
Dreamweaver and Spyware - Macromedia Dynamic HTML

  1. #1

    Dreamweaver and Spyware

    Hello!

    Anyone out there know how to prevent spyware from being attached to a
    Dreamweaver website?

    I am new to Dreamweaver, and know very little HTML or XHTML (though I have a
    pocket reference for these codes, and can look things up).

    I have no idea how hackers attach spyware to a website, and am interested if
    there are methods of detecting and eliminating any spyware they might attach to
    a site I design.

    Anyone?

    mountain Guest

  2. #2

    Re: Dreamweaver and Spyware

    ..oO(mountain magic)
     

    Usually by using insecure scripts, which is by far the most common way
    to break into a website. For example if a script on the server doesn't
    properly check passed URL parameters or form data, it might be possible
    to inject malicious code or even upload your own script to the server.
    Then it's quite easy to view and manipulate the code of the pages, for
    example by adding hidden iframes, malicious JavaScripts and such stuff.

    I've already seen pages with an upload feature, but an improper check of
    the uploaded files. So I was able to easily upload my own PHP script and
    even call it in my browser ... some people just make it too easy for an
    attacker.

    The other way is to really break into the server by hacking into the OS
    and gaining root access. But then it's about time for you to change the
    host as quick as possible.
     

    The best is to do what you can to prevent such things right from the
    beginning. But unless you use server-side scripting to process form data
    or do other dynamic stuff, there's not much of a danger if the server is
    properly maintained and updated by your host.

    Micha
    Michael Guest

  3. #3

    Re: Dreamweaver and Spyware

    > I've already seen pages with an upload feature, but an improper check of 

    You mean by verifying that the file type is not an executable file, right?

    --
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    ==================


    "Michael Fesser" <de> wrote in message
    news:com... 
    >
    > Usually by using insecure scripts, which is by far the most common way
    > to break into a website. For example if a script on the server doesn't
    > properly check passed URL parameters or form data, it might be possible
    > to inject malicious code or even upload your own script to the server.
    > Then it's quite easy to view and manipulate the code of the pages, for
    > example by adding hidden iframes, malicious JavaScripts and such stuff.
    >
    > I've already seen pages with an upload feature, but an improper check of
    > the uploaded files. So I was able to easily upload my own PHP script and
    > even call it in my browser ... some people just make it too easy for an
    > attacker.
    >
    > The other way is to really break into the server by hacking into the OS
    > and gaining root access. But then it's about time for you to change the
    > host as quick as possible.

    >
    > The best is to do what you can to prevent such things right from the
    > beginning. But unless you use server-side scripting to process form data
    > or do other dynamic stuff, there's not much of a danger if the server is
    > properly maintained and updated by your host.
    >
    > Micha

    Murray Guest

  4. #4

    Re: Dreamweaver and Spyware

    ..oO(Murray *ACE*)
     
    >
    >You mean by verifying that the file type is not an executable file, right?

    That's not enough. IMHO there are at least two things that should be
    taken into account:

    1) What filetypes you want to allow.

    If it's only about images, then it's pretty easy to check the correct
    type with getimagesize(). For other types this "sniffing" can become
    more difficult.

    2) What will be done with the uploaded files and how users will be able
    to access them.

    Storing them in a public directory, where they can all be reached by
    URLs is very dangerous, because then it's the webserver which delivers
    and perhaps interprets these files. On the site I mentioned above I was
    able to upload a script with a name like "foo.php.txt". This easily
    bypassed the "security" check on that site, which was just a simple test
    of the file extension to prevent the upload of PHP scripts. My file was
    seen as a text file - nice. Additionally it was stored in a public
    directory and could be reached by a URL - even nicer. And finally the
    server was configured to also accept URLs with incomplete or no
    extension at all. So I was able to call my uploaded file like this:

    http://example.com/foo.php

    which made the server execute my own script ... *boom*

    This would not have been possible if the uploaded files would have been
    stored outside the document root and be delivered/streamed by a script:

    http://example.com/download.php?file=foo.php.txt

    Then it doesn't really matter of what type these files are - as long as
    the webserver can't get his own hands on them.

    Micha
    Michael Guest
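
The two points from the post above (type check on the content, storage outside the document root with delivery through a script), as an added example that is not part of the original thread. `UPLOAD_DIR`, `store_upload()`, `resolve_download()` and `send_download()` are hypothetical names, and the sample files are constructed:

```php
<?php
// Added example. UPLOAD_DIR and all function names are hypothetical.
const UPLOAD_DIR = '/srv/app/uploads';  // assumption: outside the document root
const ALLOWED = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

// Point 1: take the type from the content, never from the client-supplied name.
function store_upload(string $tmpPath, string $dir = UPLOAD_DIR): ?string
{
    $info = @getimagesize($tmpPath);    // false when the data is not an image
    $ext  = $info === false ? null : (ALLOWED[$info[2]] ?? null);
    if ($ext === null) {
        return null;
    }
    // Server-generated name and extension: a client name such as "foo.php.txt"
    // never reaches the file system.
    $id = bin2hex(random_bytes(16)) . '.' . $ext;
    // In a request handler, use move_uploaded_file() here instead of copy().
    return copy($tmpPath, $dir . '/' . $id) ? $id : null;
}

// Point 2: the download script maps an id to a file inside $dir, nothing else.
function resolve_download(string $id, string $dir = UPLOAD_DIR): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\.(gif|jpg|png)\z/', $id)) {
        return null;                    // "../x", "foo.php", "foo.php.txt" all fail
    }
    $path = $dir . '/' . $id;
    return is_file($path) ? $path : null;
}

// Stream the bytes with a fixed image type; the web server never maps a URL to the file.
function send_download(string $path): void
{
    header('Content-Type: ' . image_type_to_mime_type(getimagesize($path)[2]));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Demo on constructed input (php CLI); a temporary directory stands in for UPLOAD_DIR.
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/a.tmp", base64_decode(   // constructed 1x1 GIF
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents("$dir/b.tmp", "plain text, as in an upload named foo.php.txt\n");
$id = store_upload("$dir/a.tmp", $dir);
var_dump($id !== null && resolve_download($id, $dir) !== null);  // image stored, retrievable
var_dump(store_upload("$dir/b.tmp", $dir));                      // non-image refused
var_dump(resolve_download('foo.php', $dir));                     // arbitrary name refused
```

getimagesize() parses only the image header, so the type check narrows what is accepted, while the storage location and the generated name are what keep the web server from interpreting an uploaded file.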

  5. #5

    Re: Dreamweaver and Spyware

    Yep - makes good sense. Thanks.

    --
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    ==================


    "Michael Fesser" <de> wrote in message
    news:com... 
    >>
    >>You mean by verifying that the file type is not an executable file, right?
    >
    > That's not enough. IMHO there are at least two things that should be
    > taken into account:
    >
    > 1) What filetypes you want to allow.
    >
    > If it's only about images, then it's pretty easy to check the correct
    > type with getimagesize(). For other types this "sniffing" can become
    > more difficult.
    >
    > 2) What will be done with the uploaded files and how users will be able
    > to access them.
    >
    > Storing them in a public directory, where they can all be reached by
    > URLs is very dangerous, because then it's the webserver which delivers
    > and perhaps interprets these files. On the site I mentioned above I was
    > able to upload a script with a name like "foo.php.txt". This easily
    > bypassed the "security" check on that site, which was just a simple test
    > of the file extension to prevent the upload of PHP scripts. My file was
    > seen as a text file - nice. Additionally it was stored in a public
    > directory and could be reached by a URL - even nicer. And finally the
    > server was configured to also accept URLs with incomplete or no
    > extension at all. So I was able to call my uploaded file like this:
    >
    > http://example.com/foo.php
    >
    > which made the server execute my own script ... *boom*
    >
    > This would not have been possible if the uploaded files would have been
    > stored outside the document root and be delivered/streamed by a script:
    >
    > http://example.com/download.php?file=foo.php.txt
    >
    > Then it doesn't really matter of what type these files are - as long as
    > the webserver can't get his own hands on them.
    >
    > Micha

    Murray Guest

  6. #6

    Re: Dreamweaver and Spyware

    ..oO(Murray *ACE*)
     

    You're welcome.

    Micha
    Michael Guest
