Most sites are hacked because they were using vulnerable scripts. You might wonder how a script you have used for many years without any problem could now be the reason your site was hacked. You will not trust this statement, and will blame the web hosting provider for not implementing proper security on its server, or will say that the server is compromised. Web hosting companies do not take the blame either; they will say that only your site was hacked and the rest of the server is secure. Would you believe that, according to surveys conducted by most companies, most of the easily available CGI scripts are vulnerable? Once a cracker has exploited the vulnerabilities in your scripts and reached your directory, he will try to install other CGI, PHP or other scripts that take control of your content, and from then on it depends on the cracker what he wants to display on the site. Content is the key, and you lose control over it.
Most of the scripts available on the Internet have not been tested against the various parameters passed in the URL. You are attracted by the look a script gives your website, but forget to check whether it has been tested. Novice programmers have a propensity to err; experienced ones check their scripts properly, looking at what goes to the server and how the server responds to requests. An unskilled programmer leaves gaps in his code, which a smart hacker can easily exploit to gain access. You could say that not only the code but the programmer too is a big vulnerability.
You can find institutes on every street teaching programming to many novice students, and once they learn the core of programming along with some database queries, they start programming; they really are ignorant programmers. These institutes cannot be blamed for that, as they can only teach how to use the programming language; programming in a secure way is an inherent quality that the programmer acquires through experience. How to build secure code is not taught in institutes; it has to be learned through research. This new generation is in a hurry. They want to reach great heights in a very short time, they are too lazy to read new material, and they are the people who want to start using something before learning everything about it. It is true: who wants to spend so much time? Experience teaches them everything, but learning from mistakes in the real world is not considered good enough. Who will sacrifice his website because you are in learning mode?
Most Internet programmers choose PHP instead of Java, as most of them are reluctant to use something that is a drag on system resources. They love programming with the PHP-CGI combination. I would say most of today's people are not programmers; they are basically hackers who just rebuild already-written scripts for their purpose, and the game is over.
You might have heard of the well-known PHP-Nuke, which lets users have a forum, chat and news service on their website. Thousands of website owners might have installed PHP-Nuke on their websites, and I suppose most of them are not aware of its vulnerability issue. It has a parameter vulnerability problem. All of its script parameters are passed in the URL string of the browser. The developer assumed that only a number would be passed in it. But any good hacker who knows the structure of the database used in PHP-Nuke can easily exploit this. Learning the structure is also easy, as PHP-Nuke is a freely available script that comes with its source code. A hacker can run an SQL query against the database server through the ID parameter and obtain the passwords of the registered users. You will say that the passwords are stored in encrypted form, but you will agree that it is very easy for a hacker to crack and decrypt them.
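The "number only" assumption described above, shown as an added example that is not PHP-Nuke's code: a query built by concatenating the URL parameter next to one that validates the ID as an integer and binds it. The table, the function names and the sample inputs are hypothetical and constructed for illustration, and the example assumes PHP with the PDO SQLite driver.

```php
<?php
// Constructed sample data: an in-memory table standing in for content that a
// numeric "id" URL parameter selects from. All names here are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stories (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO stories (title) VALUES ('First'), ('Second'), ('Third')");

// Vulnerable pattern: the parameter is assumed to be a number and is
// concatenated into the SQL text, so its content becomes part of the query.
function story_unsafe(PDO $pdo, string $rawId): array
{
    return $pdo->query('SELECT id, title FROM stories WHERE id = ' . $rawId)
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: enforce the "number only" assumption, then bind the
// value so it is never parsed as SQL.
function story_safe(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM stories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one well-formed id and one that breaks the assumption.
foreach (['2', '2 OR 1=1'] as $input) {
    printf("input %-10s unsafe rows: %d\n", "'$input'", count(story_unsafe($pdo, $input)));
    try {
        printf("input %-10s safe rows:   %d\n", "'$input'", count(story_safe($pdo, $input)));
    } catch (InvalidArgumentException $e) {
        printf("input %-10s rejected:    %s\n", "'$input'", $e->getMessage());
    }
}
```

With the second input the concatenated query returns every row in the table, while the validated version refuses the request before any SQL is run.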
Most of the free scripts use Perl. Perl was developed for manipulating the system and was not intended for the Internet. Programmers use Perl scripts to handle remote servers, but hackers can also use them to take control of a dedicated server.
It is advisable to scan these free scripts for vulnerabilities before using them. Once you are aware of the vulnerabilities you can find ways to block them; you cannot leave things for God to handle. Most web hosting companies won't help with free scripts.