Re: [PHP] Deny processing of non included files
On Thu, February 15, 2007 10:11 am, Jon Anderson wrote: > Easy answer: deny access to them. Use your web server to prevent > execution of the files. Generally, if you're using Apache, you can > just > do this: > > > Order Allow,Deny > Deny From All > > > You may also be able to do that from a .htaccess file. It's easy to get "bit" by this if you move your application over, and forget to include the .htaccess file in your tarball, as: tar -cvf export.tar * does NOT include .htaccess file :-( I've had it happen. I was lucky enough that the whole thing didn't work, as there were other .htaccess settings that made it immediately apparent things were not right. But if all you have in .htaccess is the blockage of the PHP scripts you don't want exposed, you could all too easily mess this up in a server move. There is no real reason for the include files to be in the web tree at all. They are NOT web documents, there should never be a URL that resolves to them, for anybody. Just move them out from the web tree completely, and breathe easier is my advice. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
On Thu, February 15, 2007 9:44 am, Tim wrote: > typing http://sitename/modules/thismodule/admin/index.php, this file > will > only be processed by the browser if and only if it has been included > by > http://sitename/admin/index.php One simple way to be sure it's not access directly by the browser is to just MOVE it out of the web tree and set up your include_path to include the new location. Then it can't be surfed to AT ALL, much less executed as PHP code. > file directly? Or should i believe it doesn't really matter as in a > production environment display_errors is set to off so no error output > will > be shown... Hmmm. Random bits of code being executed completely out of sequence in ways you've never even imaginged, much less tested. I don't think that's something you want to ignore, personally... > 2. what is the assesed security risk if someone access a file directly > even > if it does not output anything? What does the file contain? exec("rm -rf /"); mysql_query($_GET['query']); include $file; Hopefully you have nothing that blatantly wrong in your PHP. Unfortunately, you probably DO have something much more subtle somewhere in your PHP code, for any large project. I'd say the risk is fairly low, but the CONSEQUENCES are immeasurable. Given that it's trivial to move the files and set up include_path, I'd recommend you just fix it. > 3. is their a way to check that a file has been included by such and > such > file or should i develop a hash system where the top page that > includes > files generates a hash, stores it in the db for the length of the > script and > in a variable, and have the included file check that the variable from > the > top file and the hash in the db correspond? You could do all that as well... Or, possibly, simply write robust code that errors out if more normal things are out of whack, like the DB object you expected to be created at the beginning. For that matter, your script should error out gracefully if, in the MIDDLE of your script, the DB process DIES. It's amazing how many PHP scripts don't have even rudimentary checking on their result, and just assume the DB is still there, just because mysql_connect( )succeeded at the beginning. Bad News: The DB could easily go down AFTER mysql_connect() but before you actually do anything useful. Your PHP code should handle that. > Security is driving me insane i'm becoming totally psychotic at the > possiblity of someone taking over my admin systems... But are you paranoid enough? :-) You are now in a normal state of security-conciousness. Learn to accept it, embrace it even. MUST READ: http://phpsec.org/ -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Deny processing of non included files
Ok i have actually discovered a great side-effect that i thought i'd share with any interested by using these .htaccess directives. As i only have two index.php files on the site and they are the only two files accesible through browser i have done this: Order Deny,Allow Deny from All Order Deny,Allow Allow from All Order Deny,Allow Allow from All Now the great side affect i told you about is that you cannot blind check the presence of *.php files in any directory any you file you look for regardless if it exists returns a 403 forbidden, so it is impossible to find the structure of the site... You can though test for directories. These directives along with a site that uses index.php as an engine to generate content via includes, are great for really restricing site access (of course this does not mean my includes don't have holes but thats another issue) on top of a regular authentication. And makes it easier for my own authentication system as i only have to authenticate through one file index.php thus not needing any authentication on any of the included files as suggested, and not needing to worry about that "test.php" file that got forgotten during dev or something, or even a user uploading a $.php file i dont want him to execute.. Thanks guys, Regards, Tim > -Message d'origine- > De : Jon Anderson [mailto:[EMAIL PROTECTED] > Envoyé : jeudi 15 février 2007 17:11 > À : Tim > Cc : 'php-general' > Objet : Re: [PHP] Deny processing of non included files > > Easy answer: deny access to them. Use your web server to > prevent execution of the files. Generally, if you're using > Apache, you can just do this: > > > Order Allow,Deny > Deny From All > > > You may also be able to do that from a .htaccess file. > > If you can't configure the server, just use a define at the > top of your index script: > > define('__INDEX_PHP',TRUE); > > Then just check it with a one-liner at the top of each script > that is for inclusion only. > > Tim wrote: > > 1. My included files "assume" the top file has initiated an > instance > > of an certain object thus being able to use the resources of the > > instanced objects in the top file..(obviously i have the necessary > > checks to make sure the instance has been created before > including the > > file) -Should i be initializing new instances of the object > at the top > > of each included file to prevent errors from appearing > incase someone > > access the file directly? Or should i believe it doesn't > really matter > > as in a production environment display_errors is set to off so no > > error output will be shown... > > > I don't think you ever want include files to be executed in > the wrong context. Just deny access. > > If anything, just make an index.php page in each module dir > that contains only "Thanks for visiting this page, but the > link you followed is probably mistyped. Try href=\"$document_root\">this instead." > > 2. what is the assesed security risk if someone access a > file directly > > even if it does not output anything? > > > Depends on what the file contains. If it contains this: > "`sudo rm -r $directory/*`", then the results could be > disastrous, but let's hope that it wouldn't contain code like > that. :-) > > 3. is their a way to check that a file has been included by > such and > > such file or should i develop a hash system where the top page that > > includes files generates a hash, stores it in the db for > the length of > > the script and in a variable, and have the included file check that > > the variable from the top file and the hash in the db correspond? > See above "define(...)" bit, which is really based on the old C header > trick: > > #ifndef __SOME_FILE_H > #define __SOME_FILE_H > > > > #endif > > jon > > -- > PHP General Mailing List (http://www.php.net/) To > unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
At 4:44 PM +0100 2/15/07, Tim wrote: OK here is the background: My app will: have an admin access at http://sitename/admin/ Obviously authenticated users only are allowed access.. Now my issues is this, i do all the processing from a single index.php in admin/ folder that includes files from all over the webapp directory structure for example modules/thismodule/admin/index.php folder for getting the admin page for the module or modules/thismodule/index.php for displaying the modules in the public part of the page etc.. You get the picture.. What i want is to restrict acces to all these "included" php files such that by typing http://sitename/modules/thismodule/admin/index.php, this file will only be processed by the browser if and only if it has been included by http://sitename/admin/index.php NO "included" php file should be able to be processed by itself or accessed even for files that do not output anything.. So essentially i think i may be doing somethings wrong.. 1. My included files "assume" the top file has initiated an instance of an certain object thus being able to use the resources of the instanced objects in the top file..(obviously i have the necessary checks to make sure the instance has been created before including the file) -Should i be initializing new instances of the object at the top of each included file to prevent errors from appearing incase someone access the file directly? Or should i believe it doesn't really matter as in a production environment display_errors is set to off so no error output will be shown... 2. what is the assesed security risk if someone access a file directly even if it does not output anything? 3. is their a way to check that a file has been included by such and such file or should i develop a hash system where the top page that includes files generates a hash, stores it in the db for the length of the script and in a variable, and have the included file check that the variable from the top file and the hash in the db correspond? Security is driving me insane i'm becoming totally psychotic at the possiblity of someone taking over my admin systems... Regards, Tim Tim: Use require_once ("auth.php"); in every include. This should be the same auth code you use for your admin page. If you want I can provide an example. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Deny processing of non included files
> -Message d'origine- > De : Jon Anderson [mailto:[EMAIL PROTECTED] > Envoyé : jeudi 15 février 2007 17:11 > À : Tim > Cc : 'php-general' > Objet : Re: [PHP] Deny processing of non included files > > Easy answer: deny access to them. Use your web server to > prevent execution of the files. Generally, if you're using > Apache, you can just do this: > > > Order Allow,Deny > Deny From All > Great i'll go the .htaccess way i don't need any files accesible through the browser other then http://thissite/index.php and http://thissite/admin/index.php. > You may also be able to do that from a .htaccess file. > > If you can't configure the server, just use a define at the > top of your index script: > > define('__INDEX_PHP',TRUE); > > Then just check it with a one-liner at the top of each script > that is for inclusion only. > > Tim wrote: > > 1. My included files "assume" the top file has initiated an > instance > > of an certain object thus being able to use the resources of the > > instanced objects in the top file..(obviously i have the necessary > > checks to make sure the instance has been created before > including the > > file) -Should i be initializing new instances of the object > at the top > > of each included file to prevent errors from appearing > incase someone > > access the file directly? Or should i believe it doesn't > really matter > > as in a production environment display_errors is set to off so no > > error output will be shown... > > > I don't think you ever want include files to be executed in > the wrong context. Just deny access. Sure that's what i thought but couldn't get it to work you put me on the right track with the "directory" directive. > If anything, just make an index.php page in each module dir > that contains only "Thanks for visiting this page, but the > link you followed is probably mistyped. Try href=\"$document_root\">this instead." Well i do have a blank index.html in ALL directories to stop directory listing.. > > 2. what is the assesed security risk if someone access a > file directly > > even if it does not output anything? > > > Depends on what the file contains. If it contains this: > "`sudo rm -r $directory/*`", then the results could be > disastrous, but let's hope that it wouldn't contain code like > that. :-) > > 3. is their a way to check that a file has been included by > such and > > such file or should i develop a hash system where the top page that > > includes files generates a hash, stores it in the db for > the length of > > the script and in a variable, and have the included file check that > > the variable from the top file and the hash in the db correspond? > See above "define(...)" bit, which is really based on the old C header > trick: > > #ifndef __SOME_FILE_H > #define __SOME_FILE_H > > > > #endif Ok lets just deny access :) Thanks a bunch ;) Tim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
Easy answer: deny access to them. Use your web server to prevent execution of the files. Generally, if you're using Apache, you can just do this: Order Allow,Deny Deny From All You may also be able to do that from a .htaccess file. If you can't configure the server, just use a define at the top of your index script: define('__INDEX_PHP',TRUE); Then just check it with a one-liner at the top of each script that is for inclusion only. Tim wrote: 1. My included files "assume" the top file has initiated an instance of an certain object thus being able to use the resources of the instanced objects in the top file..(obviously i have the necessary checks to make sure the instance has been created before including the file) -Should i be initializing new instances of the object at the top of each included file to prevent errors from appearing incase someone access the file directly? Or should i believe it doesn't really matter as in a production environment display_errors is set to off so no error output will be shown... I don't think you ever want include files to be executed in the wrong context. Just deny access. If anything, just make an index.php page in each module dir that contains only "Thanks for visiting this page, but the link you followed is probably mistyped. Try this instead." 2. what is the assesed security risk if someone access a file directly even if it does not output anything? Depends on what the file contains. If it contains this: "`sudo rm -r $directory/*`", then the results could be disastrous, but let's hope that it wouldn't contain code like that. :-) 3. is their a way to check that a file has been included by such and such file or should i develop a hash system where the top page that includes files generates a hash, stores it in the db for the length of the script and in a variable, and have the included file check that the variable from the top file and the hash in the db correspond? See above "define(...)" bit, which is really based on the old C header trick: #ifndef __SOME_FILE_H #define __SOME_FILE_H #endif jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php