php, coldfusion and general web development waffle
yeah it's pretty simple to fix, i've already fixed the site that was hacked apart from two pages which are a bit different from everything else
looks like they used a tool called Havij https://itsecteam.com/products/havij-adv ... injection/
i can see how they exploited the site to run a query, but i'm not sure how they managed to view the results from the queries
i got a problem with a site ... again!
this site has a page which is accessible from another site, and only from that other site
up until now i've been checking the https referrer, if the referrer is valid i display the page
the problem is the boss ( who i'm trying to win some work from! ) of this other site has some software or setup that's not sending the https referrer. and looking through the logs, it does happen now and then. googling the problem, there is an option in ie, or settings you can change in other browsers or privacy or security software that prevents the https referrer being sent, and it's recommended not to rely on it for anything important.
so now i can't use that to validate the request, how can i?!
i've googled and i can't find anything, but there must be a way ...
no it won't work, i did actually say the other week i had a fix for it, and i'd based that around the idea of checking for the existence of their members cookie - not realising that for security reasons you can't check cookies from one site set by another site!
i've been thinking about this for a while now, and i can't think of a solution. without the https referrer, and not being able to check for the existence of a cookie set by the other site, i just don't know how it can be done - but i'm going to have to come up with some blag as to why i said i had a fix!
Could you do it inside a protected frame like I do with some pages here? If the page isn't loaded inside the frame the redirect makes any browser go to where it should be.
Put this in the HEAD and it works.
<script>
if(self.location==top.location)self.location="https://couchtripper.com/forum2/viewtopic.php?t=12771";
</script>
sorry for the delay, had some trouble with a site this week, and i'm getting ready to move all the sites to a new server
it could possibly work in a way - and it might have to - but i don't think it would be the best or a very secure way of doing it.
at the moment, this other site has a link to say www.mysite.com/for-their-members-page/ and if the https referrer is https://www.theirsite.com/members/ i know it's a valid request from their site from within their members area which they have had to sign into
i know the https referrer can be faked, but you know - even nasa can be hacked
i guess to do your solution, instead of them clicking to go to www.mysite.com/for-their-members-page/ they'd click to go to another page on their site like https://www.theirsite.com/members/mysite-frameset/, that if they were logged in would set up a frameset, which would load my page from my site, which would then run the javascript to check it was inside the frameset set by their members area ... it's kinda messy and can be broken, but it might be the best solution at the moment!
thinking about it, i might use this as a fall-back - if the https referrer doesn't exist in the existing check, jump automatically back to their site to run the frameset which will only run if their member cookie exists. thanks
the blag i'm going to say for why i said i had a proper solution is that if they give me the work i bid for, and they moved their site over to my server, i can run sql queries from either site on the other site's database to either check that the ip is logged in and valid, or to get the content from the other site while being able to check for their members cookie - all server side so it can't be broken.
-
Brown Sauce
- admin
- Posts: 1485
- Joined: Sun Jan 07, 2007 3:40 pm
yeah i can see that, i was kinda pissed off when i wrote that!
i'm in the process of moving everything to a new linux server; i started testing the sites and all the sql was failing. in my local databases, and my code, all table names are called something like tblDocuments, tblPages etc - although up until now case has never mattered - but somewhere along the way from my local machine to the old server to this new server, mysql has made all the table names lower case, so i had to rename every table for every site to match the code.
do you use linux much?
i've got an old desktop machine that i'd like to set up with linux, apache, mysql and coldfusion. i see you can get xampp for linux so i'll just use that, but do you know a decent and easy to set up version of linux?
anyone have any experience of virtualbox? https://www.virtualbox.org/ https://en.wikipedia.org/wiki/VirtualBox
looks like i could install and run linux from my windows desktop
-
Brown Sauce
- admin
- Posts: 1485
- Joined: Sun Jan 07, 2007 3:40 pm
I use linux every day. I gave up with xampp it was too slow, and really I needed the terminal. Windows is too complicated, and all the useful info revolves around linux. Most of my stuff is drupal and php, so needs linux.
I also have a vps, it is ubuntu and I can easily ssh to it from the virtualbox on windows. It makes life a lot easier.
it's free, and there is so much info about installing the lamp stack for instance that it's so easy to do.
if you need tuts about any of it let me know. i have gigs of the shit.
take a look at squqs.com tell me what you think ..
thanks sauce, i think i'm going to try ubuntu through the virtual box first. i've never had trouble with xampp being slow, coldfusion has always run fine on it - even on my old computer. i'll see what it's like running on linux through virtual box from windows though!
is there some sort of weird difference with sorting folders/files by name on linux?
on one site a few members can upload cd's/dvd's via ftp, and my code goes through the folders/files displaying the info so other members can download
on windows, i just set the sort by folder name, and then by filename
on linux, no matter what i do - the order is totally random!
maybe it's a bug with coldfusion on linux, but i googled the problem and no one else seems to have it

i was wondering if anyone has any ideas whats going on here ...
these are files/folders uploaded from a dvd to a linux server
on some filenames, what were spaces have been changed to some strange character, but not always - and sometimes a single file can contain a normal space and the strange character instead of the space?
in the ftp they look normal - no weird characters. but when i grab them through my code, they come back like this. if i rename via ftp and delete what looks in the ftp like a space, and replace with a space, they come back fine

these strange characters are messing with my system!
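An added example, not code from the thread, covering both the directory-ordering post above and this one about odd characters in filenames. It sorts a listing explicitly (folders first, then names without regard to case, which on Linux cannot be left to the filesystem's own order) and flags whitespace characters that are not a plain ASCII space. It assumes the "strange character" is a Unicode space separator such as U+00A0, which looks like a space in an FTP client; the sample listing is constructed.

```python
import unicodedata

# Constructed sample listing as (name, is_directory); not data from the thread.
SAMPLE_ENTRIES = [
    ("track 03.mp3", False),
    ("Bonus\u00a0Disc", True),           # U+00A0 NO-BREAK SPACE where a space was expected
    ("Track 01.mp3", False),
    ("album art", True),
    ("Track\u00a002 live.mp3", False),   # mixes a real space and a no-break space
]


def sort_listing(entries):
    """Folders first, then files, each ordered by name without regard to case.

    The order a Linux filesystem hands back is not guaranteed, so the listing
    is sorted here; casefold() keeps 'album art' ahead of 'Bonus Disc',
    which plain byte-wise ordering would reverse.
    """
    return sorted(entries, key=lambda e: (not e[1], e[0].casefold()))


def odd_spaces(name):
    """Report whitespace characters in a name that are not the ASCII space.

    Returns a list of (position, 'U+XXXX', unicode name). Assumes the strange
    character in the thread is a Unicode space separator such as U+00A0.
    """
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch != " " and (ch.isspace() or unicodedata.category(ch) == "Zs")
    ]


def normalise_spaces(name):
    """Replace every Unicode whitespace or space separator with an ASCII space."""
    return "".join(
        " " if (ch.isspace() or unicodedata.category(ch) == "Zs") else ch
        for ch in name
    )


if __name__ == "__main__":
    for name, is_dir in sort_listing(SAMPLE_ENTRIES):
        problems = odd_spaces(name)
        kind = "DIR " if is_dir else "FILE"
        fixed = repr(normalise_spaces(name)) if problems else ""
        print(kind, repr(name), problems, fixed)
```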