The point is, a web site (blog?) with an option or requirement to login before commenting (or blogging) and no captcha, may be easy to get into as an admin. Make sure your web site is secure.
Micah Lee, in 2600, The Hacker Quarterly, tells how to “write code that automatically loads web pages, submits forms, and [can create an admin user-id in WordPress … for example], while looking like it’s human. These techniques can be used to exploit cross-site scripting (XSS) vulnerabilities, download copies of web-based databases, cheat in web games, and quite a bit more … using PHP and Javascript. I’m primarily going to use wordpress as an example website that I’ll be attacking, but that’s only because I’m a fan of wordpress. This stuff will work against any website, as long as you can find an XSS hole.”
See www.noisebridge.net/pipermail/noisebridge-discuss/2010-May/014197.html for the complete article.
Weaknesses and failures:
He assumes that the admin user name is “admin”.
Several years ago WP enabled setting the admin ID to anything, not just admin. If you set your admin ID to something else, his attempt fails.
He uses cross-site scripting (XSS), which is so old that WordPress and all other internet code packages (Joomla, all e-commerce packages, etc.) are written to prevent it.
PHP itself has done a lot to close security holes. PHP 5.x is a lot more secure than PHP 4.x was.
Last, but not least, he assumes we know the admin password. We don’t.
For Additional Security
Create an .htaccess file in wp-admin and put this in it, with your IP address (not xxx…):
Order deny,allow
Deny from all
# your IP address
Allow from xxx.xxx.xxx.xxx
Note: any line starting with # is a comment.
If you have 2 IP addresses you want to work from, you can use
Allow from xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
Create an .htaccess file in wp-content and in wp-includes and put this in it:
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
Clearly, this keeps everyone out of all your programs, including all plugins and themes. Only the programs at the root of WP can call them.
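The same two restrictions, as an added example that is not part of the original post, written for Apache 2.4, where Order/Deny/Allow (now in mod_access_compat) are replaced by Require; the IP addresses are placeholders, and the admin-ajax.php exception is an assumption about which plugins you run, since front-end plugins call that file for every visitor.

```apache
# --- wp-admin/.htaccess (added example, Apache 2.4 syntax) ---
# Several addresses on one line are allowed; a match on any of them grants access.
# 203.0.113.10 and 198.51.100.0/24 are documentation placeholders, not real hosts.
Require ip 203.0.113.10 198.51.100.0/24

# Caveat: wp-admin/admin-ajax.php is requested by front-end plugins on behalf of
# ordinary (even logged-out) visitors. Locking it to your IP silently breaks
# those plugins for everyone else, so open it back up here if you use any.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- wp-content/.htaccess and wp-includes/.htaccess (added example) ---
# Deny direct HTTP requests for any PHP file under these trees. PHP include()
# and require() work at the filesystem level and are unaffected, so the files
# at the WordPress root can still load plugins, themes and core libraries.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
```

Test the change from a second IP address before relying on it: a correct rule returns HTTP 403 for /wp-admin/ from that address and 200 (or a normal login page) from yours.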
This is very interesting. I have a need to automate a login to a website with a username and password and then to right mouse-click on a link and save it. How would you accomplish this in PHP?
Consider this: write a PHP program to do what you want and put it inside wp-admin, and use .htaccess to deny access to it from any IP address but yours.