Re: [PHP] Insecurity with PHP authorization
I have just found this article, which describes this technique: http://apachetoday.com/mailprint.php3?action=pvltsn=2000-06-14-002-01-PS#SetEnvIf

Thank you all for your help. :-))

S

> From: Maxwell Hung [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Insecurity with PHP authorization
> Date: Tue, 7 Aug 2001 11:22:33 +0100 (BST)
>
> Hi Stefan
>
> You can do this
>
>     # Add this to httpd.conf   N.B. apache 1.3.12
>     SetEnvIfNoCase Referer "^http://www.mysite/" local_ref=1
>
>     # place the following into a .htaccess file in the dir you wish to protect the files
>     Options -Indexes
>     # change the extensions you want to protect
>     <FilesMatch "\.(doc|zip|xls|flp)$">
>         Order Allow,Deny
>         Allow from env=local_ref
>     </FilesMatch>
>
> This will stop direct requests to files, as the env var will not be set. I've used it on my setup and it's fine. As noted above, this will only work with apache 1.3.12.
>
> If you get it working, could you forward it to the php list? I can't get there through this a/c.
>
> HTH
> M@
>
> --- Stefen Lars [EMAIL PROTECTED] wrote:
> > Hello all
> >
> > I have just implemented a MySQL authorization: each HTML and PHP page checks to see whether a user is logged in by checking a cookie in the user's browser. The user can log out and edit her profile (including password). If a page is called without the user being logged in, he is presented with a login form. This works very well. There is an SSL connection to the server. Only a hash value of the password is stored in the database.
> >
> > However, if I directly request a graphic (or a ZIP file etc.) from the site, by entering https://www.myserver.com/photo.jpg for example, I can download that file without being logged in (naturally). In the particular *intranet* project that I am working on, this is particularly undesirable, as only personnel at the company's four locations may have access to the intranet. And there certainly will be a lot of 'confidential' ZIP and graphic files placed on the server.
> >
> > I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.
> >
> > Could anyone suggest a method to allow a user to easily edit his password, but at the same time not allow direct access to specific non-PHP files on the intranet server?
> >
> > Perhaps one method would be to restrict access to the company's four gateway servers (IP addresses). However, I feel this is not too secure, and these IPs could be spoofed (and this does not really solve the problem).
> >
> > Any enlightenment on this subject would be well received.
> >
> > TIA
> > S.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Insecurity with PHP authorization
Hello all

I have just implemented a MySQL authorization: each HTML and PHP page checks to see whether a user is logged in by checking a cookie in the user's browser. The user can log out and edit her profile (including password). If a page is called without the user being logged in, he is presented with a login form. This works very well. There is an SSL connection to the server. Only a hash value of the password is stored in the database.

However, if I directly request a graphic (or a ZIP file etc.) from the site, by entering https://www.myserver.com/photo.jpg for example, I can download that file without being logged in (naturally). In the particular *intranet* project that I am working on, this is particularly undesirable, as only personnel at the company's four locations may have access to the intranet. And there certainly will be a lot of 'confidential' ZIP and graphic files placed on the server.

I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.

Could anyone suggest a method to allow a user to easily edit his password, but at the same time not allow direct access to specific non-PHP files on the intranet server?

Perhaps one method would be to restrict access to the company's four gateway servers (IP addresses). However, I feel this is not too secure, and these IPs could be spoofed (and this does not really solve the problem).

Any enlightenment on this subject would be well received.

TIA
S.
Re: [PHP] Insecurity with PHP authorization
If you don't have a very high load, then you could move all non-PHP files out of the htdocs root and use a pseudo-root directory htdocs/../rawfiles as the root for redirect.php. For example, image.jpg is placed in htdocs/../rawfiles/images; then access it with /redirect.php?/images/image.jpg!

redirect.php only checks for authorization and then does an fpassthru! That won't cost much!

hth
Michael

> Hello all
>
> I have just implemented a MySQL authorization: each HTML and PHP page checks to see whether a user is logged in by checking a cookie in the user's browser. The user can log out and edit her profile (including password). If a page is called without the user being logged in, he is presented with a login form. This works very well. There is an SSL connection to the server. Only a hash value of the password is stored in the database.
>
> However, if I directly request a graphic (or a ZIP file etc.) from the site, by entering https://www.myserver.com/photo.jpg for example, I can download that file without being logged in (naturally). In the particular *intranet* project that I am working on, this is particularly undesirable, as only personnel at the company's four locations may have access to the intranet. And there certainly will be a lot of 'confidential' ZIP and graphic files placed on the server.
>
> I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.
>
> Could anyone suggest a method to allow a user to easily edit his password, but at the same time not allow direct access to specific non-PHP files on the intranet server?
>
> Perhaps one method would be to restrict access to the company's four gateway servers (IP addresses). However, I feel this is not too secure, and these IPs could be spoofed (and this does not really solve the problem).
>
> Any enlightenment on this subject would be well received.
>
> TIA
> S.
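Michael's gate-script idea, worked through as an added example (this is not code from the thread or from any of its posters, and it is written for current PHP rather than the PHP 4 of 2001). It assumes the non-PHP files live in /var/www/rawfiles outside the document root, that the application's login cookie carries a random 64-hex-character token stored in a MySQL table sessions(token, user_id, expires), and that a file is requested as /serve.php?f=images/image.jpg; the cookie name, table, DSN and paths are placeholders. The step the thread leaves implicit is that the script must canonicalise the requested path and confirm it still lies under the file directory, otherwise a request such as ?f=../../etc/passwd would stream anything the web server user can read.

```php
<?php
// serve.php: added example, not the list poster's code.
// Gate downloads behind the application's own cookie-based session, then
// stream the file from a directory that Apache never serves directly.
declare(strict_types=1);

// ASSUMPTION: file store outside DocumentRoot, and a sessions table
// sessions(token CHAR(64), user_id INT, expires DATETIME) filled by login.php.
const FILE_ROOT      = '/var/www/rawfiles';
const SESSION_COOKIE = 'intranet_session';

/** Return the logged-in user id, or null when the cookie is absent, malformed or expired. */
function currentUser(PDO $db): ?int
{
    $token = $_COOKIE[SESSION_COOKIE] ?? '';
    // Tokens are random hex of fixed length; anything else is rejected before touching the DB.
    if (!preg_match('/^[a-f0-9]{64}$/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE token = ? AND expires > NOW()');
    $stmt->execute([$token]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

/**
 * Map the user-supplied relative path onto FILE_ROOT and refuse anything that
 * escapes it (../ sequences, absolute paths, symlinks pointing outside).
 * Returns the canonical path or null.
 */
function resolveFile(string $requested, string $root = FILE_ROOT): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks, so the prefix check below is on the real location.
    $candidate = realpath($rootReal . '/' . ltrim($requested, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the file store
    }
    return $candidate;
}

/** Emit headers and stream the file body, as Michael suggested, with fpassthru(). */
function sendFile(string $path): void
{
    $mime = mime_content_type($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    header('X-Content-Type-Options: nosniff');
    // Everything except images is offered as a download so an uploaded .html is never rendered in-origin.
    if (strpos($mime, 'image/') !== 0) {
        header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    }
    $fh = fopen($path, 'rb');
    fpassthru($fh);
    fclose($fh);
}

// ASSUMPTION: DSN and credentials; the password comes from the environment, not the source.
$db = new PDO('mysql:host=localhost;dbname=intranet', 'intranet', getenv('DB_PASS') ?: '', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (currentUser($db) === null) {
    http_response_code(403);
    exit('Not logged in');
}
$path = resolveFile($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);   // same answer for "outside the store" and "does not exist"
    exit('Not found');
}
sendFile($path);
```

Pages then reference images as <img src="/serve.php?f=images/photo.jpg">, so every byte of a protected file passes through currentUser() first; no configuration in httpd.conf or .htaccess needs to know about the user database, which is what the original question asked for.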
RE: [PHP] Insecurity with PHP authorization
Or you could tell your webserver to deny everything except access to redirect.php; this saves you from moving everything to some obscure place...

> -----Original Message-----
> From: Michael Mehlmann [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 10:18 AM
> To: Stefen Lars
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Insecurity with PHP authorization
>
> If you don't have a very high load, then you could move all non-PHP files out of the htdocs root and use a pseudo-root directory htdocs/../rawfiles as the root for redirect.php. For example, image.jpg is placed in htdocs/../rawfiles/images; then access it with /redirect.php?/images/image.jpg!
>
> redirect.php only checks for authorization and then does an fpassthru! That won't cost much!
>
> hth
> Michael
>
> > Hello all
> >
> > I have just implemented a MySQL authorization: each HTML and PHP page checks to see whether a user is logged in by checking a cookie in the user's browser. The user can log out and edit her profile (including password). If a page is called without the user being logged in, he is presented with a login form. This works very well. There is an SSL connection to the server. Only a hash value of the password is stored in the database.
> >
> > However, if I directly request a graphic (or a ZIP file etc.) from the site, by entering https://www.myserver.com/photo.jpg for example, I can download that file without being logged in (naturally). In the particular *intranet* project that I am working on, this is particularly undesirable, as only personnel at the company's four locations may have access to the intranet. And there certainly will be a lot of 'confidential' ZIP and graphic files placed on the server.
> >
> > I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.
> >
> > Could anyone suggest a method to allow a user to easily edit his password, but at the same time not allow direct access to specific non-PHP files on the intranet server?
> >
> > Perhaps one method would be to restrict access to the company's four gateway servers (IP addresses). However, I feel this is not too secure, and these IPs could be spoofed (and this does not really solve the problem).
> >
> > Any enlightenment on this subject would be well received.
> >
> > TIA
> > S.
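The "deny everything except the script" variant, written out as an added example (not configuration from the thread or from any poster). It is Apache 2.4 syntax, so the Order/Allow/Deny directives Maxwell used on 1.3.12 become Require; the paths and script names are placeholders, and PHP handling is assumed to be configured already. Unlike the SetEnvIf rule, which keys on the Referer header that the client itself sends (it stops casual hotlinking, not someone who sets the header on purpose), this refuses every URL under the document root except the named PHP entry points, and the gate script then decides per request using the application's own session.

```apache
# Added example (not from the thread). Apache 2.4 syntax.
# ASSUMPTION: DocumentRoot /var/www/htdocs, gate script serve.php,
#             protected files in /var/www/rawfiles.

DocumentRoot "/var/www/htdocs"

<Directory "/var/www/htdocs">
    # No listings, no symlink escapes, no per-directory overrides that could
    # loosen this from a stray .htaccess.
    Options -Indexes -FollowSymLinks
    AllowOverride None

    # 1. Refuse every URL under the document root by default. A photo.jpg or
    #    report.zip left here is now unreachable, so nothing has to move.
    Require all denied

    # 2. ... except the PHP entry points the application really exposes.
    #    Files sections merge after Directory sections, so this wins.
    <FilesMatch "^(index|login|profile|serve)\.php$">
        Require all granted
    </FilesMatch>
</Directory>

# 3. The file store is outside DocumentRoot, so no URL maps onto it; this block
#    only restates that in case a later Alias or vhost is added carelessly.
<Directory "/var/www/rawfiles">
    Require all denied
</Directory>
```

With this in place, a direct request for /photo.jpg gets 403 from Apache, while /serve.php?f=photo.jpg reaches the gate script and is answered according to the session cookie. Check it after reload with `apachectl configtest` and one request each for a static file, a non-listed PHP file and the gate script.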
RE: [PHP] Insecurity with PHP authorization
> -----Original Message-----
> From: Stefen Lars [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Insecurity with PHP authorization
>
> I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.

If you control the server, have you considered something along the lines of mod_auth_mysql (which would allow you to place a .htaccess file that authenticates using the information stored in your mysql database)? I've used it on a few projects here with good results. You can pick up a copy from the contrib downloads at mysql.com.

---
Mark Roedel ([EMAIL PROTECTED])    | There cannot be a crisis next week.
Systems Programmer / WebMaster      | My schedule is already full.
LeTourneau University               |              -- Henry Kissinger
Re: [PHP] Insecurity with PHP authorization
Hello Max

Thank you for this interesting idea! I have implemented it on my test server and it seems to do what I want. However, at the moment I do not fully understand what is happening. However, I will study the Apache docs right now.

Thanks!
Jonathan

> From: Maxwell Hung [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Insecurity with PHP authorization
> Date: Tue, 7 Aug 2001 11:22:33 +0100 (BST)
>
> Hi Stefan
>
> You can do this
>
>     # Add this to httpd.conf   N.B. apache 1.3.12
>     SetEnvIfNoCase Referer "^http://www.mysite/" local_ref=1
>
>     # place the following into a .htaccess file in the dir you wish to protect the files
>     Options -Indexes
>     # change the extensions you want to protect
>     <FilesMatch "\.(doc|zip|xls|flp)$">
>         Order Allow,Deny
>         Allow from env=local_ref
>     </FilesMatch>
>
> This will stop direct requests to files, as the env var will not be set. I've used it on my setup and it's fine. As noted above, this will only work with apache 1.3.12.
>
> If you get it working, could you forward it to the php list? I can't get there through this a/c.
>
> HTH
> M@
>
> --- Stefen Lars [EMAIL PROTECTED] wrote:
> > Hello all
> >
> > I have just implemented a MySQL authorization: each HTML and PHP page checks to see whether a user is logged in by checking a cookie in the user's browser. The user can log out and edit her profile (including password). If a page is called without the user being logged in, he is presented with a login form. This works very well. There is an SSL connection to the server. Only a hash value of the password is stored in the database.
> >
> > However, if I directly request a graphic (or a ZIP file etc.) from the site, by entering https://www.myserver.com/photo.jpg for example, I can download that file without being logged in (naturally). In the particular *intranet* project that I am working on, this is particularly undesirable, as only personnel at the company's four locations may have access to the intranet. And there certainly will be a lot of 'confidential' ZIP and graphic files placed on the server.
> >
> > I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.
> >
> > Could anyone suggest a method to allow a user to easily edit his password, but at the same time not allow direct access to specific non-PHP files on the intranet server?
> >
> > Perhaps one method would be to restrict access to the company's four gateway servers (IP addresses). However, I feel this is not too secure, and these IPs could be spoofed (and this does not really solve the problem).
> >
> > Any enlightenment on this subject would be well received.
> >
> > TIA
> > S.