php - How to prevent <meta http-equiv="refresh"> attacks?
This question already has an answer here: What's the best method for sanitizing user input with PHP? (13 answers)
I think hackers (or script kiddies) attacked my website using leaks in the website's codebase. Posts in the database were changed to contain this HTML:
<meta http-equiv="refresh" content="0;url=http://example.com"/>
But I can't rewrite the scheme now. What strategies would prevent this situation from happening in the future?
I'm thinking of migrating the admin script to a subdomain that only allows access from certain domains. Or using mod_security with SecFilterScanPOST, scanning POST requests for content containing http-equiv etc. Or allowing POST requests only on the server? Or all of them?
Thank you.
The first step may be investigating how the code was injected, which may help identify the root cause:
If the web site's contents are in a database and the injected tag is retrieved as part of the database content, the site has an SQL injection flaw or other vulnerabilities that allow attackers to alter the content there.
If the tag is in every PHP file, it means the attacker has access to the file system. Either he has access via FTP or telnet or other admin consoles, or the web site has vulnerabilities that allow attackers to modify/create files on the web site.
It may also be possible that the server itself has vulnerabilities that allow attackers such access.
After you have identified the root cause, prepare accordingly =)
Here is some generic advice to help prevent the same thing happening again:
Review the web site and server for vulnerabilities, either through code review, pen test or automatic scans, and fix them accordingly.
Install updates, hotfixes and security patches promptly. Stay updated, updated, updated, updated...
Assign proper folder permissions (read-write, read-only, no access) on the file system and grant only the necessary rights to users (the principle of least privilege).
For example, you may consider making the web content folder only readable by the web server user, except for upload folders. Configuration files don't need to be writable by the web server user; make them writable by the administrator only. Be careful not to allow the content of such files to be accessible via the web server (i.e. via an http:// URL of the web server). Putting them outside the web content root directory is a nice idea. Putting the upload folders outside the web content root directory is a nice idea too. Mind the owner of the files too, because owners can freely alter the permissions of a file.
Be cautious when using 3rd-party components (e.g. WordPress/Joomla plugins). Use them only if you trust the publisher, and download them from the main site. Remember to keep them up to date too. Disable and remove them if necessary.
Restrict access to administrative consoles and services such as FTP, telnet, database administration consoles (e.g. phpMyAdmin), etc. Assign strong passwords to them. It is best not to allow anything except authorized access (e.g. using IP restrictions set in the firewall or in the configuration, or hiding them behind a VPN).
Actually you should avoid clear-text protocols whenever passwords (especially the administrator's) are transmitted. There are encrypted alternatives to them, e.g. telnet -> SSH, FTP -> SFTP/FTPS, HTTP -> HTTPS. The database port should not be accessible from the internet; there are only rare scenarios that need this. Configure it to listen on the loop-back interface in that case.
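As an added example (not part of the question or the answer above), a PHP triage sweep and a store-time sanitizer for post HTML that use DOMDocument instead of matching the string http-equiv, so case variants and reordered attributes are still caught. The tag and attribute whitelists are assumptions; adjust them to what posts on the site legitimately need.

```php
<?php
// Added example, not code from the question or answer: handle stored post HTML with a DOM
// parser rather than a string match. Needs ext-dom (ships with PHP). Whitelists are assumptions.
const ALLOWED_TAGS  = ['p', 'br', 'a', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'blockquote', 'code', 'pre'];
const ALLOWED_ATTRS = ['a' => ['href']];

function loadFragment(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // stored posts are often malformed HTML
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    return [$doc, $doc->getElementById('root')];
}
// Triage: redirect targets of every <meta http-equiv="refresh"> in a post, so a sweep
// over the posts table lists each row that was altered.
function findMetaRefresh(string $html): array
{
    [$doc] = loadFragment($html);
    $targets = [];
    foreach ($doc->getElementsByTagName('meta') as $meta) {
        if (strcasecmp(trim($meta->getAttribute('http-equiv')), 'refresh') !== 0) { continue; }
        $content = $meta->getAttribute('content');   // "<delay>;url=<target>", quotes optional
        $targets[] = preg_match('/url\s*=\s*[\'"]?([^\'"\s>]+)/i', $content, $m) ? $m[1] : $content;
    }
    return $targets;
}
// Prevention: keep only whitelisted tags/attributes before a post is stored; meta, script,
// style, iframe and on* handlers are dropped together with their contents.
function sanitizePostHtml(string $html): string
{
    [$doc, $root] = loadFragment($html);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
function cleanNode(DOMNode $node): void
{
    // Snapshot the list: removing from a live NodeList while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) { continue; }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) { $node->removeChild($child); continue; }
        foreach (iterator_to_array($child->attributes) as $attr) {
            if (!in_array($attr->name, ALLOWED_ATTRS[$tag] ?? [], true)
                || preg_match('/^\s*javascript:/i', $attr->value)) { $child->removeAttribute($attr->name); }
        }
        cleanNode($child);
    }
}
```

Run findMetaRefresh over every row of the posts table to list what was altered, and call sanitizePostHtml on the admin side before the INSERT/UPDATE. Neither replaces fixing the injection path the answer describes; the sanitizer only limits what an attacker can plant once they are in.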