Welcome to Icon Solutions
Warning Signs of Web Software
©2010 - MyIconSolutions.com
support@MyIconSolutions.com
Is the source code encrypted?
This is the biggest source of problems. Most non-programmers don't realize how important this is, particularly for web software.
Even if you aren't interested in making program modifications, encrypted source code will prevent you from even hiring someone else to do it. This means, for example, that if you need to make some change to your web site, you will not be able to change the way it functions. Encrypted software is a trap and can really hurt you in the long run.
Are important, private files kept in web space?
This is a very common problem; it's almost universal these days. Even when configuration files are named with a .php extension (usually some variation of config.php), there is still a very real possibility that the web server can become misconfigured and dump out the contents of such files. And yes, we've seen it happen many times!
If this file contains your database settings, look out!
This is such a common problem that we've written an article called "Security, Keeping it Off the Web" to warn people about this issue and provide some tips for dealing with it.
If it's a PHP file (typically configuration), you can often work around this by moving it outside web space and then, in the original file, using require_once('/off/the/web/conf.php');
Are password files kept in web space?
Usually these files are named .htpasswd and they contain, you guessed it, your passwords. This is so common that the default Apache configuration file denies access to them. While this is certainly helpful, such an approach can become a liability during times when the web server software is being updated.
The correct way to handle this is to keep these files away from web space. That way, even if the web server configuration gets mixed up (hey, it happens!), you shouldn't be able to download them.
Does it require web directories to be world writable?
Sometimes this simply can't be avoided. The danger is that on a shared hosting platform, a world-writable directory can be written to by other people on the same host. This means, for example, that someone could potentially place a PHP file containing a trojan in your web space. Then all they have to do is run the script to cause you significant damage. Even on shared hosting platforms, it is your log file that shows the script being run, so the actions will likely be attributed to you.
Needless to say, this is something to avoid whenever possible.
Does it require permission changes on configuration files?
This isn't a terribly serious problem if you are able to change the permissions back to reasonable settings after the installation is complete. The main issue with world-writable configuration files is that on a shared host, other people can "re-write" them with their settings.
Of course, shared hosting is open to other abuse, such as reading these values. Generally speaking, this can't be avoided with such hosts.
If you are installing a PHP script that insists on changing a file to mode 666 or mode 777, please do yourself a favor and remember to change it back after the installation is complete (typically, you can change it back to 644 to be safe).
If possible, you should make sure configuration files containing sensitive information are not stored in web space, for the reasons outlined above (and yes, this is common!).
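The file-system checks above (private files, password files and world-writable paths in web space) can be run over an installed script before it goes live. The following Python script is an added example, not part of the original article; the function name audit_webroot and the file-name patterns are assumptions chosen to match the config.php, conf.php and .htpasswd names mentioned above.

```python
import fnmatch
import os
import stat
import sys

# Assumption: name patterns for the files the checklist calls out
# (config.php variants and .htpasswd). This is a heuristic, so extend as needed.
SENSITIVE_PATTERNS = ["conf*.php", ".htpasswd*"]


def audit_webroot(root):
    """Walk a web root and return sorted (path, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink are not meaningful
            is_dir = stat.S_ISDIR(st.st_mode)
            # Mode 666/777 style permissions: the "other" write bit is set.
            if st.st_mode & stat.S_IWOTH:
                kind = "directory" if is_dir else "file"
                mode = stat.S_IMODE(st.st_mode)
                findings.append((path, "world-writable %s (mode %o)" % (kind, mode)))
            # Settings or password files that would be exposed by a
            # misconfigured web server.
            if not is_dir and any(
                fnmatch.fnmatch(name.lower(), p) for p in SENSITIVE_PATTERNS
            ):
                findings.append((path, "sensitive file stored in web space"))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_webroot.py /path/to/webroot")
    results = audit_webroot(sys.argv[1])
    for path, finding in results:
        print("%s: %s" % (path, finding))
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can be rerun after installation to confirm that permissions were changed back to 644 and that configuration files were moved out of web space.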
Closing thoughts
These are just a few handy things you can spot without poring over the program source code.
Hopefully we've saved you some grief. Of course, for every rule there is an exception; the above checklist isn't written in stone and we've probably missed a few things. However, if any of the above signs are shown in a PHP script you are evaluating, you would do well to investigate it further.
An ounce of prevention may save your website from being hacked later on.

The Author of this article provides an extraordinary recipe for Website Disaster that needs to be recognized. With the increasing number of Website-un-educated-Newbies trying to make a name for themselves; either throwing together a fancy personal site, or attempting to create fancy sites for others. These Tricks of the Trade will help keep hackers with Other Tricks of Their Trade from haunting the Unknowing Newbie. Shared web hosting is prevalent. It would not be a good thing for anybody else to have issues because your site IS UNSECURE! Be careful of what you install.
(The author of this writing is from Genie Gate Software)