Re: [PHP] Deny processing of non included files
On Thu, February 15, 2007 10:11 am, Jon Anderson wrote: > Easy answer: deny access to them. Use your web server to prevent > execution of the files. Generally, if you're using Apache, you can > just > do this: > > > Order Allow,Deny > Deny From All > > > You may also be able to do that from a .htaccess file. It's easy to get "bit" by this if you move your application over, and forget to include the .htaccess file in your tarball, as: tar -cvf export.tar * does NOT include .htaccess file :-( I've had it happen. I was lucky enough that the whole thing didn't work, as there were other .htaccess settings that made it immediately apparent things were not right. But if all you have in .htaccess is the blockage of the PHP scripts you don't want exposed, you could all too easily mess this up in a server move. There is no real reason for the include files to be in the web tree at all. They are NOT web documents, there should never be a URL that resolves to them, for anybody. Just move them out from the web tree completely, and breathe easier is my advice. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
On Thu, February 15, 2007 9:44 am, Tim wrote:
> typing http://sitename/modules/thismodule/admin/index.php, this file
> will
> only be processed by the browser if and only if it has been included
> by
> http://sitename/admin/index.php
One simple way to be sure it's not access directly by the browser is
to just MOVE it out of the web tree and set up your include_path to
include the new location.
Then it can't be surfed to AT ALL, much less executed as PHP code.
> file directly? Or should i believe it doesn't really matter as in a
> production environment display_errors is set to off so no error output
> will
> be shown...
Hmmm.
Random bits of code being executed completely out of sequence in ways
you've never even imaginged, much less tested.
I don't think that's something you want to ignore, personally...
> 2. what is the assesed security risk if someone access a file directly
> even
> if it does not output anything?
What does the file contain?
exec("rm -rf /");
mysql_query($_GET['query']);
include $file;
Hopefully you have nothing that blatantly wrong in your PHP.
Unfortunately, you probably DO have something much more subtle
somewhere in your PHP code, for any large project.
I'd say the risk is fairly low, but the CONSEQUENCES are immeasurable.
Given that it's trivial to move the files and set up include_path, I'd
recommend you just fix it.
> 3. is their a way to check that a file has been included by such and
> such
> file or should i develop a hash system where the top page that
> includes
> files generates a hash, stores it in the db for the length of the
> script and
> in a variable, and have the included file check that the variable from
> the
> top file and the hash in the db correspond?
You could do all that as well...
Or, possibly, simply write robust code that errors out if more normal
things are out of whack, like the DB object you expected to be created
at the beginning.
For that matter, your script should error out gracefully if, in the
MIDDLE of your script, the DB process DIES.
It's amazing how many PHP scripts don't have even rudimentary checking
on their result, and just assume the DB is still there, just because
mysql_connect( )succeeded at the beginning. Bad News: The DB could
easily go down AFTER mysql_connect() but before you actually do
anything useful. Your PHP code should handle that.
> Security is driving me insane i'm becoming totally psychotic at the
> possiblity of someone taking over my admin systems...
But are you paranoid enough? :-)
You are now in a normal state of security-conciousness.
Learn to accept it, embrace it even.
MUST READ:
http://phpsec.org/
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Deny processing of non included files
Ok i have actually discovered a great side-effect that i thought i'd share
with any interested by using these .htaccess directives.
As i only have two index.php files on the site and they are the only two
files accesible through browser i have done this:
Order Deny,Allow
Deny from All
Order Deny,Allow
Allow from All
Order Deny,Allow
Allow from All
Now the great side affect i told you about is that you cannot blind check
the presence of *.php files in any directory any you file you look for
regardless if it exists returns a 403 forbidden, so it is impossible to find
the structure of the site...
You can though test for directories.
These directives along with a site that uses index.php as an engine to
generate content via includes, are great for really restricing site access
(of course this does not mean my includes don't have holes but thats another
issue) on top of a regular authentication. And makes it easier for my own
authentication system as i only have to authenticate through one file
index.php thus not needing any authentication on any of the included files
as suggested, and not needing to worry about that "test.php" file that got
forgotten during dev or something, or even a user uploading a $.php file i
dont want him to execute..
Thanks guys,
Regards,
Tim
> -Message d'origine-
> De : Jon Anderson [mailto:[EMAIL PROTECTED]
> Envoyé : jeudi 15 février 2007 17:11
> À : Tim
> Cc : 'php-general'
> Objet : Re: [PHP] Deny processing of non included files
>
> Easy answer: deny access to them. Use your web server to
> prevent execution of the files. Generally, if you're using
> Apache, you can just do this:
>
>
> Order Allow,Deny
> Deny From All
>
>
> You may also be able to do that from a .htaccess file.
>
> If you can't configure the server, just use a define at the
> top of your index script:
>
> define('__INDEX_PHP',TRUE);
>
> Then just check it with a one-liner at the top of each script
> that is for inclusion only.
>
> Tim wrote:
> > 1. My included files "assume" the top file has initiated an
> instance
> > of an certain object thus being able to use the resources of the
> > instanced objects in the top file..(obviously i have the necessary
> > checks to make sure the instance has been created before
> including the
> > file) -Should i be initializing new instances of the object
> at the top
> > of each included file to prevent errors from appearing
> incase someone
> > access the file directly? Or should i believe it doesn't
> really matter
> > as in a production environment display_errors is set to off so no
> > error output will be shown...
> >
> I don't think you ever want include files to be executed in
> the wrong context. Just deny access.
>
> If anything, just make an index.php page in each module dir
> that contains only "Thanks for visiting this page, but the
> link you followed is probably mistyped. Try href=\"$document_root\">this instead."
> > 2. what is the assesed security risk if someone access a
> file directly
> > even if it does not output anything?
> >
> Depends on what the file contains. If it contains this:
> "`sudo rm -r $directory/*`", then the results could be
> disastrous, but let's hope that it wouldn't contain code like
> that. :-)
> > 3. is their a way to check that a file has been included by
> such and
> > such file or should i develop a hash system where the top page that
> > includes files generates a hash, stores it in the db for
> the length of
> > the script and in a variable, and have the included file check that
> > the variable from the top file and the hash in the db correspond?
> See above "define(...)" bit, which is really based on the old C header
> trick:
>
> #ifndef __SOME_FILE_H
> #define __SOME_FILE_H
>
>
>
> #endif
>
> jon
>
> --
> PHP General Mailing List (http://www.php.net/) To
> unsubscribe, visit: http://www.php.net/unsub.php
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
At 4:44 PM +0100 2/15/07, Tim wrote:
OK here is the background:
My app will: have an admin access at http://sitename/admin/
Obviously authenticated users only are allowed access..
Now my issues is this, i do all the processing from a single index.php in
admin/ folder that includes files from all over the webapp directory
structure for example modules/thismodule/admin/index.php folder for getting
the admin page for the module or modules/thismodule/index.php for displaying
the modules in the public part of the page etc.. You get the picture.. What
i want is to restrict acces to all these "included" php files such that by
typing http://sitename/modules/thismodule/admin/index.php, this file will
only be processed by the browser if and only if it has been included by
http://sitename/admin/index.php
NO "included" php file should be able to be processed by itself or accessed
even for files that do not output anything..
So essentially i think i may be doing somethings wrong..
1. My included files "assume" the top file has initiated an instance of an
certain object thus being able to use the resources of the instanced objects
in the top file..(obviously i have the necessary checks to make sure the
instance has been created before including the file)
-Should i be initializing new instances of the object at the top of each
included file to prevent errors from appearing incase someone access the
file directly? Or should i believe it doesn't really matter as in a
production environment display_errors is set to off so no error output will
be shown...
2. what is the assesed security risk if someone access a file directly even
if it does not output anything?
3. is their a way to check that a file has been included by such and such
file or should i develop a hash system where the top page that includes
files generates a hash, stores it in the db for the length of the script and
in a variable, and have the included file check that the variable from the
top file and the hash in the db correspond?
Security is driving me insane i'm becoming totally psychotic at the
possiblity of someone taking over my admin systems...
Regards,
Tim
Tim:
Use require_once ("auth.php"); in every include. This should be the
same auth code you use for your admin page. If you want I can provide
an example.
Cheers,
tedd
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Deny processing of non included files
> -Message d'origine-
> De : Jon Anderson [mailto:[EMAIL PROTECTED]
> Envoyé : jeudi 15 février 2007 17:11
> À : Tim
> Cc : 'php-general'
> Objet : Re: [PHP] Deny processing of non included files
>
> Easy answer: deny access to them. Use your web server to
> prevent execution of the files. Generally, if you're using
> Apache, you can just do this:
>
>
> Order Allow,Deny
> Deny From All
>
Great i'll go the .htaccess way i don't need any files accesible through the
browser other then http://thissite/index.php and
http://thissite/admin/index.php.
> You may also be able to do that from a .htaccess file.
>
> If you can't configure the server, just use a define at the
> top of your index script:
>
> define('__INDEX_PHP',TRUE);
>
> Then just check it with a one-liner at the top of each script
> that is for inclusion only.
>
> Tim wrote:
> > 1. My included files "assume" the top file has initiated an
> instance
> > of an certain object thus being able to use the resources of the
> > instanced objects in the top file..(obviously i have the necessary
> > checks to make sure the instance has been created before
> including the
> > file) -Should i be initializing new instances of the object
> at the top
> > of each included file to prevent errors from appearing
> incase someone
> > access the file directly? Or should i believe it doesn't
> really matter
> > as in a production environment display_errors is set to off so no
> > error output will be shown...
> >
> I don't think you ever want include files to be executed in
> the wrong context. Just deny access.
Sure that's what i thought but couldn't get it to work you put me on the
right track with the "directory" directive.
> If anything, just make an index.php page in each module dir
> that contains only "Thanks for visiting this page, but the
> link you followed is probably mistyped. Try href=\"$document_root\">this instead."
Well i do have a blank index.html in ALL directories to stop directory
listing..
> > 2. what is the assesed security risk if someone access a
> file directly
> > even if it does not output anything?
> >
> Depends on what the file contains. If it contains this:
> "`sudo rm -r $directory/*`", then the results could be
> disastrous, but let's hope that it wouldn't contain code like
> that. :-)
> > 3. is their a way to check that a file has been included by
> such and
> > such file or should i develop a hash system where the top page that
> > includes files generates a hash, stores it in the db for
> the length of
> > the script and in a variable, and have the included file check that
> > the variable from the top file and the hash in the db correspond?
> See above "define(...)" bit, which is really based on the old C header
> trick:
>
> #ifndef __SOME_FILE_H
> #define __SOME_FILE_H
>
>
>
> #endif
Ok lets just deny access :)
Thanks a bunch ;)
Tim
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
Easy answer: deny access to them. Use your web server to prevent
execution of the files. Generally, if you're using Apache, you can just
do this:
Order Allow,Deny
Deny From All
You may also be able to do that from a .htaccess file.
If you can't configure the server, just use a define at the top of your
index script:
define('__INDEX_PHP',TRUE);
Then just check it with a one-liner at the top of each script that is
for inclusion only.
Tim wrote:
1. My included files "assume" the top file has initiated an instance of an
certain object thus being able to use the resources of the instanced objects
in the top file..(obviously i have the necessary checks to make sure the
instance has been created before including the file)
-Should i be initializing new instances of the object at the top of each
included file to prevent errors from appearing incase someone access the
file directly? Or should i believe it doesn't really matter as in a
production environment display_errors is set to off so no error output will
be shown...
I don't think you ever want include files to be executed in the wrong
context. Just deny access.
If anything, just make an index.php page in each module dir that
contains only "Thanks for visiting this page, but the link you followed
is probably mistyped. Try this instead."
2. what is the assesed security risk if someone access a file directly even
if it does not output anything?
Depends on what the file contains. If it contains this: "`sudo rm -r
$directory/*`", then the results could be disastrous, but let's hope
that it wouldn't contain code like that. :-)
3. is their a way to check that a file has been included by such and such
file or should i develop a hash system where the top page that includes
files generates a hash, stores it in the db for the length of the script and
in a variable, and have the included file check that the variable from the
top file and the hash in the db correspond?
See above "define(...)" bit, which is really based on the old C header
trick:
#ifndef __SOME_FILE_H
#define __SOME_FILE_H
#endif
jon
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
