Technical Support Forums

Security problem - repeated hacking

Thread began 9/17/2011 11:24 am by Jade but not jaded | Last modified 9/19/2011 9:20 am by Jade but not jaded | 5046 views | 11 replies

gruant2000381341

Thanks for those, I will check them out.

I am far from a security expert, but one thing I do on my scripts that process form data is this: before it accepts any post data I have something like this

<?php
//Prevent form script hijack by serving only request from this domain
$myReferer = "http://mywebsite.com/";
// Header may be absent; treat a missing referer as a mismatch instead of raising a notice
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($myReferer != $referer) {
echo "Unauthorized Request";
die;
}
?>

Just change the $myReferer to your url.
It seems to help with cross site scripting by killing the script if the referral does not come from your domain. Is there a way around this....I dunno.
And I have not really looked at WA's cms code to see if it already has something like this in place, it may....not sure.

Edit... I just did a find and replace search for 'HTTP_REFERER' and didn't find any instances.
So I opened up the WA_Globals file and added this
$mysite = "http://www.mysite.com/myCMSfolder/admin/contents_insert.php";
(you need to edit that to point at your site files)
then I opened contents_insert, and directly below this line
<?php require_once( "../WA_Globals/WA_Globals.php" ); ?>
I added this
<?php
if (isset($_POST["Insert_x"])){
// Header may be absent; a missing referer must fail the check rather than raise a notice
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($referer != $mysite) {echo "Unauthorized Request"; die;}
}
?>

I tested it and it seemed to work....I tried to attack it, but it passed my tests
(again..not an expert, lol.. a hacker I am NOT)
you would need to do this again for the contents_update page.
maybe someone will know of a better approach
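As an added example (not code from the post or from WebAssist's CMS), here is a stricter form of the referer check above that compares the header's host rather than the full URL, together with a per-session form token, which is the standard control that a referer check only approximates. It assumes PHP 7+, that the page starts a session, and that `www.mysite.com` is a placeholder for your own host.

```php
<?php
// Added example, not from the original post. Assumes PHP 7+ and an active session.
declare(strict_types=1);

// True only when the request carries an Origin or Referer header whose host
// matches $siteHost. Both headers are client-supplied and may be missing
// (privacy extensions, some proxies); a missing header is rejected here, which
// can affect legitimate users, so the token check below is the primary control.
function requestFromSite(array $server, string $siteHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    // Compare hosts, not whole URLs: a full-string comparison breaks as soon as
    // the form lives at another path or the scheme changes.
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// Issue one random token per session; embed it in the form as a hidden field.
function formToken(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Accept the POST only if the submitted token matches the session copy
// (constant-time comparison).
function formTokenValid(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $given = $post['form_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Usage in contents_insert.php, in place of the check shown in the post.
// 'www.mysite.com' is a placeholder for your own host.
session_start();
if (isset($_POST['Insert_x'])) {
    if (!requestFromSite($_SERVER, 'www.mysite.com') || !formTokenValid($_POST)) {
        http_response_code(403);
        die('Unauthorized Request');
    }
}
// In the form that posts to this page:
// echo '<input type="hidden" name="form_token" value="' . htmlspecialchars(formToken()) . '">';
```

The same two checks apply unchanged to contents_update.php; only the hidden field has to be added to each form that posts to a protected page.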
