Collaborate Disseminate
I am using Node.js and express-validator to validate user input server-side. The form I am controlling is simple to validate, by ensuring that constraints are being met such as “isInt” and “isFload”, “isBoolean” etc.
I guess… Continue reading Validating user input in authorization header (node.js express-validator)
We are experimenting with MQTT in our project.
We have a secure connection to our mqtt broker, so mqtt over TLS (or mqtts) and we use a proper signed certificate (not self-signed) from a trusted source.
With some of our c… Continue reading MQTT over TLS – ca certificate on client
We are experimenting with MQTT in our project.
We have a secure connection to our mqtt broker, so mqtt over TLS (or mqtts) and we use a proper signed certificate (not self-signed) from a trusted source.
With some of our c… Continue reading MQTT over TLS – ca certificate on client
Several models of Hughes high-performance broadband satellite modems are potentially vulnerable to several issues if not appropriately configured. Continue reading VU#614751: Hughes satellite modems contain multiple vulnerabilities
Google’s Recaptcha has hostname validation “baked-in”. When a user submits a Recpatcha response, the domain from which the response was acquired is validated against the whitelist of domains you provided when you setup the Re… Continue reading Why bother validating the hostname for a Google Recaptcha response?
Google’s Recaptcha has hostname validation “baked-in”. When a user submits a Recpatcha response, the domain from which the response was acquired is validated against the whitelist of domains you provided when you setup the Re… Continue reading Why bother validating the hostname for a Google Recaptcha response?
Google’s Recaptcha has hostname validation “baked-in”. When a user submits a Recpatcha response, the domain from which the response was acquired is validated against the whitelist of domains you provided when you setup the Re… Continue reading Why bother validating the hostname for a Google Recaptcha response?
I’m working on a website – right now it’s in early stages of testing, not yet launched and just has test data – thank goodness. I have some concerns, perhaps someone can help me out.
First of all, a hacker figured out the pa… Continue reading Hacker used Picture Upload to Get PHP code into my site
I’m working on a website — right now it’s in early stages of testing, not yet launched and just has test data – thank goodness.
First of all, a hacker figured out the password to log onto the websites ‘administration’ pages*. I think they used a key logger on a friend’s computer who logged into the site to give me feedback.
Secondly, they used a picture upload box to upload a PHP file. I have put in strict checking so that only .jpg and .png files are accepted — everything else should have been rejected. Surely there is no way to upload a .jpg file and then change the extension once the file is stored?
Thankfully I also generate new file names when a file is sent to me, so I don’t think they were able to locate the file to execute the code.
I just can’t seem to figure out how the website let a PHP file through. What’s wrong with my security? The validation function code is below:
function ValidateChange_Logo(theForm)
{
var regexp;
if (theForm.FileUpload1.value == "")
{
alert("You have not chosen a new logo file, or your file is not supported.");
theForm.FileUpload1.focus();
return false;
}
var extension = theForm.FileUpload1.value.substr(theForm.FileUpload1.value.lastIndexOf('.'));
if ((extension.toLowerCase() != ".jpg") &&
(extension.toLowerCase() != ".png"))
{
alert("You have not chosen a new logo file, or your file is not supported.");
theForm.FileUpload1.focus();
return false;
}
return true;
}
Once the file gets to the server, I use the following code to retain the extension, and generate a new random name. It is a bit messy, but it works well.
// Process and Retain File Extension
$fileExt = $_FILES[logo][name];
$reversed = strrev($fileExt);
$extension0 = substr($reversed, 0, 1);
$extension1 = substr($reversed, 1, 1);
$extension2 = substr($reversed, 2, 1);
$fileExtension = ".".$extension2.$extension1.$extension0;
$newName = rand(1000000, 9999999) . $fileExtension;
I’ve just tested with a name such as logo.php;.jpg and although the picture cannot be opened by the website, it correctly changed the name to 123456.jpg. As for logo.php/.jpg, Windows doesn’t allow such a file name.
* Protected pages on the website that allow simple functions: like uploading a picture that then becomes a new logo for the website. FTP details are completely different to the password used to log onto the protected pages on the website. As are database and cPanel credentials. I’ve ensured that people can’t even view the folder and file structure of the site. There is literally no way I can think of to rename a .jpg, or .png extension to .php on this site if you don’t have FTP details.
Continue reading Hacker used picture upload to get PHP code into my site
There are few kinds of links which validate something. For example when you create an account on a website, that website sends you an activating-link. You have to check your inbox and click on the email to activate your accou… Continue reading Why should I expire validator links after a while?