
Aren't you afraid to get Hacked??

Discussion in 'Web Design' started by Foxy999, Feb 23, 2013.

  1. Foxy999

    Foxy999 Newbie

    Joined:
    Dec 30, 2012
    Messages:
    49
    Likes Received:
    4
    BHW,

    I have been viewing the forums for a few months now and I have submitted a few threads to share some information. Now, I want to ask the community a question. I personally work from home managing a few websites / doing PHP security work. I have recently acquired a client who is into SEO and had his server hacked. Skipping forward, I recovered the server (hosting quite a few websites) from the hacking. Then, I was commissioned to review PHP code for vulnerabilities, the PHP code being WordPress plugins for SEO. Over fifty percent of the plugins I looked over were vulnerable to almost every type of PHP exploitation. It was even scarier when I saw code that could be executed via URL, meaning that non-logged-in users could execute the majority of the PHP script. THIS ALSO INCLUDES CODE THAT ISN'T OPEN-SOURCE, E.G. CODE YOU HAVE TO PAY FOR.

    What people need to do to stay safe is to review the PHP web applications / code they are using. One PHP file containing a vulnerability could take down your server - it doesn't matter if you aren't "using" it or if it isn't linked to public access - if it is on your server in a website directory then hackers can access it and exploit it.

    Open-source PHP applications can help you - being free and having support. But they can also lead to your downfall because hackers have access to this code and can review it for vulnerabilities.

    The only way to stay safe is to review your PHP code. You cannot trust small-time software vendors for secure PHP. At least ten vulnerabilities for WordPress plugins are released on a DAILY basis.

    That being said... If you need code reviewed for vulnerabilities please contact me. I can direct you to my personal site that has a list of vulnerabilities I have discovered in high-profile web applications like Roundcube Webmail and OpenCart. My personal website also contains a list of client websites I have serviced. I can also provide a resume, client list, and reference list. And the best news of all... I'm US based :p

    You may think this is a rant for my services. But I hope this gets people to think twice when uploading "any old php" to their server.

    Kindest Regards,
    Foxyy
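    An added example (not code from this thread or from any plugin it names) of the pattern Foxy999 describes: a plugin file that does real work when fetched directly by URL, beside the guarded version WordPress expects plugin authors to write. The plugin name "seo_tool", its option name and its handler are hypothetical.

```php
<?php
// Added example, not code from the thread. The plugin name "seo_tool", the
// option it stores and the handler function are hypothetical.

/* --- BEFORE: reachable by anyone as /wp-content/plugins/seo_tool/save.php --- */
// No ABSPATH guard, no capability check, no nonce. Any visitor who requests the
// file with ?value=... changes the setting, because the file bootstraps WordPress
// itself for an anonymous caller. Shown (commented out) as the weak pattern a
// reviewer looks for; a grep for wp-load.php inside plugin directories finds it.
//
//   if (isset($_GET['value'])) {
//       require_once dirname(__FILE__) . '/../../../wp-load.php';
//       update_option('seo_tool_setting', $_GET['value']);
//   }

/* --- AFTER: same feature, reachable only through WordPress with checks --- */
// 1. Refuse direct requests. WordPress defines ABSPATH before it loads a plugin,
//    so a direct hit on this file exits before doing anything.
if (!defined('ABSPATH')) {
    exit;
}

// 2. Route the action through admin-post.php. Only the authenticated hook is
//    registered (no 'admin_post_nopriv_...' variant), so anonymous requests to
//    this action are rejected by WordPress before the handler runs.
add_action('admin_post_seo_tool_save', 'seo_tool_handle_save');

function seo_tool_handle_save() {
    // 3. Capability check: only administrators may change plugin settings.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 4. Nonce check: rejects forged (CSRF) requests from a logged-in admin's browser.
    check_admin_referer('seo_tool_save');

    // 5. Validate and sanitise input before storing it.
    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    if ($value === '' || strlen($value) > 200) {
        wp_die('Invalid value', '', ['response' => 400]);
    }
    update_option('seo_tool_setting', $value);

    wp_safe_redirect(admin_url('options-general.php?page=seo_tool&updated=1'));
    exit;
}
```

    The form that posts to this handler must include `wp_nonce_field('seo_tool_save')` and a hidden `action=seo_tool_save` field, otherwise the nonce check in step 4 fails by design.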
     
  2. Foxy999

    Foxy999 Newbie

    Joined:
    Dec 30, 2012
    Messages:
    49
    Likes Received:
    4
    BHW,

    I am considering creating a "service" for this, if it doesn't sound like an ad already. Please feel free to post WordPress plug-ins that you would like reviewed FOR FREE. Yes, for free, only because I need some recognition in the community. Here are some plug-ins that I have personally found to be vulnerable:

    - amazon-affiliate-link-localizer 1.8.2
    - comment ninja 0.7
    - covert messenger 1.3
    - google alert and twitter plugin 3.1.5
    - indexing tool 1.7
    - jvzoo ad manager 1.3.1
    - trust jacker 1.83
    - videomate 1.6
    - wordpress multiblog poster 1.0.1
    - primary feedburner 3.1.2

    There are also more posted on my personal website with code examples!! Good luck, and please send me some plug-ins to review!!

    Kindest Regards,
    Foxyy