Tags: php, security, authentication, bots, unauthorized

Websecurify access pages that should be protected


I have made an application with PHP. I am not an OOP developer and everything I know I learned by myself. I have a login screen and a file that I include at the top of all my files. This file checks if the user is authorized and if the session is ok and then gives access, else it redirects to the login page.

I thought that this was safe, but I used Websecurify (Chrome addon) and it gave me many security errors that I have to check. Those errors were from PHP pages that were "protected" with username/password authentication and a session cookie.

Websecurify accessed forms, posted data and did a lot of things to pages that should be protected. How can I protect my scripts from crawlers and bots?

Also, Websecurify said about Apache authentication: "The application used WWW Authentication. This type of authentication is often considered insecure and vulnerable to a range of attacks."

Is this true? I really need your opinion on how to protect my PHP scripts from unauthorized access.

The file that I include at the top of all PHP scripts is this:

<?php
session_start();

// set timeout period in seconds
$inactive = 3600;

// check to see if $_SESSION['timeout'] is set
if( isset($_SESSION['timeout']) )
{
  $session_life = time() - $_SESSION['timeout'];
  if( $session_life > $inactive )
  {
    session_destroy();
    header("location:http://localhost/test/login.php");
  }
}
$_SESSION['timeout'] = time();

// redirect to the login page when no client is stored in the session
if( !isset($_SESSION['client']) )
{
  header("location:http://localhost/test/login.php");
}
else
{
  // authorize user and store some session vars
}

My login page is this:

<?php
session_start();
if(isset($_GET['a']) && $_GET['a']=="logout") {session_destroy();header("location:login.php");}
if(!isset($_SESSION['attempts'])) {$_SESSION['attempts'] = 0; session_commit();}
session_start();

?>
<?php
include_once("vars.php");
include ('mysql_connect.php');
$username=isset($_POST["username"]) ? mysql_real_escape_string($_POST["username"]) : "";
$password=isset($_POST["password"]) ? mysql_real_escape_string($_POST["password"]) : "";


if($_SESSION['attempts']==4){
    echo "<div class=\"error\">You can try one more time.</div>";
    }

if($_SESSION['attempts']>4){


// check if blocked username

$sql="SELECT * FROM isec_block WHERE username = '$username' and status=1";
$sql=mysql_query($sql);
$sql_row = mysql_fetch_array($sql);
$allrows = mysql_num_rows($sql);
$nowdate = strtotime(date('Y-m-d H:i:s'));
if($allrows>0){
$db_date = strtotime($sql_row['time_limit']);


    if($db_date < $nowdate){
    //unblock user
    $sql="UPDATE isec_block SET status=0 WHERE username = '$username'";
    $sql=mysql_query($sql);
    echo "<div class=\"error\">Notice: Your account is open now.</div>";
    $_SESSION['attempts'] = 0; session_commit();
    session_start();
    }else{
    $error=1;
    echo "<div class=\"error\">Multiple failed login attempts.</div>";
    }
}

// eof check if blocked username

$error=1;
if($_SESSION['attempts']>0) echo "<div class=\"error\">ERROR: Try again in 30 minutes please.</div>";
$ip =  $_SERVER['REMOTE_ADDR'];



    if($_SESSION['attempts']==5){

    // store error login
    $sql="INSERT INTO `isec_log` (username,ip,date,status) VALUES ('".$username."','$ip',NOW(),1)";
    $result=mysql_query($sql);

    // block username for x time
    $timeToBuildStructure = 300; // seconds
    $now = time(); // current time (seconds since 1/1/1970)
    $finishedBuilding = $now + $timeToBuildStructure;
    $newdate = date("Y-m-d H:i:s",$finishedBuilding);
    $sql="INSERT INTO isec_block (username,time_limit,status) VALUES ('".$username."','$newdate',1)";
    $result=mysql_query($sql);
    }

$_SESSION['attempts']= $_SESSION['attempts'] + 1;
}



if($username!=="" && $password!=="" && $error<>1)
{
    $sql="SELECT * FROM isec_usertable WHERE username='$username' AND password='$password'";
    $result=mysql_query($sql);
    $row_result= mysql_fetch_assoc($result);
    $authenticated = $row_result['username'];
    $authenticatedid = $row_result['id'];
    $authenitcatedate = $row_result['Lastvisit'];
    $authenticatedtype = $row_result['rights'];
    $authenticatestatus = $row_result['status'];
    $rows=mysql_num_rows($result);


       if ($rows==1 and $authenticatestatus==1){
       $_SESSION['client']=$authenticated;
       $_SESSION['id']=$authenticatedid;
       $_SESSION['ldate'] = $authenitcatedate;
       $_SESSION['rights'] = $authenticatedtype;
       $_SESSION['client_id'] = $row_result['client'];
       $_SESSION['isLoggedIn'] = true;
       $_SESSION['imagemanager.filesystem.rootpath'] = "../../../../../UserFiles/".$authenticatedid;

       // add visit data
       $ip =  $_SERVER['REMOTE_ADDR'];
       $visitdate="UPDATE `usertable` SET Lastvisit=NOW(), visits=visits+1 WHERE id='$authenticatedid'";
       $result=mysql_query($visitdate);
       // eof visit date

       // store error login
        $sql="INSERT INTO isec_log (username,ip,date,status) VALUES ('$username','$ip',NOW(),0)";
        $result=mysql_query($sql);
       header("location:index.php");
       } else {
       $_SESSION['attempts']= $_SESSION['attempts'] + 1;
        //header("location:login.php?er=1");
        echo "<div class=\"error\">ERROR: Wrong password or inactive account</div>";
       $error=1; }
}


?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
<link href="general_css.css" rel="stylesheet" type="text/css" />
</head>
<body><?php if(isset($_GET['er']) && $_GET['er']==1) {echo "<div class=\"error\">ERROR: Wrong password or inactive account</div>";} ?>
<div id="container">
    <div id="logo"><img src="template/isec-logogif.gif" width="285" height="64" /></div>
    <?php include_once("header-icons.php");?>
    <div id="main">
<div class="actionsblock">
            <div class="actionheader">Login</div>
              <form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
                <table width="100%" border="0" cellspacing="5" cellpadding="5">
                  <tr>
                    <td width="17%" class="menublock"><div align="right"><a href="pages/clients-add.php"></a><a href="pages/clients.php"></a>Username</div></td>
                    <td width="17%" class="menublock"><label>
                      <input name="username" type="text" class="formfield_client" id="username" value="<?php echo $_POST['username'];?>" />
                    </label></td>
                  </tr>
                  <tr>
                    <td class="menublock"><div align="right">Password</div></td>
                    <td class="menublock"><input name="password" type="password" class="formfield_client" id="password" /></td>
                  </tr>
                  <tr>
                    <td class="menublock"><div align="right"><a href="myip.php?ip=<?php echo $_SERVER['REMOTE_ADDR'];?>" target="_blank"><img src="template/dot.gif" alt="ip" width="10" height="9" /></a></div></td>
                  <td class="menublock"><label>
                      <input type="submit" name="submit" id="submit" value="Connect" />
                    </label></td>
                  </tr>
                </table>
      </form>
      </div>
    </div>

</div>
</body>
</html>

<?php
mysql_close($dbc);
?>

Solution

  • This is extremely insecure code. At no point are you preventing access to any page. You aren't hashing passwords, and it's vulnerable to XSS.

    Let's start with access control: the header() function adds an arbitrary HTTP header to the response, but the PHP code executes normally.

    Doesn't prevent access to anything, it only redirects the browser: header("location:http://localhost/test/login.php");

    This is like saying that this line of code prevents access:

    header("Message: Go away!");

    This prevents access to a page by calling die():

    header("location:http://localhost/test/login.php");
    die();
    

    XSS vectors:

    echo $_POST['username'];

    echo $_SERVER['PHP_SELF'];

    Patched:

    echo htmlspecialchars($_POST['username'],ENT_QUOTES);

    echo htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES);
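The following is an added example, not code from the question or from the answer above. It pulls the answer's three points (stop the script after the redirect, hash passwords, escape output) together with the include-file design from the question into one file, `auth.php`, that both `login.php` and every protected page can include. It assumes a PDO connection in `$pdo` (the question uses the old `mysql_*` functions), and that the `isec_usertable` table named in the question has a `password_hash` column filled with `password_hash($plain, PASSWORD_DEFAULT)` instead of the plaintext `password` column; the helper names `requireLogin`, `authenticate`, `loginUser` and `e` are this example's own.

```php
<?php
// auth.php: added example, not code from the question or the answer.
// Include it from login.php and from every protected page, then call
// requireLogin() at the top of each protected page.
declare(strict_types=1);

// Session cookie hardening; these must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
// When the site is served over HTTPS, also: ini_set('session.cookie_secure', '1');
session_start();

const INACTIVE_LIMIT = 3600;        // idle seconds before the session expires
const LOGIN_URL      = 'login.php'; // login page from the question

/** Redirect and STOP: header() alone does not prevent the rest of the page from running. */
function redirectToLogin(): void
{
    header('Location: ' . LOGIN_URL);
    exit; // the line missing from the question's include file
}

/** Gate for protected pages: the user must be logged in and not idle for too long. */
function requireLogin(): void
{
    if (empty($_SESSION['client'])) {
        redirectToLogin();
    }
    if (isset($_SESSION['timeout']) && (time() - (int) $_SESSION['timeout']) > INACTIVE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        redirectToLogin();
    }
    $_SESSION['timeout'] = time();
}

/**
 * Check credentials against the database with a prepared statement.
 * Assumption: isec_usertable has a password_hash column (see lead-in).
 * Returns the user row on success and null on failure; the caller never
 * learns whether the username or the password was the wrong part.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, rights, status FROM isec_usertable WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false
        || (int) $row['status'] !== 1
        || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

/** Establish the session after a successful login. */
function loginUser(array $user): void
{
    session_regenerate_id(true); // fresh id, so a pre-login session id cannot be reused
    $_SESSION['client']  = $user['username'];
    $_SESSION['id']      = (int) $user['id'];
    $_SESSION['rights']  = $user['rights'];
    $_SESSION['timeout'] = time();
}

/** Escape a value before echoing it into HTML (the answer's htmlspecialchars fix). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Usage in login.php (assumes $pdo was created by the database include) ---
// require_once 'auth.php';
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     $user = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
//     if ($user !== null) { loginUser($user); header('Location: index.php'); exit; }
// }
// ... in the form: value="<?= e($_POST['username'] ?? '') ?>"
//
// --- Usage at the top of every protected page ---
// require_once 'auth.php';
// requireLogin();
```

Two design points worth noting: every redirect goes through `redirectToLogin()`, so there is a single place where the `exit` after `header()` lives, and `authenticate()` returns the same `null` for an unknown username, an inactive account and a wrong password, so the login form's error message cannot be used to tell those cases apart. Existing plaintext passwords would need to be re-hashed with `password_hash()` (for example at the user's next successful login) before the `password_hash` column can replace the old `password` column.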