I need a way for this attack to be blocked.

Steven



Joined: 08 Apr 2006
Posts: 2

Posted: Sat Apr 08, 2006 10:52 am    Post subject: I need a way for this attack to be blocked.

Attack:

N.B. I don't care about the names of the files! (They are meaningless)

ok...

Index.php

includes
bah.php
mkl.php

//Does some secret stuff...

die();

Now I understand that IonCube has include attack prevention, however what is happening here is:

Ub3r 1337 H4X0R [70 7h3 M4X0R] writes a new script and replaces bah.php with his arbitrary code; now the script has included his code.



----

Now: http://forum.ioncube.com/viewtopic.php?t=268 hints about protection for this type of attack, so how can I do it?

Steven
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

Posted: Sat Apr 08, 2006 12:41 pm    Post subject:

The Encoder 6.5 GUI has an include attack feature where you specify a key, and only files that were encoded by your Encoder and that have the same key can be included, and by symmetry, files with that key can only be included by files that also have the same key. This prevents inclusion of someone else's files.

The underlying command line features that are used by the GUI to implement this are also described in the User Guide PDF, and you should consult that if using the command line Encoder.

Software protection is really best approached at the design stage of an application rather than retrofitted as a bolt-on later. Whilst the Encoder offers ways to make include attacks difficult or impossible, I'd recommend looking at your code and application design to understand where a weakness lies in the design that makes an include attack effective. Clearly without include attack protection such as the Encoder offers it will be possible for someone to substitute their own scripts, however it should be possible to design the PHP application such that doing this isn't effective or in any way useful, and whilst using the protection from the Encoder obviously makes sense as more barriers equate to better protection, being aware of how to design a PHP application so as not to have design weaknesses from a security perspective would be good too.
_________________
Community Admin
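
One design-level check for the substitution described in the question, added here as an example (it is not ionCube's include attack feature and not code from either poster): the including script pins a SHA-256 digest of each file it includes and refuses anything that does not match. It assumes the pin map ships inside the encoded entry script; `verified_include`, the temp directory and the file contents are hypothetical and constructed for the demo.

```php
<?php
/** Include $path only if its SHA-256 matches the digest pinned by the caller. */
function verified_include(string $path, string $pinnedSha256)
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("include target missing: $path");
    }
    $actual = hash_file('sha256', $real);
    // hash_equals() compares in constant time.
    if ($actual === false || !hash_equals($pinnedSha256, $actual)) {
        throw new RuntimeException("integrity check failed: $path");
    }
    // Caveat: include reads the file again, so someone who can rewrite it
    // between the check and the include is not stopped. Keep the include
    // directory read-only for the web server user as well.
    return include $real;
}

// --- Constructed demo: directory and file contents are made up ---
$dir = sys_get_temp_dir() . '/inc_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = "$dir/bah.php";
file_put_contents($file, "<?php return 'original';");

// In a real build this map is generated at release time and embedded in the
// protected entry script, never stored beside the files it describes.
$pins = ['bah.php' => hash_file('sha256', $file)];

// Untampered file: digest matches, so it is included.
echo verified_include($file, $pins['bah.php']), "\n";

// Simulate the replacement of bah.php with different code.
file_put_contents($file, "<?php return 'substituted';");
try {
    verified_include($file, $pins['bah.php']);
} catch (RuntimeException $e) {
    // The substituted file is rejected before any of its code runs.
    echo 'blocked: ', $e->getMessage(), "\n";
}

unlink($file);
rmdir($dir);
```

This covers only the direction where a protected script includes a replaced file; it does nothing about a foreign script including the protected files, which is what the key-based feature described above addresses.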