Are Open Source Scripts More Prone To Getting Hacked ?

Discussion in 'Security' started by PowerExtreme, Jun 3, 2008.

Thread Status:
Not open for further replies.
  1. #1
    Are Open Source Scripts More Prone To Getting Hacked ?
     
    PowerExtreme, Jun 3, 2008 IP
  2. xlcho

    #2
    Generally - yes. But that's a matter of opinion. That's like asking "which is better - Linux or Windows".
     
    xlcho, Jun 3, 2008 IP
  3. Randombase

    #3
    Depends from script to script, but generally an open source script can be audited more easily than a closed source script, since this would mean blind auditing.
     
    Randombase, Jun 3, 2008 IP
  4. jayshah

    #4
    Only if they have been written badly. A lot of encoded scripts are 'hacked' more quickly using SQL injection, because if they have a copy of it, they can exploit it.
     
    jayshah, Jun 5, 2008 IP
  5. Randombase

    #5
    Sorry to say, but you don't make any sense. Encoded scripts are much less likely to be exploited; you need the actual source code of the application to perform a good audit.
     
    Randombase, Jun 5, 2008 IP
  6. jayshah

    #6
    Nope, you can't say they're "less likely", because that's completely incorrect.

    What I'm saying is, if a copy is available, encoded or not and it's exploitable, it will get exploited. Remember, when you run code locally, you can intercept calls and such. Remember that having the source code simply speeds up the process. If you notice variables being entered into the URL, you can tamper with them. I'm not going to go into detail about the process.

    Further, using encoding like Zend will only make it worse, as it can be decoded with ease. The only way to prevent it is to actually write the script correctly in the first place.
     
    jayshah, Jun 5, 2008 IP
  7. Randombase

    #7
    Definitely not, there are things like hidden variables and arrays that aren't user inputted but can be modified by settings such as register_globals = On. For example:

    PHP:
    <?php
    include($blah.'/test.php');
    ?>

    Can be exploited, even though the variable isn't intended to be defined by the end-user. If a script is (strongly) encoded, you won't be able to see what variable you actually need to exploit. If the source isn't encoded, even an automated auditing tool can find the vulnerability.
     
    Randombase, Jun 6, 2008 IP
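
Added example (not written by any participant in this thread): a small audit check of the kind post #7 refers to, which flags `include`/`require` paths built from a variable that the file never assigns, or from request data. It is a regex heuristic rather than a PHP parser; the function name `audit` and the sample sources are constructed for illustration.

```python
import re

# include/require statement; 'expr' captures the path expression up to ';'.
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\b\s*\(?\s*(?P<expr>[^;]*?)\s*\)?\s*;',
    re.IGNORECASE)
VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
# Superglobals carry request data whatever register_globals is set to.
REQUEST_VARS = {'_GET', '_POST', '_COOKIE', '_REQUEST'}

UNASSIGNED = 'never assigned before include; settable by the request if register_globals = On'
REQUEST_DATA = 'request data used directly in include path'

def audit(source):
    """Return (line, variable, reason) for each risky variable in an include path."""
    findings = []
    for m in INCLUDE_RE.finditer(source):
        line = source.count('\n', 0, m.start()) + 1
        before = source[:m.start()]          # code that runs ahead of the include
        for name in VAR_RE.findall(m.group('expr')):
            assigned = re.search(r'\$' + re.escape(name) + r'\s*=(?!=)', before)
            if name in REQUEST_VARS:
                findings.append((line, name, REQUEST_DATA))
            elif not assigned:
                findings.append((line, name, UNASSIGNED))
    return findings

# The snippet from post #7: $blah is used but never set in the file.
VULNERABLE = "<?php\ninclude($blah.'/test.php');\n?>\n"
# Constructed fix: the path prefix is set by the script itself before use.
HARDENED = ("<?php\n$blah = dirname(__FILE__) . '/lib';\n"
            "include($blah.'/test.php');\n?>\n")
# Constructed variant: path taken straight from the query string.
FROM_REQUEST = "<?php\n$page = 'home';\ninclude($_GET['page'] . '.php');\n"

if __name__ == '__main__':
    for label, src in (('vulnerable', VULNERABLE), ('hardened', HARDENED),
                       ('from request', FROM_REQUEST)):
        print(label, audit(src))
```

The check only sees assignments made earlier in the same file, so a variable initialised in another included file is reported as well and needs a manual look.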
  8. jayshah

    #8
    You can. With a medium amount of C knowledge you can intercept PHP calls as they're compiled into tokens. As a result, you can dump any operation and/or variable names and associations.

    Agreed, it's not (as) easy, but it's completely possible, which is the point I'm trying to get across. Don't take encoders for granted. Too many developers do, and once the scripts are decoded (all of today's encoders have had the encoding reversed), exploits fall out of the sky.
     
    jayshah, Jun 6, 2008 IP