For Visual PHP™
Problem (cross-site scripting, XSS): the most common security flaw in web applications. XSS occurs when an application sends user-supplied data to a browser without validating or encoding it first. It lets an attacker run script in the victim's browser, hijack user sessions, deface pages, insert hostile content, or conduct phishing and malware attacks. The payload is usually JavaScript, which can read and modify any part of the page. In the worst case the attacker steals the session and acts as the logged-in user on, for example, a bank's web site.
A real-world example: PayPal was recently the target of an attack in which visitors to its web site were redirected to a page warning them that their accounts were at risk. Victims were sent on to a phishing server and asked to enter their PayPal login, their Social Security number (used to identify individuals in the USA) and full credit card details. PayPal has since fixed the flaw.
Visual PHP™ protection: the integrated firewall rejects any HTML submitted through a form or directly in a URL. This makes it impossible to deface a page by inserting images, links (the typical case is comment spam) or code (e.g. JavaScript that would run in the visitor's browser). Every such attempt is logged (date and time, the attacker's IP address, the referrer and the data submitted). An input filter of this kind catches the obvious cases; encoding every untrusted value at output time, for the context it is inserted into, remains the primary XSS defence, because data can also reach a page from sources the firewall never sees and because an attribute or script context can be broken out of without a single `<` character.
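What output encoding looks like in practice, as an added example that is not part of Visual PHP™ or of this page: two small helpers (the names `e()` and `e_js()` are my own) that encode an untrusted string for the HTML and the inline-JavaScript context respectively, applied to constructed inputs that contain no `<` at all and would pass a filter that only looks for tags.

```php
<?php
// Added example, not Visual PHP code: encode untrusted data at output time,
// per context, rather than relying only on an input-side HTML filter.
declare(strict_types=1);

// HTML body and attribute context: the five significant characters are
// replaced by entities; invalid UTF-8 is substituted instead of dropped.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline JavaScript context: emit a JSON string literal with <, >, &, ' and "
// hex-escaped, so the value can neither close the <script> element nor
// terminate the string it is placed in.
function e_js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

// Constructed attacker inputs. The first needs no '<' to escape an attribute;
// the second closes the script block an application might embed it in.
$comment = '" onmouseover="alert(document.cookie)';
$script  = '</script><script>alert(1)</script>';

// Attribute and body context: the quote becomes &quot; and the handler is
// just text inside the title attribute.
echo '<div class="comment" title="' . e($comment) . '">' . e($comment) . "</div>\n";

// Script context: the closing tag is emitted as \u003C/script\u003E, which the
// HTML parser does not recognise as a tag.
echo '<script>var c = ' . e_js($script) . ";</script>\n";
```

The same rule applies to every other sink (URLs, CSS, JSON responses): pick the encoder for the context the data lands in, and apply it at the point of output rather than at the point of input.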
Problem (injection): when user data is passed to an interpreter (a component that executes commands given as text) as part of a command or query, an attacker tries to trick the interpreter into executing commands of their own. Such flaws let an attacker create, read, update or delete any data the application can reach. In the worst case they allow complete compromise of the application and of the host systems behind it, even those deep behind a firewall.
A real-world example: in 2006, Russian hackers broke into the Rhode Island state government web site intending to steal credit card data. They claimed to have taken 53,000 credit card numbers by SQL injection (inserting SQL commands into data passed to the database), whereas the hosting provider put the number at only 4,113.
Visual PHP™ protection: the system is written so that no further instructions can be smuggled into the resulting SQL query. All data is escaped (quotation marks and other characters that could be used for an attack are handled correctly) before the query is assembled. Submitted data also passes through the firewall, which recognises typical SQL injection attempts immediately, stops generation of the page and records the attempt in its log (date and time, the attacker's IP address, the referrer and the data submitted). Escaping protects only values that end up inside quotes; numeric parameters and identifiers have to be validated separately, which is why bound parameters (prepared statements) are the more robust mechanism.
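The difference between escaping and binding, shown on a constructed in-memory SQLite table (added example, not Visual PHP code; it needs PHP's `pdo_sqlite` extension and the `find_user()` helper is my own):

```php
<?php
// Added example, not Visual PHP code: the same lookup built three ways
// against a constructed in-memory SQLite table, to show where escaping
// stops and parameter binding starts.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");

// Constructed attacker input for a numeric parameter: no quote is needed
// to break out, so quote-escaping on its own would not have helped.
$rawId = '2 OR is_admin = 1';

// 1. String concatenation: the injected condition runs, and every row with
//    is_admin = 1 comes back alongside the requested one.
$leaked = $db->query("SELECT name FROM users WHERE id = $rawId")
             ->fetchAll(PDO::FETCH_COLUMN);             // ['alice', 'bob']

// 2. Escaping: PDO::quote() wraps the value in quotes and escapes any quotes
//    inside it. That is enough in a quoted context, but only if the developer
//    never forgets the quotes, never pastes the value into a numeric or
//    identifier position, and the driver knows the connection's charset.
$quoted  = $db->quote($rawId);                           // "'2 OR is_admin = 1'"
$escaped = $db->query("SELECT name FROM users WHERE id = $quoted")
              ->fetchAll(PDO::FETCH_COLUMN);            // []

// 3. Validate the type, then bind: the value is sent as data and is never
//    parsed as SQL, whatever characters it contains.
function find_user(PDO $db, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                                     // reject, do not coerce
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

var_dump(find_user($db, $rawId));                        // NULL
var_dump(find_user($db, '2'));                           // string(3) "bob"
```

Case 2 happens to be safe here only because the value landed inside quotes; the firewall signature layer described above is a useful second net, but it cannot see the query, so it is case 3 that actually removes the bug class.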
Problem (malicious file execution): an attacker can execute code remotely, install rootkits or take over the system completely. Any web application that accepts file names or uploaded files from users is potentially vulnerable. The flaw is most common in PHP, a scripting language widely used for web development.
A real-world example: in 2002 a very young programmer discovered that the Guess.com web site was vulnerable to an attack that exposed the records of more than 200,000 customers in the Guess database, including names, credit card numbers and expiry dates. The company promised to improve its security the following year, when it was investigated by the Federal Trade Commission.
Visual PHP™ protection: uploaded files may not carry an extension that an interpreter on the server would execute (.php, .phtml, .php3, .php4, .php5, .php6 and .pl are rejected). Every uploaded file also passes through the integrated antivirus, which detects typical web shells that would give an attacker control of the server. An extension blacklist is only as good as its list: .phar and .phps, double extensions such as `shell.php.jpg` on servers configured to handle multiple extensions, and files the web server itself interprets (`.htaccess`) are not on it, so an allowlist of expected types, a check of the file content and storage outside the web root are the safer pattern.
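The allowlist pattern, as an added example that is not Visual PHP code: the extension must be one of a handful of expected types, the content sniffed with `finfo` must agree with it, and the name written to disk is random. The `ALLOWED` table, the function names and the two constructed test files are mine; the caller is expected to move the file with `move_uploaded_file()` to a directory the web server does not serve directly.

```php
<?php
// Added example, not Visual PHP code: accept an upload only when its
// extension is on an allowlist and the content agrees, then give it a
// random name so nothing from the client ever reaches the file system.
declare(strict_types=1);

const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Returns the file name to store under; throws on anything unexpected.
function validate_upload(string $tmpPath, string $originalName): string
{
    // Only the last extension counts, and only if it is on the list;
    // "shell.php.png" is judged by "png" and then by its content.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: .$ext");
    }
    // Sniff the real content; the client-supplied Content-Type is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }
    // The user's name is discarded entirely: no path, no double extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a file starting with the PNG signature, and a PHP
// script disguised with an image extension.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php system(\$_GET['c']);");

echo validate_upload($png, 'photo.PNG'), "\n";      // 32 hex chars + ".png"
try {
    validate_upload($php, 'shell.php.png');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                     // content mismatch, rejected
}

unlink($png);
unlink($php);
```

Serving the stored files through a small handler that sets `Content-Type` from the allowlist entry, rather than by direct URL, keeps the server from ever being asked to interpret them.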
Problem (insecure direct object reference): an attacker modifies a direct reference to an object to gain unauthorised access to other objects. This happens when URLs or form parameters contain references to objects such as files, directories, database records or keys. Banking sites commonly use the customer's account number as a primary key and therefore expose account numbers in the web interface, and database keys appear in links all the time. An attacker can exploit such a parameter simply by guessing or searching for another valid key, which is easy when keys are plain sequential numbers.
A real-world example: in 2000, the web site of the Australian Taxation Office was hacked by a user who changed the tax identification number in a URL and thereby gained access to the data of 17,000 companies. The hacker then notified those companies of the flaw by e-mail.
Visual PHP™ protection: for unique identifiers the system does not use sequential numbers (1, 2, 3, 4, 5, 6, 7 and so on, typically 32-bit integers) but UUIDs (for example ebe79a36-fa5c-102c-ab95-00e0814daf34), so that the next identifier cannot be derived from the current one. Two corrections to that claim: a UUID is 128 bits, not 256, and the example shown has version nibble 1 (the "1" in "102c"), i.e. a time-based UUID built from a clock value and the generating host's MAC address (00e0814daf34), so consecutive values differ mainly in the timestamp and are far from unguessable. Random version 4 UUIDs are the right choice for this purpose. Even then, an unguessable identifier only raises the cost of enumeration; it is no substitute for checking on every request that the logged-in user is authorised to access the referenced object.
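Random identifiers plus the authorisation check that has to accompany them, as an added example that is not Visual PHP code. `uuid_v4()` builds an RFC 4122 version 4 UUID from `random_bytes()`, `uuid_version()` reads the version nibble (it returns 1 for the identifier quoted above), and `load_document()` refuses a record that exists but belongs to someone else; the `$documents` array is a constructed stand-in for a database table and all function names are mine.

```php
<?php
// Added example, not Visual PHP code: random (version 4) UUIDs as object
// identifiers, a check that tells them from time-based (version 1) ones,
// and the ownership check that still runs on every lookup.
declare(strict_types=1);

function uuid_v4(): string
{
    $b = random_bytes(16);                                  // CSPRNG; 122 random bits remain
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);                // version nibble = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);                // RFC 4122 variant bits
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

function uuid_version(string $uuid): int
{
    $re = '/^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    if (!preg_match($re, $uuid, $m)) {
        throw new InvalidArgumentException('not a UUID');
    }
    return (int) hexdec($m[1]);
}

// The identifier quoted in the text above: version 1, i.e. a 60-bit
// timestamp plus the generating host's MAC address (00e0814daf34).
var_dump(uuid_version('ebe79a36-fa5c-102c-ab95-00e0814daf34'));   // int(1)
var_dump(uuid_version(uuid_v4()));                                  // int(4)

function load_document(array $documents, string $id, int $currentUser): array
{
    // An unguessable ID raises the cost of enumeration; it does not replace
    // this check. Missing and foreign records get the same answer, so the
    // response does not reveal whether the ID exists.
    if (!isset($documents[$id]) || $documents[$id]['owner'] !== $currentUser) {
        throw new RuntimeException('not found');
    }
    return $documents[$id];
}

// Constructed "table": one document owned by user 42.
$docId     = uuid_v4();
$documents = [$docId => ['owner' => 42, 'title' => 'Q3 invoices']];

var_dump(load_document($documents, $docId, 42)['title']);   // string(11) "Q3 invoices"
try {
    load_document($documents, $docId, 7);                   // other user, same ID
} catch (RuntimeException $e) {
    var_dump($e->getMessage());                             // string(9) "not found"
}
```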
Problem (cross-site request forgery, CSRF): simple and devastating. The attack hijacks a victim's browser while they are logged in to a site and makes it send requests of the attacker's choosing to the web application. Sites are so exposed partly because they authenticate requests purely on the basis of the session cookie or a Remember Me cookie, which the browser attaches automatically. Banks are an obvious target. Almost all web applications are vulnerable to forged cross-site requests. Has money actually been lost to this? Banks generally cannot tell, because to them a forged request looks like a legitimate transaction by a logged-in user.
A real-world example: in late 2005 the hacker known as Samy acquired more than a million "friends" on MySpace.com by means of a worm that automatically added the message "Samy is my hero" to thousands of MySpace pages. The attack itself did little harm, but it was built to demonstrate the power of combining cross-site scripting with forged cross-site requests. In another case, more than a year ago, third-party web sites were able to change a Google user's language settings.
Visual PHP™ protection: the system uses a special token generated at login; no operation in the administration interface is possible without a valid token. For such a token to be effective it must be unpredictable, tied to the session and checked on every state-changing request, not merely issued at login.
Recommendation: for maximum security we further recommend the Mozilla Firefox browser with its Prism extension, which runs the administration interface as a separate application with its own profile, so that its cookies are not shared with other browser windows.
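A per-session anti-CSRF token in the form described above, as an added example that is not Visual PHP code: the token is generated once per session from `random_bytes()`, embedded as a hidden field in every state-changing form, and compared in constant time on submission. `$session` stands in for `$_SESSION` so the snippet runs outside a web request; the function names are mine.

```php
<?php
// Added example, not Visual PHP code: a per-session CSRF token, embedded in
// every state-changing form and compared in constant time on submission.
declare(strict_types=1);

function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // 256 unpredictable bits
    }
    return $session['csrf'];
}

// Hidden field for a form; an attacker's page cannot read it, because the
// same-origin policy stops it from reading our HTML.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Call this on every POST (and any other request that changes state).
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf'] ?? '';
    $given    = $post['csrf'] ?? '';
    // hash_equals() avoids leaking the token through comparison timing; a
    // submission from a foreign site simply has no matching value to send.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

$session = [];
echo csrf_field($session), "\n";

$legit  = ['action' => 'delete', 'csrf' => $session['csrf']];
$forged = ['action' => 'delete'];                // cross-site form: token unknown
var_dump(csrf_check($session, $legit));          // bool(true)
var_dump(csrf_check($session, $forged));         // bool(false)
```

Regenerate the token together with the session ID at login, and keep the XSS protection in place: a script running in the page can read the hidden field, so CSRF tokens only hold if XSS is already excluded.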
Problem (information leakage and improper error handling): error messages generated by an application and shown to users are also useful to an attacker. They unintentionally leak information about the program's configuration and internal workings. Web applications often reveal their internal state through detailed or debug error messages, and that information is frequently used to launch or automate stronger attacks.
A real-world example: information leaks often happen during error handling, and they are also typical after a security breach, when confidential data is left fully exposed. The ChoicePoint debacle of early 2005 falls roughly into this category: records of 163,000 customers leaked after criminals posing as legitimate ChoicePoint customers retrieved details on individuals from the company's personal-information database. ChoicePoint subsequently restricted the sale of products containing confidential data.
Visual PHP™ protection: debug output, warnings and errors are shown only to the developers' IP addresses, so an attacker cannot learn details of the database structure or the file system layout from such messages. Gating on IP address assumes those addresses are static and not shared through a proxy or NAT with untrusted users.
Problem (broken authentication and session management): if an application fails to protect credentials and session tokens, user and administrator accounts can be hijacked. Watch for privacy violations and for weaknesses in the controls that enforce authorisation and accountability. Flaws in the main authentication mechanism are not rare, but weaknesses are found more often in the auxiliary functions: login, logout, password management, session timeouts, Remember Me, secret questions and account updates.
A real-world example: in 2002 Microsoft had to fix a flaw in Hotmail that let authors of malicious JavaScript steal user passwords. The flaw, found by a vendor of network products, allowed e-mail messages carrying trojan code to alter the Hotmail user interface and prompt users repeatedly for their password, which was then sent to the attackers without the users' knowledge.
Visual PHP™ protection: sensitive information such as passwords is stored only as a hash (one-way, so passwords cannot be recovered by decoding). The system also allows other sensitive information to be stored encrypted. For passwords the hash should be salted and deliberately slow (bcrypt, scrypt or Argon2); a fast unsalted hash such as MD5 or SHA-1 can be reversed for common passwords with a dictionary or rainbow table.
Problem (insecure cryptographic storage): many web developers do not encrypt confidential data at rest, even though cryptography is an important part of most web applications. And where encryption is used, it is often poorly designed and relies on unsuitable ciphers. Such errors can expose confidential data and lead to compliance violations.
A real-world example: the recent TJX breach exposed 45.7 million credit and debit card numbers. The Canadian government's investigation criticised TJX for not having upgraded its cryptography before it became the target of the electronic eavesdropping that began in June 2005.
Visual PHP™ protection: sensitive information can be encrypted with a range of algorithms (3DES, DES, TripleDES, ENIGMA, IDEA, RIJNDAEL_256, RC6, SAFER128, SERPENT_256, THREEWAY and TWOFISH256). This list mirrors PHP's mcrypt extension, which was deprecated in PHP 7.1 and removed in 7.2. Of the ciphers named, DES and Enigma are obsolete, 3DES has been retired by NIST, and mcrypt's RIJNDAEL_256 is Rijndael with a 256-bit block, which is not AES. The current standard choice is AES in an authenticated mode such as GCM, through the openssl or sodium extension, with a fresh nonce per record and the key kept apart from the data.
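One block serving the two storage cases above (hashed credentials, and data that must be read back), as an added example that is not Visual PHP code. Passwords go through `password_hash()`, which salts and uses a slow algorithm chosen by PHP; reversible data is sealed with AES-256-GCM via the openssl extension (PHP 7.1 or later). The function names are mine, the key is generated in place only for the demonstration, and the card number is a constructed test value.

```php
<?php
// Added example, not Visual PHP code: one-way hashing for credentials,
// authenticated encryption for data that must be decrypted again.
declare(strict_types=1);

// --- Passwords: salted, slow, one-way; the hash string records algorithm and cost.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);   // bcrypt today, upgradable later
}

// Verifies and, if PHP's default has moved on, hands back a stronger hash
// for the caller to persist.
function check_password(string $plain, string &$stored): bool
{
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// --- Reversible data: AES-256-GCM, fresh 96-bit nonce per record, tag stored with it.
function encrypt_record(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);
    $tag   = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);          // nonce(12) | tag(16) | ciphertext
}

function decrypt_record(string $sealed, string $key): string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed record');
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        throw new RuntimeException('tampered record or wrong key');   // tag check failed
    }
    return $pt;
}

$key = random_bytes(32);   // demonstration only: in practice loaded from a secret store, never from the database

$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));   // bool(true)
var_dump(check_password('Tr0ub4dor&3', $hash));                    // bool(false)

$blob = encrypt_record('4111 1111 1111 1111', $key);                // constructed test number
var_dump(decrypt_record($blob, $key));                              // string(19) "4111 1111 1111 1111"

$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);   // flip one ciphertext bit
try {
    decrypt_record(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    var_dump($e->getMessage());                                     // tag mismatch, not silent garbage
}
```

The last few lines are the point of choosing an authenticated mode: with CBC or the mcrypt ciphers above, a modified ciphertext decrypts to altered plaintext without any error.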
Problem (insecure communications): as with item 8 (insecure cryptographic storage), this is a failure to encrypt network traffic that carries confidential information. Attackers can read unprotected conversations, including credentials and confidential data in transit. This is why, for example, payment card standards require encryption of card data transmitted over the Internet.
A real-world example: TJX again. Investigators believe the attackers used a directional antenna and a laptop to capture data transmitted wirelessly between hand-held price checkers, cash registers and store computers, as reported by the Wall Street Journal. The wireless network of a 17.4-billion-dollar retail chain was less secure than most home networks: TJX used WEP encryption rather than the stronger WPA.
Visual PHP™ protection: the system fully supports transmission over SSL/TLS, so data is protected even on poorly secured networks. TLS must be enforced for every page that handles credentials or session cookies, not merely offered, otherwise a session cookie issued over HTTPS is sent in the clear on the first plain-HTTP request unless it carries the Secure flag.
Problem (failure to restrict URL access): some pages are meant to be accessible only to a small group of privileged users such as administrators, yet they often have no real protection and an attacker can find their addresses by intelligent guessing. Say a URL refers to ID "123456"; the attacker asks, "and what is under ID 123457?" Attacks on this flaw are called forced browsing and combine link guessing with brute-force techniques to find unprotected pages.
A real-world example: last year a hole in the Macworld Conference & Expo web site let users obtain Platinum passes, which normally cost nearly 1,700 dollars and include special access to Steve Jobs's keynote, free of charge. The cause was code that checked privileges on the client but not on the server, so passes could be obtained by manipulating JavaScript in the browser.
Visual PHP™ protection: the system performs authentication on every request for a page that is to be shown to logged-in users only; it does not rely on secret, unauthenticated URLs.
Problem (session ID in the URL): if session IDs are passed in the URL, an identifier is revealed as soon as the user clicks a link to the attacker's page, because a script there can read the session ID from the HTTP Referer header. Another error is forwarding a URL that contains a session ID to someone else (by e-mail, or over Skype, ICQ and the like): the recipient merely has to click it to get direct access to an interface that was meant for the original user only.
Visual PHP™ protection: the system keeps the session ID in a cookie, so it is not disclosed when a URL is forwarded by e-mail or over another network, or when an external link is clicked and the referrer is examined. Theft of the session from the cookie is in turn prevented by the XSS protection, since no JavaScript that could read the cookies and send them to the attacker can be inserted into pages. The cookie should additionally carry the HttpOnly and Secure flags, so that even a script that does get in cannot read it and it is never sent over plain HTTP.
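The transport and session settings behind the two protections above (TLS enforcement, and a session that lives only in a hardened cookie), collected into one bootstrap file as an added example that is not Visual PHP code. It requires PHP 7.3 or later for the array form of `session_set_cookie_params()`; the `on_login()` helper and the assumption that `$_SERVER['HTTPS']` reflects the real transport (behind a TLS-terminating proxy it may not) are mine.

```php
<?php
// Added example, not Visual PHP code: run before any output and before
// session_start(); it refuses plain HTTP and pins the session to a cookie
// that scripts cannot read and that is never sent unencrypted.
declare(strict_types=1);

// Redirect plain-HTTP requests once, then tell browsers to use HTTPS for a
// year so the first request is not downgraded either.
if (PHP_SAPI !== 'cli' && empty($_SERVER['HTTPS'])) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// Session ID only from the cookie, never from the URL or a form field.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject IDs the server did not issue (fixation through a chosen cookie value).
ini_set('session.use_strict_mode', '1');

session_set_cookie_params([
    'lifetime' => 0,          // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',         // current host only
    'secure'   => true,       // never sent over plain HTTP
    'httponly' => true,       // invisible to document.cookie even if XSS slips through
    'samesite' => 'Lax',      // not attached to cross-site POSTs: CSRF defence in depth
]);

session_start();

// A new ID on every privilege change, so an ID learned before login is
// worthless afterwards.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```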
Problem (e-mail harvesting): most web sites publish e-mail addresses in plain text. Robots crawling those pages collect the addresses, and spam is sent to them. Once an address is in spammers' databases, the amount of spam it receives keeps growing.
Visual PHP™ protection: all e-mail addresses published on pages are encoded, so they cannot be harvested easily. Because the encoding is implemented with JavaScript, clicking the address still opens the visitor's e-mail client.
Problem (form spam): various robots crawl pages looking for forms. They record the names of the form fields and then submit data to them periodically (discussion forums and Contact Us forms are typical targets). If such forms are not protected, for instance by requiring the user to copy characters from an image, periodic unwanted submissions will follow.
Visual PHP™ protection: the system adds a hidden field to every form; a robot fills it in, a real visitor does not. If the field arrives with any value, further processing of the page is blocked and an entry is written to the firewall log.
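The honeypot field in code, as an added example that is not Visual PHP code, with a minimum fill time added as a second cheap signal. The field is hidden with CSS rather than `type="hidden"`, because many bots skip fields that are declared hidden but fill visible-looking text inputs; the field and function names are mine.

```php
<?php
// Added example, not Visual PHP code: a honeypot input that people never see
// and bots tend to fill, plus a timestamp to catch instant submissions.
declare(strict_types=1);

function honeypot_fields(): string
{
    // An inviting label for bots; positioned off-screen and excluded from the
    // accessibility tree and tab order so real visitors never touch it.
    return '<div style="position:absolute;left:-10000px" aria-hidden="true">'
        . '<label>Website <input type="text" name="website" tabindex="-1" autocomplete="off"></label>'
        . '</div>'
        . '<input type="hidden" name="form_ts" value="' . time() . '">';
}

// Returns a reason string for the firewall log, or null for a plausible human.
function looks_like_bot(array $post, int $now, int $minSeconds = 3): ?string
{
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $ts = filter_var($post['form_ts'] ?? '', FILTER_VALIDATE_INT);
    if ($ts === false || $now - $ts < $minSeconds) {
        return 'submitted too fast';
    }
    return null;
}

$now = time();
// Constructed submissions.
var_dump(looks_like_bot(['website' => 'http://spam.example', 'form_ts' => $now - 30], $now)); // "honeypot filled"
var_dump(looks_like_bot(['form_ts' => $now], $now));                                         // "submitted too fast"
var_dump(looks_like_bot(['form_ts' => $now - 30, 'message' => 'hello'], $now));              // NULL
```

The timestamp is trivially forgeable and only raises the cost for careless bots; it is a spam filter, not a security control, and the CSRF token from the earlier section should be on the same form regardless.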
Visual PHP™ Protection against External Attacks (69 kB)
Some of the features described in this article work only with the latest core version. If you have an older core version, we recommend updating to the latest one.