Cross-site Scripting Attacks

Posted At : 08 August 2008 16:11 | Posted By : Brian Horisk
Related Categories: Security

A number of our sites have come under cross-site scripting attacks in the last few days. From reading other blogs this seems to be a pretty widespread wave of automated attacks, not specifically targeted at any of our sites.

Cross-site scripting is a technique used to either compromise the databases that lie behind many modern websites or trick the website into displaying some malicious code. These attacks are pretty easy to carry out, as they only require changing some parts of the URL that visitors use to access your site.

The URL is often used to pass parameters which carry information between parts of the site - for example in a Content Management System, the url might carry a parameter like 'articleid' to indicate the page to be displayed e.g.

www.mycms.com/showpage.cfm?articleid=12367

Because the URL can be so easily changed, web developers need to validate all the data that comes from the URL to make sure it is what they expect before they start using it. In this case, to confirm that 'articleid' is a number - unfortunately this can sometimes be overlooked in the heat of development.

An attacker could alter this URL parameter to include an additional database command or link to a potentially dodgy site, e.g.

www.mycms.com/showpage.cfm?articleid=12367';DELETE FROM articles;

If the articleid parameter is not just a number, we can assume that someone is fiddling with the URL and take appropriate action.

Fortunately we develop our sites using industry standard security techniques so none of our websites seems to have been penetrated, but if you have a site developed elsewhere, it may be worth checking with your developers that they are aware of the issue and have taken appropriate steps.

This series of attacks was a good reminder to us though to go back and re-confirm that our code wasn't vulnerable - and also confirmed to us that the time spent securing sites is never time wasted.

Comments (0) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 226 Views

Making folders writable for PHP when using a Windows IIs server

Posted At : 16 April 2008 20:37 | Posted By : Brian Horisk
Related Categories: Wordpress,Plesk

Many people come across problems using content management systems like Wordpress and Joomla on Windows Servers. One of the problems is folder permissions when you try to upload images or other content.

There are thousands of tutorials out there on how to fix this on Linux servers - chmod the properties of the folder to '777' - but what can you do when you are using a Windows server running IIs?

The error message I was getting in Wordpress was:

Unable to create directory C:\Inetpub\vhosts\mydomain.com\httpdocs/wp-content/uploads/2008/04. Is its parent directory writable by the server?

You may get a similar message from Mambo, Joomla or other content management systems.

In the case of Wordpress, the wp-content folder needs to be writable to IIs - or more specifically the internet user on your server. So how do you do this on Windows? Like all these things, its only easy when you know how.

Assuming you have access to the server e.g. by remote desktop:

  1. Navigate to the wp-content directory. This will most likely be in inetpub/wwwroot/yourdomain or a similar folder in the main web root.
  2. Right-click on the folder, select Properties, and then the 'Security' tab.
  3. This will show a list of the users with rights on your machine. You need to determine which one is used by the IIs process to serve web pages - usually the name in brackets after the username will be prefixed IUSR. In our case, as we are running Plesk to manage our server, the username is Plesk IIS User (ServerName/IUSR_mydomain)

    4. Folder Permissions for IIs user
  4. The only permissions set for this user will probably be the 'List Folder Contents'. You need to add the 'Write' permission, by clicking that box.
  5. Click 'Apply'.
  6. You're done (hopefully).

If you have the Plesk Control Panel, you can set these permissions directly in Plesk without having to remote desktop to the server:

  1. Click Domains, then the relevant domain, then File Manager. Navigate through the folders so you can see the appropriate directory name

  2. Click on the yellow padlock icon ('Change Permissions for Directory')
    3. Padlock

  3. Again choose the appropriate IIs user (the one with IUSR_ in the name)
  4. Click the 'Write' option
  5. Click OK.
    6. Permissions

Please let me know if you found this useful.

Comments (0) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 493 Views

URL issues running Wordpress with Plesk SitePreview

Posted At : 16 April 2008 19:57 | Posted By : Brian Horisk
Related Categories: Wordpress,Plesk

If you are having trouble setting up a Wordpress installation with Plesk's Sitepreview, the following may help (and may also apply to other systems that give you a temporary URL to test sites before they go live).

Plesk is a piece of software which provides a straightforward front-end to manage a webserver, and is used by many ISPs to allow customers to manage their own servers. SitePreview is a function of the Plesk control panel which allows you to view a site via a temporary URL before it goes live. This way you and your clients can view and tweak the site before you release it to the wild by putting it on a published URL.

The normal URL format which Plesk uses for SitePreview is of the form:

http://xxx.xxx.xxx.xxx/$sitepreview/mydomain.com/

where xxx.xxx.xxx.xxx is the IP address of the server, and mydomain.com is the name of the site in Plesk (and the ultimate permanent URL).

The problem with viewing a Wordpress site at a SitePreview URL is that Wordpress strips out the $ (dollar) sign, and other special characters, from URLs. This is normally sensible behaviour as the dollar sign would normally not appear in URLs, but it breaks SitePreview, as it begins to return URLs like

http://xxx.xxx.xxx.xxx/sitepreview/mydomain.com/

(note no $ sign), which will give you a 404 Page Not Found error.

The first place I noticed this was when saving the main settings page.

When you save this page, Wordpress strips out the $ from the two URL fields. I haven't looked for the code which does this, but it is easily fixed by using PHPMyAdmin to edit the wp_options table in your Wordpress database (the wp_ may be something else depending on the table prefix you set for your tables in the wp-config.php file). The two records in this table which you have to correct are the ones where - option_name = 'home' - option_name = 'siteurl'

The second place you may have a problem is when using the admin screens. When Wordpress creates the URLs for the javascript files which are required for the 'Visual' mode of the page editor to work, it again strips out those dollar characters.

This issue can be resolved by editing the function clean_url, currently found in wp-includes/formatting.php

Early on in this function is the line:

$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@()]|i', '', $url);

Just change this to:

$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@()$]|i', '', $url);

i.e. add the $ sign just before the closing square bracket - the characters enclosed in this set of brackets will not be replaced in URLs.

This may have other implications I haven't discovered yet, so I would advise this as a temporary fix which should be removed when your site goes live.

If you discover any other issues or solutions with using Wordpress and Plesk's SitePreview, please leave a comment below.

Comments (0) | Print | Send | del.icio.us | Digg It! | Linking Blogs | 457 Views
BlogCFC was created by Raymond Camden. This blog is running version 5.9.002. Contact Blog Owner