Re: [PHP] Deny processing of non included files
Easy answer: deny access to them. Use your web server to prevent
execution of the files. Generally, if you're using Apache, you can just
do this:
Directory /path/to/modules/
Order Allow,Deny
Deny From All
/Directory
You may also be able to do that from a .htaccess file.
If you can't configure the server, just use a define at the top of your
index script:
define('__INDEX_PHP',TRUE);
Then just check it with a one-liner at the top of each script that is
for inclusion only.
Tim wrote:
1. My included files assume the top file has initiated an instance of an
certain object thus being able to use the resources of the instanced objects
in the top file..(obviously i have the necessary checks to make sure the
instance has been created before including the file)
-Should i be initializing new instances of the object at the top of each
included file to prevent errors from appearing incase someone access the
file directly? Or should i believe it doesn't really matter as in a
production environment display_errors is set to off so no error output will
be shown...
I don't think you ever want include files to be executed in the wrong
context. Just deny access.
If anything, just make an index.php page in each module dir that
contains only Thanks for visiting this page, but the link you followed
is probably mistyped. Try a href=\$document_root\this/a instead.
2. what is the assesed security risk if someone access a file directly even
if it does not output anything?
Depends on what the file contains. If it contains this: `sudo rm -r
$directory/*`, then the results could be disastrous, but let's hope
that it wouldn't contain code like that. :-)
3. is their a way to check that a file has been included by such and such
file or should i develop a hash system where the top page that includes
files generates a hash, stores it in the db for the length of the script and
in a variable, and have the included file check that the variable from the
top file and the hash in the db correspond?
See above define(...) bit, which is really based on the old C header
trick:
#ifndef __SOME_FILE_H
#define __SOME_FILE_H
a bunch of stuff
#endif
jon
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Deny processing of non included files
-Message d'origine-
De : Jon Anderson [mailto:[EMAIL PROTECTED]
Envoyé : jeudi 15 février 2007 17:11
À : Tim
Cc : 'php-general'
Objet : Re: [PHP] Deny processing of non included files
Easy answer: deny access to them. Use your web server to
prevent execution of the files. Generally, if you're using
Apache, you can just do this:
Directory /path/to/modules/
Order Allow,Deny
Deny From All
/Directory
Great i'll go the .htaccess way i don't need any files accesible through the
browser other then http://thissite/index.php and
http://thissite/admin/index.php.
You may also be able to do that from a .htaccess file.
If you can't configure the server, just use a define at the
top of your index script:
define('__INDEX_PHP',TRUE);
Then just check it with a one-liner at the top of each script
that is for inclusion only.
Tim wrote:
1. My included files assume the top file has initiated an
instance
of an certain object thus being able to use the resources of the
instanced objects in the top file..(obviously i have the necessary
checks to make sure the instance has been created before
including the
file) -Should i be initializing new instances of the object
at the top
of each included file to prevent errors from appearing
incase someone
access the file directly? Or should i believe it doesn't
really matter
as in a production environment display_errors is set to off so no
error output will be shown...
I don't think you ever want include files to be executed in
the wrong context. Just deny access.
Sure that's what i thought but couldn't get it to work you put me on the
right track with the directory directive.
If anything, just make an index.php page in each module dir
that contains only Thanks for visiting this page, but the
link you followed is probably mistyped. Try a
href=\$document_root\this/a instead.
Well i do have a blank index.html in ALL directories to stop directory
listing..
2. what is the assesed security risk if someone access a
file directly
even if it does not output anything?
Depends on what the file contains. If it contains this:
`sudo rm -r $directory/*`, then the results could be
disastrous, but let's hope that it wouldn't contain code like
that. :-)
3. is their a way to check that a file has been included by
such and
such file or should i develop a hash system where the top page that
includes files generates a hash, stores it in the db for
the length of
the script and in a variable, and have the included file check that
the variable from the top file and the hash in the db correspond?
See above define(...) bit, which is really based on the old C header
trick:
#ifndef __SOME_FILE_H
#define __SOME_FILE_H
a bunch of stuff
#endif
Ok lets just deny access :)
Thanks a bunch ;)
Tim
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
At 4:44 PM +0100 2/15/07, Tim wrote: OK here is the background: My app will: have an admin access at http://sitename/admin/ Obviously authenticated users only are allowed access.. Now my issues is this, i do all the processing from a single index.php in admin/ folder that includes files from all over the webapp directory structure for example modules/thismodule/admin/index.php folder for getting the admin page for the module or modules/thismodule/index.php for displaying the modules in the public part of the page etc.. You get the picture.. What i want is to restrict acces to all these included php files such that by typing http://sitename/modules/thismodule/admin/index.php, this file will only be processed by the browser if and only if it has been included by http://sitename/admin/index.php NO included php file should be able to be processed by itself or accessed even for files that do not output anything.. So essentially i think i may be doing somethings wrong.. 1. My included files assume the top file has initiated an instance of an certain object thus being able to use the resources of the instanced objects in the top file..(obviously i have the necessary checks to make sure the instance has been created before including the file) -Should i be initializing new instances of the object at the top of each included file to prevent errors from appearing incase someone access the file directly? Or should i believe it doesn't really matter as in a production environment display_errors is set to off so no error output will be shown... 2. what is the assesed security risk if someone access a file directly even if it does not output anything? 3. is their a way to check that a file has been included by such and such file or should i develop a hash system where the top page that includes files generates a hash, stores it in the db for the length of the script and in a variable, and have the included file check that the variable from the top file and the hash in the db correspond? Security is driving me insane i'm becoming totally psychotic at the possiblity of someone taking over my admin systems... Regards, Tim Tim: Use require_once (auth.php); in every include. This should be the same auth code you use for your admin page. If you want I can provide an example. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Deny processing of non included files
Ok i have actually discovered a great side-effect that i thought i'd share
with any interested by using these .htaccess directives.
As i only have two index.php files on the site and they are the only two
files accesible through browser i have done this:
Files *.*
Order Deny,Allow
Deny from All
/Files
Files index.php
Order Deny,Allow
Allow from All
/Files
Files *.css
Order Deny,Allow
Allow from All
/Files
Now the great side affect i told you about is that you cannot blind check
the presence of *.php files in any directory any you file you look for
regardless if it exists returns a 403 forbidden, so it is impossible to find
the structure of the site...
You can though test for directories.
These directives along with a site that uses index.php as an engine to
generate content via includes, are great for really restricing site access
(of course this does not mean my includes don't have holes but thats another
issue) on top of a regular authentication. And makes it easier for my own
authentication system as i only have to authenticate through one file
index.php thus not needing any authentication on any of the included files
as suggested, and not needing to worry about that test.php file that got
forgotten during dev or something, or even a user uploading a $.php file i
dont want him to execute..
Thanks guys,
Regards,
Tim
-Message d'origine-
De : Jon Anderson [mailto:[EMAIL PROTECTED]
Envoyé : jeudi 15 février 2007 17:11
À : Tim
Cc : 'php-general'
Objet : Re: [PHP] Deny processing of non included files
Easy answer: deny access to them. Use your web server to
prevent execution of the files. Generally, if you're using
Apache, you can just do this:
Directory /path/to/modules/
Order Allow,Deny
Deny From All
/Directory
You may also be able to do that from a .htaccess file.
If you can't configure the server, just use a define at the
top of your index script:
define('__INDEX_PHP',TRUE);
Then just check it with a one-liner at the top of each script
that is for inclusion only.
Tim wrote:
1. My included files assume the top file has initiated an
instance
of an certain object thus being able to use the resources of the
instanced objects in the top file..(obviously i have the necessary
checks to make sure the instance has been created before
including the
file) -Should i be initializing new instances of the object
at the top
of each included file to prevent errors from appearing
incase someone
access the file directly? Or should i believe it doesn't
really matter
as in a production environment display_errors is set to off so no
error output will be shown...
I don't think you ever want include files to be executed in
the wrong context. Just deny access.
If anything, just make an index.php page in each module dir
that contains only Thanks for visiting this page, but the
link you followed is probably mistyped. Try a
href=\$document_root\this/a instead.
2. what is the assesed security risk if someone access a
file directly
even if it does not output anything?
Depends on what the file contains. If it contains this:
`sudo rm -r $directory/*`, then the results could be
disastrous, but let's hope that it wouldn't contain code like
that. :-)
3. is their a way to check that a file has been included by
such and
such file or should i develop a hash system where the top page that
includes files generates a hash, stores it in the db for
the length of
the script and in a variable, and have the included file check that
the variable from the top file and the hash in the db correspond?
See above define(...) bit, which is really based on the old C header
trick:
#ifndef __SOME_FILE_H
#define __SOME_FILE_H
a bunch of stuff
#endif
jon
--
PHP General Mailing List (http://www.php.net/) To
unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
On Thu, February 15, 2007 9:44 am, Tim wrote: typing http://sitename/modules/thismodule/admin/index.php, this file will only be processed by the browser if and only if it has been included by http://sitename/admin/index.php One simple way to be sure it's not access directly by the browser is to just MOVE it out of the web tree and set up your include_path to include the new location. Then it can't be surfed to AT ALL, much less executed as PHP code. file directly? Or should i believe it doesn't really matter as in a production environment display_errors is set to off so no error output will be shown... Hmmm. Random bits of code being executed completely out of sequence in ways you've never even imaginged, much less tested. I don't think that's something you want to ignore, personally... 2. what is the assesed security risk if someone access a file directly even if it does not output anything? What does the file contain? exec(rm -rf /); mysql_query($_GET['query']); include $file; Hopefully you have nothing that blatantly wrong in your PHP. Unfortunately, you probably DO have something much more subtle somewhere in your PHP code, for any large project. I'd say the risk is fairly low, but the CONSEQUENCES are immeasurable. Given that it's trivial to move the files and set up include_path, I'd recommend you just fix it. 3. is their a way to check that a file has been included by such and such file or should i develop a hash system where the top page that includes files generates a hash, stores it in the db for the length of the script and in a variable, and have the included file check that the variable from the top file and the hash in the db correspond? You could do all that as well... Or, possibly, simply write robust code that errors out if more normal things are out of whack, like the DB object you expected to be created at the beginning. For that matter, your script should error out gracefully if, in the MIDDLE of your script, the DB process DIES. It's amazing how many PHP scripts don't have even rudimentary checking on their result, and just assume the DB is still there, just because mysql_connect( )succeeded at the beginning. Bad News: The DB could easily go down AFTER mysql_connect() but before you actually do anything useful. Your PHP code should handle that. Security is driving me insane i'm becoming totally psychotic at the possiblity of someone taking over my admin systems... But are you paranoid enough? :-) You are now in a normal state of security-conciousness. Learn to accept it, embrace it even. MUST READ: http://phpsec.org/ -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Deny processing of non included files
On Thu, February 15, 2007 10:11 am, Jon Anderson wrote: Easy answer: deny access to them. Use your web server to prevent execution of the files. Generally, if you're using Apache, you can just do this: Directory /path/to/modules/ Order Allow,Deny Deny From All /Directory You may also be able to do that from a .htaccess file. It's easy to get bit by this if you move your application over, and forget to include the .htaccess file in your tarball, as: tar -cvf export.tar * does NOT include .htaccess file :-( I've had it happen. I was lucky enough that the whole thing didn't work, as there were other .htaccess settings that made it immediately apparent things were not right. But if all you have in .htaccess is the blockage of the PHP scripts you don't want exposed, you could all too easily mess this up in a server move. There is no real reason for the include files to be in the web tree at all. They are NOT web documents, there should never be a URL that resolves to them, for anybody. Just move them out from the web tree completely, and breathe easier is my advice. -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
