Vulnerable register_globals

You should exercise extreme care when working with parameters. If the register_globals parameters is set to On in the php.ini configuration file, global variables are created. This can be a vulnerability source if you are not being careful enough. Let's consider the following vulnerability demonstration example:

<form action="testpass.php" method="get">
 Login: <input name="username">
 Password: <input name="password">
</form>

if ($password== $legal_pass) and ($username==$legal_name)
  $logged = 1

if ($logged)
 {
  //The user has been authorized
 }

Hidden Parameters

Never trust hidden parameters! You ask why? Because it is very easy to change them. All it takes is to save the web page on the local hard drive, modify the action field to point to the necessary script on the server, modify the necessary parameter, and execute the modified file.

Despite their shortcomings, hidden parameters can still be used; you simply have to be very careful with them. We will start considering using hidden parameters with how to hide parameters from honest users and beginning hackers. Sometimes it is necessary to pass some service information from one page to another without using cookies for this. In this case we can make use of hidden parameters. This can be done is several ways, which we will consider.

The first way is to create an input field of the hidden type as follows:

Network Monitoring Software

I uploaded the next version of my network monitoring program. It is fast and easy-to-use network monitoring software for everyone who want to know about their hosts or web page availability. The program monitors connections with specified computers in your network. CyD Careful Observer continuously monitors specific computer, server or WEB page accessibility. may monitor computers in your local network or in the Internet.

CyD Careful Observer - Network Monitor allows you to monitor any remote host port in your or remote network. When you run any network service on your server, a network port is opened to receive network packages. If the port is down, the service may be down too. The port monitoring allows system administrators to monitor the service availability

The main features of Careful Observer - Network Monitor 2010 SP2 are:

• New feature to export log data to XML or HTML files.
• It is easier to create WEB page monitoring items.
• Now you can see network status messages in windows notification area: near to system clock.
• The program checks latest news from CyD Software Labs server and shows you a dialog box with news.

Port scanning

The only way to protect your system from hacker attacks is to know how hackers carry out these attacks. When considering the fundamentals of hacker attacks, you have to think as a hacker. For example, what should be done first to break into a server or to test it for vulnerabilities? There is no clear answer to this question. Any break-in is a creative process and requires an individual approach. There are no clear-cut rules or ready-made templates. Nevertheless, a few practical recommendations can be given.

The first step in a break-in or vulnerability test is to scan the ports. Why? To find out what services (daemons, in Linux) are installed in the system. Each open port is a service program installed on the server, to which someone can connect and make it do certain things. For example, port 21 is used by the file transfer protocol (FTP) service. If a hacker can connect to this port, he or she will be able to download and upload files from and to the server. The hacker must acquire the corresponding rights to be able to do this, however.

The first 1,024 ports must be scanned initially. Many of them are used by standard services like FTP, hypertext transfer protocol (HTTP), and Telnet. Each open port is like a locked door to the server. The more doors the server has, the more chances there are that the lock on one of them can be picked. Therefore, you should only install those services that are necessary.

Storing User Parameters

HTTP does not support protracted connections. A new connection is created to receive each file in a page (i.e., a script, image, Flash animation, etc.). Consequently, the server cannot control whether the same user requested two different item (e.g., a script and an image), because for each of these a different connection would be created.

Page transitions also create new server connections; therefore, pages cannot be interlinked nor have common parameters. There are three ways to save parameter values when moving from one page to another. These are the following:

• Cookies: files stored on the client's computer. These can be:
• Temporary: stored in the memory of the client's computer only during the specific server connection.
• Permanent: stored on the client's hard drive until the specified time.
• Sessions.
• Implement your own connections, with the necessary parameters saved in database table and linked to the client.

PHP Sessions

Let's consider parameter use on the example of a site employing authorization procedure. When a user enters his or her name, a session must be initiated. This allows us to use session variables. A session is initiated by the session_start() function. If the function executes successfully, it returns true; otherwise, false is returned.

Now the PHP interpreter has to be informed which variables are to be saved in the session. This is done using the session_register() function, to which the variable name to be saved is passed as the parameter. Afterward, all the variables that have been placed into the session will be available from all pages of your site for the duration of the session.

Let's consider an example of a session. We'll create a file named session.php for this. The file contains a form to enter the user name, which will be saved in a session variabl: