Webmasters: Review external code!

August 19th, 2007

This morning I walked my parents through the cleaning of their computer, which had gotten infested with everything you can think of. Eventually the culprit was discovered: an installed program that was touting itself as a greeting card e-mailer.

The hours spent cleaning the computer could have been saved had the file been scanned before being installed, but who wouldn't trust such an innocent-sounding program?

People who use computers often of course know not to trust something like that, especially when, as in this case, it comes in an email from an unknown address. But I was thinking afterwards how many times I've seen people put things on websites with the same blind trust.

Typically, by the time your average webmaster sticks something on their website, it's been reviewed by tons of other people, but that isn't something to rely on. People miss things, new bugs are introduced, and some of the programs are intentionally flawed.

I've run into both; both times it was stuff that had been installed by others without looking at the source at all. I remember one, a Sudoku program, had source code similar to this



One glance, and any decent programmer would have known that using this was a terrible idea. On a side note, I decided to go through with this, echoing the code. It sent me through a long loop of more things similar to this before eventually getting to the actual intent of the original programmer. I found it funny that they went through as many steps as they did, as anyone trying to see the end code wasn't going to be fooled by the extra steps.

Another instance wasn't necessarily malicious code, but had the potential to be. I came upon a site that allowed people to use its JavaScript code on their own sites. The JavaScript code had at the beginning a check to see which URL it was being accessed with. If the URL was anything but the original domain, it wouldn't work. The code in the file was harmless, but because it was on another server, it could easily be switched out for malicious code that stole cookies, etc.

Accidental security errors


These are the most common, but can be the most damaging. Almost every large program you can get for your site has had a few, and some have had a lot. This category includes phpBB, WordPress, etc. These programs aren't necessarily programmed worse than something you could create, but because they're much better known, once a bug is found, script kiddies start hitting Google searching for "WordPress" (or whatever) and find your site.

This happened recently with a site in our company. The error was simple: a folder that people could upload images into. The installed script chmod'ed the directory to 777 and didn't check what was being uploaded. Several people realized this about the software, and started uploading their own PHP files onto sites and wreaking havoc. The site in our company was lucky and had other security measures in place, so that nothing could be permanently deleted and no information could be stolen (nothing meaningful, that is), but typically sites aren't this lucky.

If you're going to use external code, make sure that at the least you follow these steps:

If Server Side Code
  • Go through the code looking for the common input problems: input that isn't stripped (or cleaned) of special characters, quotes, HTML tags, etc.
  • Go through the code looking for file uploads that aren't carefully checked. (Note: don't trust the MIME type sent by the browser, since it can be faked. Use a MIME checking function on the server, or use a different way of checking.)
  • Look out for global variables.
  • Look for values that should be kept encrypted that aren't (user information, passwords, etc.).
  • Look for possibly intentionally malicious code. This doesn't happen often, but it's out there. If there is any external code, any obfuscated code, or any sending of information to something outside your domain, it should be ditched.


If Client Side code
  • Make sure that you can run it on your server; don't point to an external JavaScript file.
  • Make sure that the JavaScript file doesn't include other files from outside your server. There are some pretty clever ways to do this now, so make sure you check code that doesn't seem to make much sense.
  • If there's any recording of cookie information, make sure that it needs to be there.
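
A first-pass helper for the two checklists above, written in Python as an added example (it is not code from this post or from any of the programs mentioned). The rule names, the `review()` function and the `example.org` / `example.net` hosts are assumptions made for illustration; the script only marks lines for a human to read.

```python
import re
from urllib.parse import urlparse

# Heuristics taken from the checklist above. A hit means "read this line
# by hand", not "this code is malicious"; a clean result proves nothing.
RULES = {
    "obfuscated-exec": r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(",
    "world-writable": r"\bchmod\s*\([^)]*\b0?777\b",
    "browser-mime-trust": r"\$_FILES\s*\[[^\]]+\]\s*\[\s*['\"]type['\"]\s*\]",
    "raw-input-in-output": r"\b(echo|print)\b[^;]*\$_(GET|POST|REQUEST|COOKIE)\b",
    "global-variable": r"\$GLOBALS\b|\bglobal\s+\$",
    "cookie-access": r"\bdocument\.cookie\b",
    "dynamic-script-include": r"createElement\s*\(\s*['\"]script['\"]|document\.write\s*\(",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}
URL = re.compile(r"https?://[^\s'\"<>()\[\]]+", re.I)  # brackets excluded on purpose

def review(source, own_hosts):
    """Return sorted (line_number, flag) pairs for lines a reviewer should read."""
    own = {h.lower() for h in own_hosts}  # assumption: every host you serve from
    hits = set()
    for number, line in enumerate(source.splitlines(), start=1):
        for name, rx in COMPILED.items():
            if rx.search(line):
                hits.add((number, name))
        for url in URL.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own:
                hits.add((number, "external-host:" + host))
    return sorted(hits)

# Constructed sample input, not code from any real package.
SAMPLE_PHP = """<?php
eval(base64_decode($blob));
chmod($upload_dir, 0777);
if ($_FILES['img']['type'] == 'image/png') { move_uploaded_file($tmp, $dest); }
echo "Hello " . $_GET['name'];
$safe = htmlspecialchars($name, ENT_QUOTES);
"""
SAMPLE_JS = """var s = document.createElement('script');
s.src = 'http://widgets.example.net/sudoku.js';
var seen = document.cookie;
var local = 'https://www.example.org/static/app.js';
"""

if __name__ == "__main__":
    for label, text in (("php", SAMPLE_PHP), ("js", SAMPLE_JS)):
        for number, flag in review(text, {"www.example.org"}):
            print(f"{label}:{number}: {flag}")
```

The last line of each sample is a negative control: escaped output and a URL on your own host produce no flag.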

If you can't follow these steps, then don't use others' code. I know that's harsh, but most of these programs collect personal information. If I use your forum, comment on your blog, etc., I shouldn't have to worry about the safety of your code.

If you must must must use something without reviewing it, put a warning on your site, so I know to stay away.

I'm fairly certain I've forgotten other things you should look for; if so, let me know in the comments.

© Matthew Minix 2010