Need Website Security Critique

All you website security gurus I need a favor. I am fairly new to PHP/MySql and by no means an expert on securing websites. I am building a family website and have reached my first couple of milestones. What I want to do before I go any further is make sure that I do not have any major security holes in my website. I understand that this is a family website and the likelihood of my site getting hacked is remote, but I still don’t want to leave the front door open if you know what I mean.

Please take a look at my site located at http://beckerfamily1.com/testing and see if you can gain access using common hacking techniques. If you find a security hole please contact me ASAP at webmaster@beckerfamily1.com with the details. I will be very grateful. Thank you in advance for your assistance.

PS- For those that wish to do me harm this is a clean testing server on a secluded network you will not gain anything useful if you hack into it should you find a security hole.

As far as I could tell was pretty secure.

Able to use any email to register, but then couldn't activate or login because it was some bs email.

I already had this message from trying random GET requests and feared being banned.

The URL has been modified! Your IP Address: 74.97.81.93 has been recorded.

Thanks for the reply. I activated your account so you could test more if you like.

new page with guest rights was created

http://beckerfamily1.com/testing/index.php?id=27

Page Error

Sorry this page is no longer avalible. If you feel you have reached this page in error please contact the website administrator at webmaster-at-beckerfamily1.com

Once again thanks for the help. I need to clarify the error message you received. The reason you got that message is because the pages you created had not been approved for display. I will modify the message before proceeding with the build.

I'm also happy to see that the code you entered into the hack page did not execute. I spent a lot of time trying to find a way to keep that from happening. 

I moved your topic to the beta testing area, could you add a proof of ownership on your server as required in the sticky? http://www.phpfreaks.com/forums/index.php?topic=232470.0

As requested I have placed at text file in the root directory of my domain. http://beckerfamily1.com/phpfreaks.txt

Could someone take a look at the security particularly URL security in the forum section of my site. I stopped using encryption when passing variables in the URL mainly to simplify the script and because encrypting and checking was getting tedious. In the forum section I started using preg match function to look for what is expected. This made the script much cleaner and less tedious but I am afraid that I may have sacrificed some security.

Full Path Disclosure: (http://www.acunetix.com/vulnerabilities/Full-path-disclosure.htm)

http://beckerfamily1.com/testing/forum/topics.php?f[]

Warning: preg_match() expects parameter 2 to be string, array given in J:\www\www.beckerfamily1.com\testing\functions\functions.php on line 169

Thank you! This is very helpful. Can you recommend a method other than preg match or encrypting the URL that is secure. I thought of using sessions to pass everything but I think that might cause problems when it comes to setting and unsetting session variables.

I think I have come up with an alternative to preg match. I have changed the function to use ctype_digit(). I did a search on the internet for known issues with ctype_digit() and didn't find anything. I tested it on my website any it seems to be working.

To anyone starting out like me I want to share this presentation. I stumbled on it while searching the net for web design security. I learned a lot from this presentation.  http://darianpatrick.com/presentations/penn_uiconf_08/slides.html

To anyone starting out like me I want to share this presentation. I stumbled on it while searching the net for web development security. I learned a lot from this presentation.  http://darianpatrick.com/presentations/penn_uiconf_08/slides.html

This is also a huge resource. https://www.owasp.org/index.php/Main_Page

Still working on this same site. Have a quick question.

I'm trying to use preg_replace to strip out a section of code but I am have problems getting it to work right.

Code Example:

$str = '<p class="code">some string here</p>';

PHP I'm using:

$pattern = array();

$pattern[0] = '!<p class="code">!';

$pattern[1] = '!</p>!';

preg_replace($pattern,"", $str);

This strips out the code just as I want with the exception of the space between the p and class.

Returns:

some string here //notice the single space at the beginning.

I'm trying to get:

some string here //no space at the beginning.

I have been beating my head against the wall trying to find a solution. The reason I'm trying to strip it out in a chunk instead of breaking the preg_replace into pieces is because I don't want to change anything that may be in the string between the tags. Any ideas?

$str = preg_replace('/\s\s+/', ' ', $str);//trims space
$str = str_replace(array('  ','   ','    '), ' ', $str);//converts 2,3 and 4 spaces to one

Using var_dump() I tried my code on a clean page with no css and so on and the beginning space is missing so I am picking up that space from somewhere else. Thanks for the help

beckerdt. I posted a huge security flaw on your website last night. Did you read it / understand it?

teynon thanks for looking at my site. I see the two post you made. It looks like you entered some JavaScript that executed when the page loaded causing the site to behave oddly. I also appears that you were able to delete pages from the site without privileges. I'll admit you have me scratching my head. I really have no idea how you did that. 

The only way I can think of to keep that from happening is to strip out script tags with preg_replace or something like that.

where you stationed at? I'm at Ft bliss.

I have 2 weeks left at Ft. Bragg, NC before I ETS!

The javascript code I posted was just an example. If I wanted to, I could have had it include an external js file that would steal your cookie information and enable me to hijack your browsing session and possibly your username / password.

As for the deleting pages. I can edit and delete any page I want. Sorry for deleting the main page.. Heh... Your update form / delete form / input form is not being validated.

Put this on your local computer and you can modify the ID and do whatever you want to your data.

<html>
<head>
</head>
<body>
<form action="http://www.beckerfamily1.com/testing/includes/edit_page_processor.php" method="post">

<!--This is the ID of the page submitted-->

      	<input name="id" type="text" value="1" />

    <!--This is the ID of the user editing the page-->

    <!--<input name="user_id" type="hidden" value="" /> -->

    <input name="approved" type="text" value="yes" />     

    <br />

    <!--IF ADMIN SHOW PAGE OWNER-->

        <!--TITLE-->

    <h2 class="heading">Title:</h2>

    <input class="form_box_title" name="title" type="text" value="" size="30" maxlength="30" />

    <br /><br />

    <!--PAGE VISIBLE-->

    <div class="none"><!--This is to correct weird shit happening in IE-->

    <h2 class="heading">Page Visible:</h2> 

    <h2 class="heading">

    Yes: 

    <input name="visible" type="radio" value="yes"  />  

    No: 

    <input name="visible" type="radio" value="no"  /></h2>

    <br /></div><!--This is to correct weird shit happening in IE-->

    <!--ACCESS LEVEL-->

    <h2 class="heading">Access Level:<br /><span class="yellow">Guest</span> = Public<br /><span class="yellow">User</span> = Only registered users and admins can view.<br /><span class="yellow">Admin</span> = Only admins can view.</h2>

    <select name="access">

  <option value="" selected="selected"></option>      <option value="admin" >Admin</option>

      <option value="user" >User</option>

      <option value='guest"' >Guest</option>

    </select>     

    <br /><br />

    <!--MOVE PAGE POSITION-->

    <h2 class="heading">Move Page Position:<br />

    <!--INSTRUCTIONS-->

    <span class="yellow">Enter the number position that you want the page to be displayed in the navigation.</span></h2>

    <input class="form_box_number" name="position" type="text" size="4" maxlength="4" value="">

    <br /><br />

    <!--SUMMARY-->

    <h2 class="heading">Summary:</h2> 

    <textarea  name="summary" cols="68" rows="5"></textarea>      

    <br /><br />

    <!--CONTENT-->

    <h2 class="heading">Content:</h2> 

    <textarea  name="content" cols="68" rows="20"></textarea>

    <!--THE BUTTONS-->

     <div class="edit_btn">

     <br />

     <input class="button" name="edit_submit" type="submit" value="Save Page" />   

     <input class="button" name="delete_page" type="submit" onclick="return confirm('Are you sure you want to delete this page?');" value="Delete Page" />   

     <a href="index.php">Cancel</a>

     </div>      

</form>
</body>
</html>

thanks for the help looks like I'm going to go back to the drawing board with this.

good luck with your ets.

You don't need to go back to the drawing board, you just need to verify user credentials when they are posting a form submission. You also need to disallow html in your input title.

ok I think I have fixed the security flaw teynon pointed out by using strip_tags() on the title and removed the user_id from the form and placed it into the session for use after form submission.

Just tried it. I can still modify your pages. You need to verify when that form is submitted that the current user has rights to modify the page id.

@teynon - I bet you can't do it now! 

Thanks for the help.

True, however I now can not edit pages I do have authorization to either.