Support A2Billing :

provided by Star2Billing S.L.

VoIP Billing solution


All times are UTC




 Post subject: Code injection
PostPosted: Fri Jun 13, 2008 3:28 pm 
Attention: the websites name.md and http://dothost.eu/ are using code injection in the signup form and customer interface.

If the developers of a2billing need the code used, please contact me via messenger.


PostPosted: Fri Jun 13, 2008 5:43 pm 
Moderator
Location: Devon, UK
Which version of PHP are you running? What is 'register_globals' set to in php.ini?
My own answers are PHP v5.2.6, because of this and 'register_globals = Off' because of this.


PostPosted: Fri Jun 13, 2008 8:12 pm 
stavros wrote:
Which version of PHP are you running? What is 'register_globals' set to in php.ini?
My own answers are PHP v5.2.6, because of this and 'register_globals = Off' because of this.


I have register_globals off and PHP 5.2.6.

I looked at the script these people execute and it is very interesting. How they get access:
basically, take the number ID of one user in Linux and register one new user with this number ID.

We have spoken many times here. Why is the signup form not outside of the administrator interface?

And how to make the customer interface also on another server.

I think this is the best solution.

1.- one server with asterisk + a2billing and apache off (php works also)

2.- another server with the customer interface and only the signup form

3.- Administrator interface on any server you like

But to avoid many troubles about this I think a new version of a2billing is necessary. In any case, I have spoken many times about the JavaScript error in the signup form.

If you have these logs in Apache, check your server well: some hacker is trying to make code injection.


PostPosted: Sat Jun 14, 2008 6:46 am 
Location: Canada
Gineta is right, Stavros. A2Billing is currently extremely vulnerable. You can do form injection at so many locations of the code that I stopped counting. I have seen people being able to insert fake payment transactions into an a2billing database by just posting the right stuff. Fortunately, we have put in place a mechanism that allows us to track and prevent this kind of attempt and to document the IP address of the hacker. Simply having an SSL certificate also helps prevent it, or at least it slows them down.

Other than the API security key thing, the only thing stopping an outsider from running arbitrary code in A2billing is a session variable that allows a2billing to determine whether or not the user is logged in. This should be improved because it may lead to a disaster that is waiting to happen.

You can replicate on an unauthorized server several forms that exist in a2billing. You will see that when you post them, a2billing will accept the data (POST or GET depending on the situation) and not detect a forgery. That is why we have started using .htaccess to enforce some tough rules on the servers. For instance, we will no longer allow external references to our servers. The only pages that will be accessible from outside the server will be the home pages. If someone tries to POST, GET, PUT, FILE, ... anything from somewhere else, we will pull the red flag. Navigation through the site will only be allowed from within, i.e. by clicking to move from one page to another.

Of course some external servers like PayPal and Moneybookers will be authorized. However, the code has to be strengthened.

Cheers


PostPosted: Sat Jun 14, 2008 9:36 am 
Location: Athens, Greece
I've been dealing with the issue since December.


PostPosted: Sat Jun 14, 2008 9:42 am 
All this is very sad. By now a2billing for me is used only for projects, not for users with customer access.

Very sadly, I use another billing system, not GNU, with my customers. There have been too many bad experiences and I will not lose my time.


PostPosted: Sat Jun 14, 2008 10:05 am 
Location: Barcelona
Gineta, according to your apache log :
Quote:
Notice: CREATE TABLE survey_request (, referer: http://faq.elistas.co.uk/otrs/index.pl? ... ageManager
...


This is all referring to another application that is not a2billing. Have you considered that another application on your server could be the cause of your troubles...


Btw, we sanitize input data in order to prevent SQL injection; anything that passes through _GET or _POST is sanitized!


Rgds, Areski

Added after 8 minutes:

Hi Asiby,

Quote:
Other than the API security key thing, the only thing stopping an outsider from running arbitrary codes in A2billing is a session variable that allows a2billing to determine whether or not the user is logged it. This should be improved cause it may lead to a disaster that is waiting to happen.


We could write an infinite list of web applications that base their security system on session variables :wink:
I am willing to know more about this?! How can we exploit it?


The API of course is open to the public once you decide to do so in your htaccess, which by default denies all!
Now if you are Admin on 2 servers, nothing might prevent you from sending data in a cross-post form manner, but still you are a logged-in Admin, no!?


Cheers, Areski


PostPosted: Sat Jun 14, 2008 10:22 am 
Location: Athens, Greece
Let me ask the usual question I ask in such cases:

What operating system/software do you run on the computer in front of you, the one you access a2billing with?

Till now that answer correlates 100% with the troubles your server setup has..


PostPosted: Sat Jun 14, 2008 1:06 pm 
areski wrote:
Gineta, according to your apache log :
Quote:
Notice: CREATE TABLE survey_request (, referer: http://faq.elistas.co.uk/otrs/index.pl? ... ageManager
...


These logs stavros copied from my Apache. They are from when I stopped the domain.
Otrs is a FAQ CMS made for the Debian group and by now is never hacked in the new versions.-

Otrs also uses its own version and configuration of Apache, totally outside of the a2billing configuration or domain.---

All the hacking attempts in the logs I have are always in the domain of a2billing, never in any subdomain.


PostPosted: Sat Jun 14, 2008 1:15 pm 
Location: Barcelona
So why do the logs you show us refer to something else...
I am lost with your explanation!!!

This is important, so please shed some light so that we can fix any security issues...


PostPosted: Sat Jun 14, 2008 2:40 pm 
areski wrote:
So why do the logs you show us refer to something else...
I am lost with your explanation!!!

This is important, so please shed some light so that we can fix any security issues...


Uhm.
From where did you get this log of my server?
Notice: CREATE TABLE survey_request (, referer: http://faq.elistas.co.uk/otrs/index.pl? ... ageManager

I did not post this log anywhere.


PostPosted: Sat Jun 14, 2008 7:01 pm 
Location: Canada
I understand what you mean, Areski. And I am 100% with you. One of the most common uses of a session is to track login status on a web site. Nevertheless, there are several security measures that can be taken in addition to what the session offers. For example, like gineta said, we can borrow a practice that Mambo and Joomla use by defining a constant that prevents secondary files from being called directly instead of being included as they should be.

Also, I believe that the sanitizing process should consider the host used by the referrer during the execution of each page. So whether it is a form POST or GET, or a request with a query string, we should check the HTTP_REFERER and make sure that the query string or the post has been built from the server itself and not through any MacGyver process.

There is much to discuss and of course we need input from good folks here. We can even try to find volunteers that know a lot about hacking and injection and you will be amazed. The most frightening thing that I have seen so far was that people could inject a form post and you would see in the View Transactions pages that you have received payments even though PayPal says otherwise.

Cheers
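The two measures asiby describes, as an added PHP example that is not A2Billing's own code: an include guard so secondary files cannot be requested directly, and a Referer host check on requests that change state. The constant name A2B_VALID_INCLUDE, the $server array passed in instead of $_SERVER, and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not A2Billing's own code. Constant name, host and the
// $server array passed in are assumptions; requires PHP 7.1 or later.

// 1. Include guard (the Mambo/Joomla practice): the front controller defines
//    A2B_VALID_INCLUDE before include()-ing a page. A direct HTTP request for
//    the secondary file never has the constant, so the file refuses to run.
//    The one-liner for the top of each secondary file is:
//        defined('A2B_VALID_INCLUDE') or die('Direct access denied');
function included_via_front_controller(): bool
{
    return defined('A2B_VALID_INCLUDE');
}

// 2. Referer host check: accept a state-changing request only when the
//    Referer header is present and its host is exactly this server's host.
function referer_allowed(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        // Browsers, proxies and privacy extensions often strip Referer; for a
        // POST that records a payment, failing closed is the safer default.
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false; // unparsable URL or no host component
    }
    // Exact, case-insensitive comparison of the whole host. A substring test
    // (strpos) would also match hosts that merely contain the expected name.
    return strcasecmp($host, $expectedHost) === 0;
}

// Glue for a live request. Only non-GET requests are checked: GET pages such
// as signup confirmation links legitimately arrive with no Referer at all.
// $server is $_SERVER in production; it is passed in so the logic is testable.
function enforce_referer(array $server, string $expectedHost): void
{
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'GET') {
        return;
    }
    $referer = $server['HTTP_REFERER'] ?? null;
    if (!referer_allowed($referer, $expectedHost)) {
        // Record the rejected request: the "red flag" the thread talks about.
        error_log(sprintf('Rejected %s from %s, referer=%s',
            $server['REQUEST_METHOD'], $server['REMOTE_ADDR'] ?? '?', $referer ?? '(none)'));
        http_response_code(403);
        exit('Cross-site request rejected');
    }
}
```

Referer is a client-supplied header, so this check stops forms replayed through a browser on another site but not a client that sets the header itself; treat it as a complement to the session check and a logging point, with a per-session form token as the usual next step.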


PostPosted: Sat Jun 14, 2008 8:46 pm 
asiby wrote:
I understand what you mean, Areski. And I am 100% with you. One of the most common uses of a session is to track login status on a web site. Nevertheless, there are several security measures that can be taken in addition to what the session offers. For example, like gineta said, we can borrow a practice that Mambo and Joomla use by defining a constant that prevents secondary files from being called directly instead of being included as they should be.



Look, asiby. I think areski believes a2billing is anti-hacker and that security penetration is not possible.

A2billing is a perfect billing for asterisk, but as we have spoken about here more than once, in security a few questions are missing.


I traced 4 servers in one subnet for about 1 month. 4 asterisk with a2billing.

In all the logs I observed this. And this is what happened:

1.- The hacker first tries to find out what CMS you are using, sending different paths to look at the errors.-

2.- The hacker does not get error 404 or 405 and has no idea what is there.

3.- The hacker seeks in all the servers the folders of the A2BCustomer interface and administrator.-

4.- The hacker tries this in different domains.-

5.- Only one server has public access to the customer interface and the hacker tries this server.

6.- Four different IPs, same day and same time, start attacking the server, sending code injection to get the ID of one Linux user.

7.- They get the number ID of one user and record another user with this number ID.

8.- The datacenter and I recorded everything and at four in the morning we called VIRGIN MEDIA.- (one hacker now has name, surname and address in the UK.) This hacker is also a new user in a2billing.

9.- At 4.30 AM I decided to stop the domain of a2billing and FORMAT the SERVER to LOW LEVEL the next day.

10.- I got the code they are using to inject and complained to the police about the folks.

11.- UK Police inform that this hacker is truly in the UK, and also 2 others in Spain (MADRID and BARCELONA), and Poland and other old Russian countries.

Doing damage to any server and robbing information is a criminal action in the UK.-

12.- The worst thing about this: ONE HACKER is one USER of this forum whom we helped one day in repairing his a2billing.


PostPosted: Sun Jun 15, 2008 5:12 am 
Location: Barcelona
Thanks for your last comment!!!

I am just asking for some real input to try to solve an eventual issue, all you are giving me is not helping to fix any eventual security hole...

Thanks, Areski


PostPosted: Sun Jun 15, 2008 7:24 am 
Location: Athens, Greece
In many (European) countries, including mine, failing to /provide/ security for telecoms systems is a crime (well, misconduct at least).
If somebody treats his a2b servers as if they are web servers, he may well find himself being prosecuted, and I wouldn't pity him.

On the other side, I know Areski has worked hard to patch any possible vulnerabilities and harden the security of this app. It still takes, however, an experienced administrator to install it right for professional use.
My claim is not that a2b is unbreakable, but that it can be set up in such a way that it will be safe.

There are dozens of books on IT security. There is a mountain of experience you have to climb. There are my earlier posts on 'chmod' topics at this forum. Read!

