[Tips] Writing more secure hacks
by Revan (Norway), 17 Jan 2005
Join Date: Jan 2004. Posts: 1,671.

Started doing my first if...else chain in 2004, and released my first major vBulletin modification in August 2004 with the first version of the RPG Integration Hack.

I decided to write this because I am bored, and because I felt like sharing something that may be useful to people writing modifications to vBulletin code.
Now I realise that some of this may be obvious to you, but I am still young enough to remember myself asking questions that are now common sense to me.
Enough banter, onto the good stuff!
  1. Use vBulletin's globalize() when parsing GET/POST data

    This is useful not only for avoiding SQL injection; it also saves you trouble by running intval() on things that really HAVE to be integers, etc. Every value you read from the request should pass through it with an explicit type, so that nothing reaches a query or a template untyped.


  2. If you find you cannot use globalize(), use its functions anyway

    For instance, I have an array consisting of arrays: an array of items, each of which contains an array of values. All of this needs to be updated in the SQL.
    Trying to use "=> INT", "=> STR" or anything else on the whole array results in errors.
    You have to use a blank datatype (i.e. no "=>").
    It is then advised that, when building the SQL query, you run on every element the functions globalize() would normally run: intval() on each integer and addslashes() on each string, so that no value goes into the query uncleaned.
    globalize() is located in the file /includes/functions.php (Thanks deathemperor )


  3. When running globalize(), use "=> STR_NOHTML" if HTML is not needed.

    Not much to comment on here. Any value that the script later echoes back into a page is a script-injection (XSS) risk if it may still contain HTML, so strip it unless the field genuinely needs markup. The nastiest case is a /modcp/ or admin file, where a moderator with an urge to run some JavaScript he shouldn't (or anyone who can get such a value displayed to an administrator) ends up with a privileged user's session. :ermm:


  4. Always match up GET/POST values against stored values

    For instance, if you have a Shop mod, do not update the user's cash based on a cost sent with the request. Look the item's cost up in the database, and check it against the amount of cash the user actually has before debiting. That extra check against the stored balance is what prevents users from going into negative amounts.
    Now you may think "but he *will* go into negative amounts so he *will* have to pay". True as that may be, if they exploited it once, do you think they will go "Ok, I got my item. I must now go pay the cost and never exploit this again"?
    Neeeh...


  5. Do not think POST is safe

    Even if you use POST to prevent the above exploit, it will only fool the most basic of users.
    Not only is it easy to make a script accept GET values simply by requesting something like "script.php?select=name&cash=1000" (any value an attacker can put in a form field he can just as easily put in a URL or in a hand-made POST request), but the Firefox browser even has an extension called "Web Developer", which converts POST to GET and vice versa with one click.


  6. Never ever directly use variables containing strings in SQL queries.

    addslashes() is your friend. If you're completely unable to do any of the above, at least run this.
    Keep in mind that addslashes() only escapes quotes, backslashes and NUL and knows nothing about the connection's character set; where the database layer offers a real escaping function (mysql_real_escape_string() on the open connection, or better still a prepared statement with bound parameters), use that instead of pasting strings into the query.
    (Thanks KirbyDE )


  7. Never ever assume an integer, especially one that comes from an input, is actually an integer.

    intval() is also your friend. Run it on every id, count or amount before the value goes into a query; an integer that has been through intval() needs no quoting or escaping at all.
    (Thanks sabret00the )


  8. Ready to leave vB's safe haven?

    Security Notes (http://forums.devshed.com/t20525/s.html). This is a great piece of reading that thoroughly explains all the advice given here, and it doesn't assume we are all developers of PHP itself.
    (Thanks Guy G )


(This is possibly incomplete. I cannot think of anything more at the time of writing. Feel free to comment on things to add! )
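Tips 1, 2, 3, 6 and 7 in working code. This is an added example, not vBulletin's globalize() and not code from the RPG Integration Hack: the constants T_INT/T_STR/T_STR_NOHTML, the clean_gpc() and clean_value() helpers, the rpg_items table and the $post array are all invented here to show the technique, and $post stands in for $_POST. It cleans a flat request with declared types the way globalize() does, then handles the "array of arrays" case from tip 2 by cleaning every leaf by hand before the query is built.

```php
<?php
// Added example (not vBulletin's own code).  A small globalize()-style
// cleaner with three types (INT, STR, STR_NOHTML), plus the nested-array
// case from tip 2 where each element is cleaned explicitly before it
// reaches the query.  $post is a constructed stand-in for $_POST and the
// table/column names are invented for the demo.

const T_INT = 1;
const T_STR = 2;
const T_STR_NOHTML = 3;

// Clean one scalar according to its declared type.
function clean_value($value, $type)
{
    switch ($type) {
        case T_INT:
            // "7 OR 1=1", "12.99", "" and "1e3" all collapse to a plain int.
            return intval($value);
        case T_STR_NOHTML:
            // ENT_COMPAT leaves the single quote alone so that the SQL
            // escaping step below still sees (and escapes) it.
            return htmlspecialchars(trim((string) $value), ENT_COMPAT, 'UTF-8');
        case T_STR:
        default:
            return trim((string) $value);
    }
}

// globalize()-style: pull only the listed keys out of $source, typed.
// Keys missing from the request get a safe default instead of a notice,
// and keys not listed are simply not imported.
function clean_gpc(array $source, array $spec)
{
    $out = array();
    foreach ($spec as $name => $type) {
        $raw = isset($source[$name]) ? $source[$name] : ($type === T_INT ? 0 : '');
        $out[$name] = clean_value($raw, $type);
    }
    return $out;
}

// Tip 2: an array of items, each an array of values, to be written to SQL.
// Every leaf (including the array *keys*, which also come from the client)
// is cleaned and the query is built from the cleaned copy only.
// addslashes() is what the post recommends; with a live connection prefer
// mysqli_real_escape_string() or a prepared statement, since addslashes()
// is not charset-aware.
function build_item_updates(array $items)
{
    $queries = array();
    foreach ($items as $itemid => $fields) {
        $itemid = intval($itemid);
        $name   = addslashes(clean_value(isset($fields['name']) ? $fields['name'] : '', T_STR_NOHTML));
        $price  = intval(isset($fields['price']) ? $fields['price'] : 0);
        $stock  = intval(isset($fields['stock']) ? $fields['stock'] : 0);
        $queries[] = "UPDATE rpg_items SET name = '$name', price = $price, stock = $stock WHERE itemid = $itemid";
    }
    return $queries;
}

// --- constructed request, with the kind of values an attacker sends ---
$post = array(
    'itemid' => '7 OR 1=1',
    'title'  => '<script>alert(1)</script>Sword',
    'secret' => 'not in the spec, so never imported',
    'item'   => array(
        '3 UNION SELECT password FROM user' => array(
            'name'  => "O'Brien's <b>Axe</b>",
            'price' => '12.99',
            'stock' => '5',
        ),
    ),
);

$vars = clean_gpc($post, array('itemid' => T_INT, 'title' => T_STR_NOHTML));
var_dump($vars);

foreach (build_item_updates($post['item']) as $sql) {
    echo $sql, "\n";
}
```

Run it and compare the dumped $vars and the printed UPDATE against the $post array: the injected SQL fragments are reduced to their leading integers, the script tag in the title is turned into entities, the unlisted key never appears, and the apostrophes in the item name reach the query escaped. The same two helpers are what you call by hand, per element, whenever globalize() cannot be pointed at the structure you have.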

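Tips 4 and 5 in working code, as an added example that is not part of the original post or of the RPG Integration Hack. It compares a shop purchase that trusts the cost sent with the request with one that looks the cost up, checks the stored balance, and does the check and the debit in one statement. The user, item and inventory tables, the column names and the sample balances are all invented for the demo, and an in-memory SQLite database (PDO) stands in for vBulletin's MySQL layer so the script runs stand-alone. Note that the hardened function does not care whether the request array came from $_GET or $_POST.

```php
<?php
// Added example (not from the original post).  Tip 4: trust the client
// only for *which* item it wants; take the cost from the item table and let
// the database check the balance in the same statement that debits it.
// Tip 5: the request array is treated identically whether it came from
// GET or POST.  SQLite in memory is used so this runs without a server;
// all table and column names are made up for the demo.

function make_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (userid INTEGER PRIMARY KEY, cash INTEGER NOT NULL)');
    $db->exec('CREATE TABLE item (itemid INTEGER PRIMARY KEY, name TEXT, cost INTEGER NOT NULL)');
    $db->exec('CREATE TABLE inventory (userid INTEGER, itemid INTEGER)');
    $db->exec('INSERT INTO user VALUES (1, 500)');
    $db->exec("INSERT INTO item VALUES (10, 'Potion', 100), (11, 'Dragon', 9000)");
    return $db;
}

// The version the post warns about: cost comes straight from the request,
// so "cost=0" (sent via GET, POST or a hand-made request) buys anything,
// and a negative cost is a free cash machine.
function buy_insecure(PDO $db, $userid, array $request)
{
    $db->exec("UPDATE user SET cash = cash - {$request['cost']} WHERE userid = $userid");
    $db->exec("INSERT INTO inventory VALUES ($userid, {$request['itemid']})");
    return true;
}

// Hardened version.  Returns true on a completed purchase, false otherwise.
function buy_secure(PDO $db, $userid, array $request)
{
    $userid = intval($userid);
    $itemid = intval(isset($request['itemid']) ? $request['itemid'] : 0);

    // Tip 4: the cost is looked up, never read from the request.
    $stmt = $db->prepare('SELECT cost FROM item WHERE itemid = ?');
    $stmt->execute(array($itemid));
    $cost = $stmt->fetchColumn();
    if ($cost === false) {
        return false;                       // no such item
    }

    $db->beginTransaction();
    // Debit only if the *stored* balance covers the *stored* cost.  Doing the
    // comparison inside the UPDATE means two simultaneous purchases cannot
    // both pass a separate "SELECT cash" check and drive the balance negative.
    $stmt = $db->prepare('UPDATE user SET cash = cash - ? WHERE userid = ? AND cash >= ?');
    $stmt->execute(array($cost, $userid, $cost));
    if ($stmt->rowCount() !== 1) {
        $db->rollBack();
        return false;                       // not enough cash (or no such user)
    }
    $stmt = $db->prepare('INSERT INTO inventory (userid, itemid) VALUES (?, ?)');
    $stmt->execute(array($userid, $itemid));
    $db->commit();
    return true;
}

function cash_of(PDO $db, $userid)
{
    $stmt = $db->prepare('SELECT cash FROM user WHERE userid = ?');
    $stmt->execute(array(intval($userid)));
    return (int) $stmt->fetchColumn();
}

// --- constructed requests; the same arrays could have come from $_GET or $_POST ---
$db = make_db();
buy_insecure($db, 1, array('itemid' => 11, 'cost' => '0'));
echo "insecure: cash after 'buying' the dragon = ", cash_of($db, 1), "\n";

$db = make_db();
var_dump(buy_secure($db, 1, array('itemid' => 11, 'cost' => '0')));   // client-sent cost is ignored
var_dump(buy_secure($db, 1, array('itemid' => 10)));
var_dump(buy_secure($db, 1, array('itemid' => '10 OR 1=1')));
var_dump(buy_secure($db, 1, array('itemid' => 10)));
echo "secure: cash = ", cash_of($db, 1), "\n";
```

In the insecure run the dragon is "bought" with the balance untouched. In the secure run the dragon is refused regardless of the cost parameter, the potion purchases succeed only while the stored balance covers the stored cost, and the injected itemid is reduced to a plain integer by intval() before it is ever bound. The conditional UPDATE plus rowCount() check is the part to copy: it is the one place where the stored balance and the stored cost meet, and it holds even when two requests arrive at once.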
Last edited by Revan; 19 Jan 2005 at 20:41..
Comments
#2 Andreas (Join Date: Jan 2004), 17 Jan 2005, 09:32
6. Never ever directly use variables containing strings in SQL queries. Always use addslashes().
#3 sabret00the (Join Date: Jan 2003), 17 Jan 2005, 10:16
7. Run integers through
[code block not shown: visible to licensed members only]
before you echo them out into the query.
#4 deathemperor (Join Date: Jul 2003), 17 Jan 2005, 13:33
globalize() is in functions.php I believe; it stores all global functions. If a function was written for newpost then it should be in functions_newpost.php or similar.

nice tips Revan.
#5 Guy G (Join Date: Nov 2004), 17 Jan 2005, 19:31
Here is another excellent one about the security of your scripts (PHP in general):
http://forums.devshed.com/t20525/s.html
#6 Revan (Join Date: Jan 2004), 19 Jan 2005, 20:41
Originally Posted by KirbyDE
6. Never ever directly use variables containing strings in SQL queries. Always use addslashes().
Added, thanks

Originally Posted by sabret00the
7. Run integers through
[code block not shown: visible to licensed members only]
before you echo them out into the query.
Same as above

Originally Posted by deathemperor
globalize() is in functions.php I believe; it stores all global functions. If a function was written for newpost then it should be in functions_newpost.php or similar.

nice tips Revan.
Again...

Originally Posted by Guy G
Here is another excellent one about the security of your scripts (PHP in general):
http://forums.devshed.com/t20525/s.html
And for the last time in this post: Thanks
XD


//peace