asiby wrote:
I understand what you mean, Areski, and I am 100% with you. One of the most common uses of a session is to track login status on a web site. Nevertheless, there are several security measures that can be taken in addition to what the session offers. For example, as gineta said, we can borrow a practice that Mambo and Joomla use: defining a constant that prevents secondary files from being called directly instead of being included as they should be.
Also, I believe that the sanitizing process should consider the host used by the referrer during the execution of each page. So whether it is a form POST or GET, or a request with a query string, we should check the HTTP_REFERER and make sure that the query string or the post has been built from the server itself and not through any MacGyver process.
There is much to discuss, and of course we need input from the good folks here. We can even try to find volunteers who know a lot about hacking and injection, and you will be amazed. The most frightening thing I have seen so far was that people could inject a form post and you would see in the View Transaction pages that you have received payments even though PayPal says otherwise.
Cheers
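The two measures asiby describes, a direct-access guard constant in the style of Joomla's `_JEXEC` / Mambo's `_VALID_MOS` and a check that the Referer host matches the server's own host, as an added PHP example. This is not A2Billing's, Mambo's or Joomla's own code; the constant name `_APP_EXEC`, the helper function names and the sample request arrays are assumptions constructed for illustration.

```php
<?php
// Added example, not A2Billing, Mambo or Joomla code.
// Two defence-in-depth checks for a PHP front controller.

// 1. Direct-access guard. The entry point (index.php) defines the constant
//    BEFORE including anything; every secondary file starts with the guard
//    line, so a request that hits lib/secondary.php directly never reaches
//    its code. The constant name _APP_EXEC is an assumption.
define('_APP_EXEC', 1);                     // entry point only

// --- first line of every included (secondary) file -------------------
defined('_APP_EXEC') or die('Restricted access');
// ---------------------------------------------------------------------

/**
 * 2. Origin check for a state-changing request: the Referer host must match
 *    our own host. Returns true only when the header is present and matches;
 *    a missing or unparsable Referer is treated as untrusted.
 */
function referer_matches_host(array $server): bool
{
    if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
        return false;
    }
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($refHost)) {
        return false;                       // malformed Referer URL
    }
    // HTTP_HOST may carry a port; compare hostnames only, case-insensitively.
    $ownHost = strtolower(explode(':', $server['HTTP_HOST'])[0]);
    return strtolower($refHost) === $ownHost;
}

/** A POST, or a GET carrying a query string, gets the origin check. */
function request_needs_origin_check(array $server): bool
{
    return ($server['REQUEST_METHOD'] ?? 'GET') === 'POST'
        || !empty($server['QUERY_STRING']);
}

// Constructed sample requests (not captured traffic) showing the decision.
$samples = [
    ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'billing.example',
     'HTTP_REFERER'   => 'https://billing.example/A2BCustomer/index.php'],
    ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'billing.example',
     'HTTP_REFERER'   => 'https://other.example/form.html'],
    ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'billing.example'], // no Referer
    ['REQUEST_METHOD' => 'GET',  'HTTP_HOST' => 'billing.example:8080',
     'QUERY_STRING'   => 'id=1', 'HTTP_REFERER' => 'https://billing.example/'],
];
foreach ($samples as $i => $req) {
    $ok = !request_needs_origin_check($req) || referer_matches_host($req);
    printf("request %d: %s\n", $i, $ok ? 'accepted' : 'rejected (origin mismatch)');
}
// Expected: requests 0 and 3 accepted, requests 1 and 2 rejected.
```

The Referer header is supplied by the client, so it can be absent (privacy settings, some proxies) or set to any value by a script; treat this check as one layer alongside a per-form token and, for the payment case above, confirmation of each payment with the provider rather than trust in the posted form.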
Look asiby. I think Areski believes A2Billing is anti-hacker and that security penetration is not possible.
A2Billing is a perfect billing for Asterisk, but as we have said here more than once, on security it is missing a few things.
I traced 4 servers on one subnet for about 1 month: 4 Asterisk with A2Billing.
In all the logs I observed this. And this happened:
1. The hacker first tries to see what CMS you are using, sending different paths to look at the errors.
2. The hacker does not get a 404 or 405 error and has no idea what is there.
3. The hacker seeks on all the servers the A2BCustomer interface and administrator folders.
4. The hacker tries this on different domains.
5. Only one server has public access to the customer interface, and the hacker tries this server.
6. Four different IPs, same day and same time, start attacking the server, sending code injection to get the ID of one Linux user.
7. They get the number ID of one user and record another user with this number ID.
8. The datacenter and I record everything, and at four in the morning we call VIRGIN MEDIA. (One hacker now has a name, surname and address in the UK.) This hacker is also a new user in A2Billing.
9. At 4:30 AM I decided to stop the A2Billing domain and FORMAT the SERVER at LOW LEVEL the next day.
10. I got the code he is using to inject and complained to the police about the folks.
11. UK Police inform that this hacker is indeed in the UK, and also 2 others in Spain (MADRID and BARCELONA), and Poland and other old Russian countries.
Making damage in any server and robbing information is a criminal action in the UK.
12. The worst thing about this ONE HACKER is that he is one USER of this forum whom we helped one day to repair his A2Billing.