
Operating system zone. There should be an intrusion detection mechanism here. If the application zone is properly configured, then even intruders who get into the system will not have enough privileges to do damage. Installation of programs, especially privileged ones, should be limited to what system operation absolutely requires. Regular backups must not be neglected either, and old backup files should not be discarded. Many users, however, are on virtual hosts and have no permission to operate on the server; they can back up data using the backup functions provided in the forum management interface.
The Blue Magic Forum also has a web-path disclosure problem. For issues like this, you can consider turning off the display_errors option in php.ini on the server, although that requires a dedicated host or your own server. You can also borrow the fixes used in other forums. For example, the fix for a similar problem in the phpwind forum was to put "@" in front of the function call so that it no longer reports an error. This is the original code:
if (in_array($tid_db[$i], $delid)) {
The modified code is as follows:
if (@in_array($tid_db[$i], $delid)) {
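An added example, not phpwind's or BMForum's code, showing what the "@" fix leaves open: it only silences the warning in_array() raises when its second argument is not an array (a TypeError in PHP 8) and the notice for an undefined $tid_db[$i]; the path leak comes from display_errors rendering such messages, with the script's full path, into the page. The log path is an assumption; ini_set() works at runtime even without access to php.ini, which matters on the shared hosts the text mentions.

```php
<?php
// Added example, not phpwind's or BMForum's code. Assumed log path below.

// Server-side fix: keep diagnostics out of responses and in a log the administrator reads.
// display_errors can be changed at runtime, so this works even on a virtual host.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/bmforum.log');

// Code-level fix: check the operands instead of suppressing the message with "@".
// Strict comparison is used here so "0" and 0 are not treated as the same id.
function selected_for_deletion(array $tid_db, int $i, $delid): bool {
    if (!is_array($delid) || !array_key_exists($i, $tid_db)) {
        return false;
    }
    return in_array($tid_db[$i], $delid, true);
}

// Constructed inputs: the second call is the case that produced the warning in the original code.
var_dump(selected_for_deletion(['12', '15'], 1, ['15']));
var_dump(selected_for_deletion(['12', '15'], 1, null));
var_dump(selected_for_deletion(['12', '15'], 5, ['15']));
```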
At the time of writing, vulnerabilities keep surfacing on the network without end, and the security problems that follow continue to surround every security administrator among us.