Achievo Community

ATK Development Questions :: RE: Injection Attack

Author: boy
Posted: Sat Nov 22, 2008 1:10 am (GMT 2)
Topic Replies: 17

Hi cbc,

1. I think you don't really understand the problem.

Say your host employs the following structure:

/home/cbc/www/
/home/someguy/www/
/home/someothercustomer/www/

Now either the someguy account gets hacked or someguy is 'evil', anyway, a script gets uploaded:

/home/someguy/www/findwriteablefiles.php

This script then looks in /home/ and because the administrator forgot to not make /home/ readable for every user, he gets a list with all the accounts on that system (or through some other way), then the script checks out all the subdirectories of every user and looks for (php/html) files it can write to.

Then it writes it's evil code.

Now note that even if you had the code /home/cbc/mycode/ someguy would still have been able to write to it, because atktmp needs to be writable to the httpd user and someguys scripts run as the httpd user.

That's what I suspect happened.

Although narrowing down the attack surface by moving non-browesable code outside the www root is definitely a good thing.

2. Like stevie said... ATK has been around a while, at the start of PHP3 I believe. When everybody just did everything in the webroot.
It's tough to change that now.
Although I believe it can be done, especially for custom ATK applications with what I mentioned in the previous reply.

3. Good luck. Hope you have a good host.

4. Please do.
_________________
The most likely way for the world to be destroyed, most experts agree, is by accident.
That's where we come in; we're computer professionals.
We cause accidents.
- Nathaniel Borenstein

ATK Development Questions :: RE: blocking list atribute already filled - sending mail

Author: ralphy
Posted: Sat Nov 22, 2008 12:01 am (GMT 2)
Topic Replies: 10

Bert,

after reading the value in Debug Statement:

Code:

"Invoking 'editPage' on actionhandler for action edit"
)
@C:\Program Files\Zend\Apache2\htdocs\recette\atk\handlers\class.atkedithandler.inc, line 79
atkActionHandler->invoke
(
"editPage",
array(id=49, commenta=xxxxxxxxxxxx, =, cod_cli=Array, type_contact=MAIL , atkprimkey=commentaire_com.id='49'),
false
)

Type_contact value if filled (MAIL) but only the id field has quotes.
Just after updating, field is Null :

Code:

["type_contact"]=>
string(0) ""

Code:

Debug Statement
[+0.54661s / 0.05343s / 11.34MB] atkoci9db:query(): UPDATE commentaire_com SET commenta='xxxxxxxxxxxx jjjjj',type_contact=NULL WHERE commentaire_com.id='49'
Backtrace

Code:

atkNode->updateDb
(
array(id=49, commenta=xxxxxxxxxxxx jjjjj, =, cod_cli=Array, type_contact=, atkprimkey=commentaire_com.id='49', __executedpreUpdate=1)
)

hope it helps to understand

ATK Development Questions :: RE: Injection Attack

Author: cbc
Subject: Moving atktmp outside website root
Posted: Fri Nov 21, 2008 11:28 pm (GMT 2)
Topic Replies: 17

Hi All!

1. My understanding -- please correct me if I'm wrong -- is that moving files outside the website root would prevent their being accessed via HTTP, but would not prevent their being written to if permissions were not set properly. In the case of the event that started this thread, permissions on atktmp were 775 recursively, owner me, group httpd.

2. Nevertheless, when setting up ATK I was a little surprised that the libraries are in web-accessible locations by default. Can these and atktmp be located outside the root? Haven't tried it. May not help, but it can't hurt. Jorge is right, it seems to me.

3. I am in a dialogue with my host at present, following up on Boy's suggestion. Not getting much help though.

4. If I find anything out from the host, or figure out how these files were written to, I will certainly post it here.

THANKS!

ATK Development Questions :: RE: MYSQL Table relationships and dependence

Author: muaz
Posted: Fri Nov 21, 2008 11:13 pm (GMT 2)
Topic Replies: 6

The descriptor_def() in my city node is:

Code:

function descriptor_def() {
return "[post_code] [name]";
}

[/code]

I commented out the all the setDescriptorTemplate() functions but there is no difference.

Also since we are talking about the descriptor_def() function, I have an attribute

Code:

$this->add ( new atkDateAttribute ( "start_date", AF_OBLIGATORY ) );

and whenever I call it through

Code:

function descriptor_def() {
return "[start_date] - [end_date]";
}

I get an "array" and not the value of the date. Is there any special way to call date attributes?

Thanks

ATK Development Questions :: RE: blocking list atribute already filled - sending mail

Author: BERT
Posted: Fri Nov 21, 2008 10:59 pm (GMT 2)
Topic Replies: 10

Ralph,

I'm not sure at this point. Have you turned on debug and looked (atk_var_dump) at the record values after you read them (in the editPage function ) and also on the preUpdate function? If so is type_contact set in the record variable?

ATK Development Questions :: RE: MYSQL Table relationships and dependence

Author: BERT
Posted: Fri Nov 21, 2008 10:47 pm (GMT 2)
Topic Replies: 6

1st off you don't need to setDescriptorTemplate if the descriptor_def is set as what you want to display. In my example I wanted a more specific value ([Name]) instead of the one I had set in my node.

What is the descriptor_def in your City Node? Is it already 'Name' if not try setting it to that.

ATK Development Questions :: RE: Injection Attack

Author: boy
Posted: Fri Nov 21, 2008 10:20 pm (GMT 2)
Topic Replies: 17

Rik, ATK has some support for that too: Achievo Forum: atk library outside public folder?

I would always welcome people to try that for their applications and see how/if that works.
_________________
The most likely way for the world to be destroyed, most experts agree, is by accident.
That's where we come in; we're computer professionals.
We cause accidents.
- Nathaniel Borenstein

ATK Development Questions :: RE: OneToOne Relations in a Tabbed Pane

Author: snapple42
Subject: One to Many works...
Posted: Fri Nov 21, 2008 9:54 pm (GMT 2)
Topic Replies: 3

I tried a One To Many relation in the pane, and it came up fine....

Also, I've tried putting the OneToOne relations in a regular tab, and that does work.

ATK Development Questions :: RE: Injection Attack

Author: stevie
Posted: Fri Nov 21, 2008 9:47 pm (GMT 2)
Topic Replies: 17

Quote:

But, it is a trend to move all 'non-browsable' files out of the public directory.

...would guess its a paradigm since PHP 3, which unfortunately was not noticed early enough by many famous php projects like ATK, Joomla and others. So it offen needs a hint mentioned above

or such lines like this:

Code:

if(basename ($_SERVER['SCRIPT_NAME']) == basename (__FILE__)) {
die ("no direct access allowed");
}

...or...

Code:

// Check to ensure this file is included in Joomla!
defined('_JEXEC') or die( 'Restricted access' );

_________________
Impresario, Web Developer since 1782, CTO for personal freedom

ATK Development Questions :: RE: Injection Attack

Author: Rik
Posted: Fri Nov 21, 2008 9:32 pm (GMT 2)
Topic Replies: 17

Hi Jorge,

Your solution won't help the problem described by cdc. This most probably happened because of wrongly set permissions. No matter where you would put the atktmp directory, this still would be possible.

But, it is a trend to move all 'non-browsable' files out of the public directory.

Cheers!
_________________
Actiview
Full-service internet agency
http://www.actiview.nl

ATK Development Questions :: RE: Injection Attack

Author: stevie
Posted: Fri Nov 21, 2008 9:15 pm (GMT 2)
Topic Replies: 17

Directory hint not to forget:

Code:

option indexes

<Directory "/srv/www/web9/html/">
<FilesMatch "(.(cnt|inc|tpl|h|sql|ini|conf|class|bin|exe|lng|sh|pl)$)|(.*~$)">
Order deny,allow
deny from all
</FilesMatch>
</Directory>

_________________
Impresario, Web Developer since 1782, CTO for personal freedom

ATK Development Questions :: RE: Injection Attack

Author: jgarifuna
Posted: Fri Nov 21, 2008 8:38 pm (GMT 2)
Topic Replies: 17

I find this very concerning, specially as I'm continuing to rollout more ATK sites with public interaction.

I wonder if those files cached on atktmp could be moved to a none-web location on the server. So as long as the reference to the atktmp folder is noted on the config file, any script that uses it should not have a problem getting to the correct cache.

I see this approach being used by web-apps that allow users to upload secure files from a web form.

To put this within context, assuming the following directory structure:

/home/my_account/public_html/atk_installation/atktmp

move atktmp so it recides on:

/home/my_account/atktmp

Whether this is the host's issue or not, I think we (ATK developers) need to provide reasonable solutions to address it so ATK wont take the bad reputation of being insecure.

If there is anything to learn from history, what can deduced is that at the end of the day, people will point fingers at the technology being used and not the offender. Microsoft and to a certain extent PHP itself continue to suffer from this dilemma.
_________________
Jorge Garifuna
Professional Web Developer
Garinet Global Inc.
http://www.GariDigital.com

ATK Development Questions :: RE: MYSQL Table relationships and dependence

Author: muaz
Posted: Fri Nov 21, 2008 7:41 pm (GMT 2)
Topic Replies: 6

Hello BERT,

Thanks for the reply. Ok, I have implemented the relationships as in the code. the code is in the member node.

Code:

$attr = &$this->getAttribute ( "address_id" );
   $attr->setDescriptorTemplate ( "[address]" ); //set to only show address field. address is the name of the field in the address table
   $address_node = &$attr->getDestination (); //get node of address_id

   $address_attr = &$address_node->getAttribute ( "city_id" );
   $address_attr->setDescriptorTemplate ( "[name]" );
   $city_node = &$address_attr->getDestination (); //get node of city_id

   $city_attr = &$city_node->getAttribute ( "canton_id" );
   $city_attr->setDescriptorTemplate ( "[name]" );
   $canton_node = &$city_attr->getDestination (); //get node of canton_id

   $canton_attr = &$canton_node->getAttribute ( "country_id" );
   $canton_attr->setDescriptorTemplate ( "[name]" );

   $attr->addListColumn ( "city_id" ); // add city_id to DivDept listcolumn
   $address_attr->addListColumn ( "canton_id" ); // add canton_id to DivDept listcolumn
   $city_attr->addListColumn ( "country_id" ); // add country_id to DivDept listcolumn

There are five tables:

Code:

CREATE TABLE Member(
`memberid` int(10) unsigned NOT NULL auto_increment,
`title` VARCHAR(50) NOT NULL,
`firstname` VARCHAR(50) NOT NULL,
`lastname` VARCHAR(50) NOT NULL,
`company_id` int(10) unsigned NULL,
`address_id` int(10) unsigned NULL,
PRIMARY KEY (`memberid`)
)TYPE=InnoDB;

CREATE TABLE Address(
`addressid` int(10) unsigned NOT NULL auto_increment,
`address` VARCHAR(200) NOT NULL,
`city_id` int(10) unsigned NOT NULL,
PRIMARY KEY (`addressid`)
)TYPE=InnoDB;

CREATE TABLE City(
`post_code` int(10) UNSIGNED NOT NULL,
`name` VARCHAR(50) NOT NULL,
`canton_id` int(10) UNSIGNED NOT NULL,
PRIMARY KEY (`post_code`)
) TYPE=InnoDB;

CREATE TABLE Canton(
`cantonid` int(10) unsigned NOT NULL auto_increment,
`name` VARCHAR(50) NOT NULL,
`country_id` int(10) unsigned NOT NULL,
PRIMARY KEY (`cantonid`)
)TYPE=InnoDB;

CREATE TABLE Country(
`countryid` int(10) unsigned NOT NULL auto_increment,
`name` VARCHAR(50) NOT NULL,
PRIMARY KEY (`countryid`)
)TYPE=InnoDB;

This time there is no error. However, when I add a new member and visit the view page, I only see the address. I do not see the city, canton and country values.

Thanks for the help

ATK Development Questions :: RE: Injection Attack

Author: stevie
Subject: Yes, I think so too...
Posted: Fri Nov 21, 2008 6:50 pm (GMT 2)
Topic Replies: 17

Yes, I think so too... that boy is right in this case.

My suggestions are made for more security related to
attempts over the front side over all. I was wondering how mutch happens when I first start with modsec .
For example the rate of blind scannings of IPs for injectable/vulnerable
applications/scripts encreased enormously in the last few years.
Therefore the german ministry of it-security advices to use a WAF
on every non-private site.

c u st.
_________________
Impresario, Web Developer since 1782, CTO for personal freedom

ATK Development Questions :: RE: Injection Attack

Author: cbc
Subject: Thanks for suggestions
Posted: Fri Nov 21, 2008 6:41 pm (GMT 2)
Topic Replies: 17

Boy and Stevie:

THANKS for your thoughts and suggestions. I believe Boy is probably correct since this is not a public application -- it requires login -- and I assume the code could not have been injected through the login form. I suppose the perp could have come in some other way, still via HTTP, or used stolen login credentials, but Occam's Razor says "no" (at this point). I will pursue Boy's suggestions on the hosting side and move to a new home if I don't get answers I like.

Stevie: Thanks for your great suggestions -- I am going to take a look at ModSecurity, Suhosin, and PHPIDS -- perhaps not for this site, but I have other sites where (one of) these might come in handy.

I don't know about anyone else, but from what I see these injection attacks are becoming more and more common -- and it's not just script kiddies rattling the locks either. A few more tools in the kit are MOST WELCOME.

Thanks again!

-C