Website Application Security
Posted by Helpdesk Admin on 20 April 2011 02:20 PM
Third Party Applications
Using third-party scripts which are often downloaded for free is a great way to add additional functionality to your website. The downside is that you are installing software often from an unknown or untrusted source and of potentially unknown quality and security on your server and giving it access to your web hosting account. If the software is well known (or old) then it is possible that it contains security holes that will be used by malicious third parties to access your data, deface your website, or send spam.
When using third party scripts, we recommend the following safe practices:
following well known scripts have all had serious security holes
found and exploited in the recent past. It is essential that you
run only stable patched versions of these programs and their plugins and keep
them updated ...
phpAdsNew, phpBB, formmail.pl, phpMyAdmin, phpNuke, DotNetNuke, phpGroupWare, Mambo, Joomla, Drupal, Geeklog, Moodle, WordPress, vBulletin, Phorum, Coppermine, SugarCRM, osCommerce, zenCart .... and many many many more!
Your Own Applications
Writing your own applications gives you ultimate control and flexibility in designing your website. However unless you are a proficient programmer and are well versed in secure coding practices, your code may be used by malicious third parties to access your data, deface your site, send spam or attack other websites.
Many programmers believe that because their application is custom written and not well known, then it is less to be targeted or exploited. Our experience is that this is a false assumption - it is very common for user-written scripts (especially those that implement contact forms, guest books or mailing list signups) to be hijacked. Attacks on such scripts are performed by automated systems that scan your website, harvest email addresses, and probe all forms and scripts on your website.
The cardinal rule in writing secure applications is never to trust any input submitted via a web form. All data submitted should be submitted to rigorous validation and sanity checking before it is used by the application or passed to any external program.
The most common exploits performed on user applications are:
We recommend that before you write your own scripts, you should familiarize yourself with safe coding practices for web applications. The following references may be useful starting points: