The security of online applications is essential for their smooth operation and for the safety of the information stored in them. If applications are not secured and the administrator who manages them does not comply with at least the minimum security requirements, a malicious break-in can occur, with disastrous consequences in some cases.
Below we describe the most common security-related mistakes, together with ways to avoid them.
1. Use of easy-to-guess passwords, or of the same password to log in at different locations.
Read also: Some tips when choosing a suitable password
2. Passwords intercepted through unauthorized access to an e-mail box that contains the access data for the account/server.
Access data for e-mail boxes should be stored diligently and responsibly, since unauthorized access to an e-mail box makes a number of malicious activities possible, including compromising the owner of the e-mail in any way.
3. Presence of malware and spyware on the local computers from which the hosting account is accessed.
If malware or spyware is installed on a computer, any sensitive information can be recorded (captured) and then sent to the offenders without the knowledge of that computer's administrator.
To avoid such a situation, computers must be kept free of this kind of spyware application and virus: scan them periodically with an anti-virus program, especially the computers that are used to access the account.
This eliminates the possibility of recording and misusing personal and confidential data, such as usernames, passwords and other data that could be used to access your account.
4. Vulnerabilities in CMS systems
Among the most widely used CMS systems are Joomla, osCommerce, e107, WordPress, Drupal and others. Through gaps in such applications, PHP scripts, shell files, etc. can be planted that give anyone full access to the contents of the account without the need for a username and password. Subsequently, through these scripts the content is modified and foreign files, malicious code, viruses, trojans, etc. are added.
To avoid such consequences, all PHP systems installed in the account, and the modules and components they use, should always be updated to the latest version. In recent versions of current systems the detected deficiencies have been remedied and the systems are secured against unauthorized access.
5. Presence of unprotected upload forms and galleries that allow scripts with malicious code (shell files) to be deployed.
If the account has pages through which files of any type can be uploaded without restrictions and without requiring authentication (username and password), these pages must be removed or protected. You should review all files located in the directories of these forms and galleries, as they should not contain files such as .php, .txt or other formats that are not image formats. The check of uploaded files should not be by extension alone (for example, allowing only .jpg, .png, .bmp, etc.); it should also verify that the file contents correspond to that extension. This double check is mandatory because a .php file can be renamed to .jpg and yet, once uploaded to the server, be run as a .php file regardless of its extension.
6. Inserting (including) files whose name is passed as a parameter in a URL, without a correct check that the included file belongs to the same application.
In these cases, a malicious person can insert (include) any file or address and then gain full access to the account.
It is generally not good practice to directly insert (include) a file whose name is passed as a parameter in the address. One solution is to create a table of file IDs that describes the files that may be included: the address is fed a file ID, and internally the script determines which file should be included.
That way there is no way to submit a file other than those that have been defined.
If, for any reason, the file name must remain in the URL, a check can be added that the file is located in the hosting account, and the file is included only if this condition is met.
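The checks from points 5 and 6 (the content check on uploaded images, the ID table, and the in-account path check) as an added Python example; this is not code from the original article, and the image signatures, the ID table entries and the account root path used in it are assumed sample values.

```python
import os
from typing import Optional

# Point 5: allowed image extensions and the file signature (magic bytes)
# that a file of each type must start with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def upload_is_valid_image(filename: str, content: bytes) -> bool:
    """Double check: the extension must be an allowed image type AND the
    first bytes must carry that type's signature, so a .php file renamed
    to .jpg is rejected even though its extension alone would pass."""
    name = os.path.basename(filename).lower()
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1]
    signatures = IMAGE_SIGNATURES.get(ext)
    if signatures is None:
        return False
    return any(content.startswith(sig) for sig in signatures)


# Point 6, preferred fix: the URL carries only an ID and this table
# (hypothetical entries) decides which file that ID maps to.
INCLUDE_TABLE = {
    "1": "pages/home.php",
    "2": "pages/contact.php",
}


def resolve_include_by_id(file_id: str) -> Optional[str]:
    """Return the file for a known ID, or None; nothing outside the table can be requested."""
    return INCLUDE_TABLE.get(file_id.strip())


def path_is_inside_account(requested: str, account_root: str) -> bool:
    """Point 6, fallback when the file name must stay in the URL: resolve the
    requested name against the account root and accept it only if the
    resolved path is still under that root. Remote addresses are never local
    files, so they are refused outright. The caller should still confirm
    that the file exists before including it."""
    if "://" in requested:
        return False
    root = os.path.realpath(account_root)
    target = os.path.realpath(os.path.join(root, requested))
    return target.startswith(root + os.sep)
```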
Unfortunately, the ways to breach application security are not limited to those described above. There are other opportunities for abuse, such as Cross-site scripting (XSS), SQL Injection, social engineering, network sniffing and others. However, they occur much less frequently, so if you follow the rules described above, the content of the account is more secure and the possibility of unauthorized access is minimized.