{"id":30218,"date":"2014-05-07T13:34:15","date_gmt":"2014-05-07T18:34:15","guid":{"rendered":"http:\/\/webirix.com\/?p=30218"},"modified":"2014-05-07T13:43:17","modified_gmt":"2014-05-07T18:43:17","slug":"servidor-web-programar-de-forma-segura","status":"publish","type":"post","link":"https:\/\/webirix.com\/en\/servidor-web-programar-de-forma-segura\/","title":{"rendered":"Web server. Program safely"},"content":{"rendered":"<p style=\"color: #222222;\"><a href=\"http:\/\/webirix.com\/wp-content\/uploads\/2014\/05\/consejos_seguridad_ordenador-644x450.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-30219 aligncenter\" src=\"http:\/\/webirix.com\/wp-content\/uploads\/2014\/05\/consejos_seguridad_ordenador-644x450-300x209.jpg\" alt=\"consejos_seguridad_ordenador--644x450\" width=\"300\" height=\"209\" srcset=\"https:\/\/webirix.com\/wp-content\/uploads\/2014\/05\/consejos_seguridad_ordenador-644x450-300x209.jpg 300w, https:\/\/webirix.com\/wp-content\/uploads\/2014\/05\/consejos_seguridad_ordenador-644x450.jpg 644w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p style=\"color: #222222;\">Many <strong>text editors or IDEs<\/strong> are configured to save a <strong>backup copy<\/strong> of the files being edited, so that if we have a file called my_conexion.php, a backup copy named my_conexion.php~ is created.<\/p>\n<p style=\"color: #222222;\">We must be very careful with these files ending in the <strong>character ~<\/strong>, because they are NOT <strong>PHP<\/strong> files that the <strong>web server<\/strong> knows it must execute; it treats them as just another text file. Therefore, if we make the mistake of uploading such a file to the production server, our source code is exposed to anyone. 
Sometimes this code may not be useful to a potential attacker, but in most cases it contains database access details or queries, so by giving them access to the code through these files we are publishing the structure of the database. If that structure is not well designed, we may expose it to ID and brute-force attacks, or we may even be telling the attacker that user passwords are not stored encrypted, which, by the way, must <strong>NEVER<\/strong> be done.<\/p>\n<p style=\"color: #222222;\">Knowing this, we must be very careful not to upload to our server files that are NOT <strong>HTML, CSS, PHP, JSP<\/strong> and the like, depending on the programming language we are using. This includes not only files ending in the character ~ but also, for example, .sql files. If we make the mistake of uploading this kind of file, we are very probably giving away the access user names and password, as well as the structure of the whole database, so &#8220;hacking&#8221; the website becomes child&#039;s play.<\/p>\n<p style=\"color: #222222;\">If we have not taken this basic security precaution into account, or we are not the only ones who upload files to the server, and we want to check that there are no files of this type on the server, we can do it with a simple command in the terminal, logged in as root so that we can access all directories. 
We can do:<\/p>\n<div class=\"wp_syntax\" style=\"color: #222222;\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"bash\">find \/ -name \"*~\"   # the pattern is quoted so the shell does not expand it before find sees it<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"color: #222222;\">With the previous command we search from the root for files whose name ends with the character ~.<\/p>\n<div class=\"wp_syntax\" style=\"color: #222222;\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"bash\">find \/ -name \"*.sql\"<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"color: #222222;\">With this command we look for .sql files that might have been uploaded to the server.<\/p>\n<p style=\"color: #222222;\">Finally, it never hurts to run<\/p>\n<div class=\"wp_syntax\" style=\"color: #222222;\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"bash\">find \/ -name \"*.txt\"<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"color: #222222;\">to rule out having text files in our source directory.<\/p>\n<p style=\"color: #222222;\">We can optimize the search a bit by limiting it to the directory where the web sources are stored. 
In this case we can run<\/p>\n<div class=\"wp_syntax\" style=\"color: #222222;\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"bash\">find \/var\/www\/ -name \"*~\"<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"color: #222222;\">With this we no longer search from the root, but only in the directory of the web source files.<\/p>\n<p style=\"color: #222222;\">These searches return a list of the files, if any, whose names match what was specified. If any of these searches return files, we must do the following. First, examine each and every one of them to see what we have been exposing: if they contain users and\/or passwords, we must change them, update our code, upload it, and delete the backup files from the server. If no access information and\/or database structure has been compromised, we simply delete these files.<\/p>\n<div class=\"wp_syntax\" style=\"color: #222222;\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"bash\">rm \/file_path\/backup_file.extension~   # no space before the ~, it is part of the file name<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p style=\"color: #222222;\">We hope it has been useful to you.<\/p>","protected":false},"excerpt":{"rendered":"<p>Many text editors or IDEs are configured to save a backup copy of the files that are being edited, in such a way that, if we have a file called my_conexion.php, a backup copy of the file named my_conexion.php~ will be created. With these files ending with the character ~ we must be very careful because they are NOT PHP files that the web server understands that it should 
...<\/p>","protected":false},"author":2,"featured_media":30219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2026,2017,2013,2021,2024,2014,2027,2025],"tags":[],"class_list":["post-30218","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-consola","category-cpanel-hosting","category-disenoweb","category-hospedaje-web","category-linux","category-programacionweb","category-seguridad","category-servidores"],"jetpack_featured_media_url":"https:\/\/webirix.com\/wp-content\/uploads\/2014\/05\/consejos_seguridad_ordenador-644x450.jpg","_links":{"self":[{"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/posts\/30218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/comments?post=30218"}],"version-history":[{"count":2,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/posts\/30218\/revisions"}],"predecessor-version":[{"id":30221,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/posts\/30218\/revisions\/30221"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/media\/30219"}],"wp:attachment":[{"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/media?parent=30218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/categories?post=30218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webirix.com\/en\/wp-json\/wp\/v2\/tags?post=30218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}