How to prevent <meta http-equiv="refresh"> attacks? [duplicate]

I think hackers (or script kiddies) attacked my website using leaks of the website's codebase. Posts in the database were changed so that they contain this HTML:

<meta http-equiv="refresh" content="0;url=http://example.com"/>

But I can't rewrite the system now. What are the strategies to prevent this situation from happening in the future?

I'm thinking of migrating the admin script to a subdomain that allows access to certain domains. Or using mod_security SecFilterScanPOST and scanning all POST requests containing http-equiv etc. Or only allowing POST requests from my server, or all of them?

Thank you.

fatihpense asked Feb 15 '13 08:02


3 Answers

The first step may be investigating where the code is injected, which may help you to identify what the root cause is:

  1. If your web site gets content from a database and the injected tag is retrieved as part of the database content, your site probably has an SQL injection flaw or other vulnerabilities that allow attackers to change the content there.

  2. If the tag is in every PHP file, it means the attacker has access to your file system. Either he has access to your FTP, telnet or other admin consoles, or your web site has vulnerabilities that allow attackers to modify/create files on the web site.

  3. It may also be possible that your server has vulnerabilities that allow such access by the attackers.

After you have identified the root cause, fix it accordingly =)

Here is some generic advice to help prevent the same thing from happening again:

  1. Review your web sites and server for vulnerabilities, either through code review, pen tests or automated scans, and fix them accordingly.

  2. Install updates, hotfixes and security patches promptly. Keep it updated, updated, updated, updated...

  3. Assign proper folder permissions (read-write, read-only, no access) on the file system and grant only the necessary rights to users (minimum-privilege principle).

    • For example, you may consider giving the web server user read-only access to all web content folders except upload folders.
    • Configuration files usually don't need to be writable by the web server user. Normally they are writable by the administrator only. Also be careful not to allow the content of such files to be accessible via the web server (i.e. via the http:// URL of your web server). Putting them outside the web content root directory is a nice idea.
    • Putting any upload folders outside the web content root directory is also a nice idea.
    • Mind the owner of the files too, because owners can freely change the permissions of the file.
  4. Be cautious when using 3rd-party components (e.g. WordPress/Joomla plugins). Only use them if you trust the publisher. Download only from the main site. Remember to keep them up to date too. Disable and remove them if necessary.

  5. Restrict access to administrative consoles and services like FTP, Telnet, database administration consoles (e.g. phpMyAdmin) etc. Assign good passwords for them. Best is to not let anyone except authorized users access them (e.g. using IP restrictions set in the firewall or configuration, or hiding them behind a VPN).

    • Actually you should avoid any clear-text protocols when passwords (especially the administrator's) are transmitted. There are usually encrypted alternatives for them, e.g. Telnet -> SSH, FTP -> SFTP/FTPS, HTTP -> HTTPS.
    • The database port should really not be accessible from the Internet. There are only rare scenarios where you will need this. Configure it to listen on the loopback interface in most cases...
circle answered Nov 10 '22 15:11


See OWASP on both XSS and input validation.

Do not sanitize your input - you want the original <meta http-equiv="refresh" content="0;url=http://example.com"/> in your database - but instead treat it as untrusted data and escape/disarm it when it comes to output.

Francois Bourgeois answered Nov 10 '22 16:11
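As an added example that is not part of either answer above, here is what "keep the original in the database, escape at output" looks like in PHP, beside the input-escaping shortcut for comparison. It assumes PHP 8; STORED_POST, e() and render_post() are names chosen for this example, and the post body is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample: a post body as it sits in the database after the
// attack described in the question. It stays untouched in storage.
const STORED_POST = 'Hello & welcome <meta http-equiv="refresh" content="0;url=http://example.com"/>';

// Escape untrusted text for an HTML body or attribute context.
// ENT_QUOTES also converts single quotes (the default leaves them alone),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the explicit charset avoids surprises from a mismatched default.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape on output: the injected tag reaches the browser as literal text
// (&lt;meta ...&gt;), so it is displayed rather than acted on, and the
// database record is still available unmodified for investigation.
function render_post(string $body): string
{
    return '<article>' . e($body) . '</article>';
}

// The input-escaping shortcut from the last answer, for comparison: the value
// is altered before it is stored, and because output escaping is still needed
// for data that never passed through that filter, the stored ampersand ends
// up double-encoded when the page is rendered.
function escape_on_input_then_output(string $raw): string
{
    $stored = htmlspecialchars($raw);   // what would be written to the database
    return '<article>' . e($stored) . '</article>';
}

echo render_post(STORED_POST), PHP_EOL;
echo escape_on_input_then_output(STORED_POST), PHP_EOL;
```

Escaping at output does not stop an attacker who can already write to the database; it only keeps whatever they wrote from being interpreted as HTML, so the root-cause steps in the first answer still apply.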


This is a lazy solution if you do not want to escape your data while reading from the DB (which you should).

<?php
// Escape one value in place; array_walk_recursive passes each leaf by reference.
function escape_deep(&$value)
{
    $value = htmlspecialchars($value);
}

// Escape every GET and POST parameter before the application reads it.
array_walk_recursive($_GET, 'escape_deep');
array_walk_recursive($_POST, 'escape_deep');
Niclas Larsson answered Nov 10 '22 15:11