Re: [PHP] Insecurity with PHP authorization
I have just found this article, which describes this technique:
http://apachetoday.com/mailprint.php3?action=pv&ltsn=2000-06-14-002-01-PS#SetEnvIf

Thank you all for your help. :-))

S

>From: Maxwell Hung <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [PHP] Insecurity with PHP authorization
>Date: Tue, 7 Aug 2001 11:22:33 +0100 (BST)
>
>Hi Stefan
>
>You can do this
>
>#Add this httpd.conf N.B apache > 1.3.12
>SetEnvIfNoCase Referer "^http://www.mysite/" local_ref=1
>
>#place the following into a .htaccess file in the dir you wish to protect the files
>Options -Indexes
>
>#change the extensions you want to protect
>Order Allow,Deny
>Allow from env=local_ref
>
>This will stop direct requests to files as the env var will not be set.
>
>I've used it on my setup and it's fine. As noted above this will only work with apache > 1.3.12
>
>If you get it working could you forward it to the php list, I can't get there through this a/c
>
>HTH
>
>M@
>
>--- Stefen Lars <[EMAIL PROTECTED]> wrote:
>> Hello all
>>
>> I have just implemented a mySQL authorization: each html and php page checks to see whether a user is logged in by checking a cookie in the user browser. The user can log out and edit her profile (including password). If a page is called without the user being logged in, he is presented with a log in form. This works very well. There is an SSL connection to the server. Only a hash value of the password is stored in the database.
>>
>> However, if I directly request a graphic (or a ZIP file etc) from the site, by entering https://www.myserver.com/photo.jpg for example, I can download that file without being logged in (naturally).
>>
>> In the particular *intranet* project that I am working on, this is particularly undesirable, as only personnel at the company's four locations may have access to the intranet. And there certainly will be a lot of 'confidential' ZIP and graphic files placed on the server.
>>
>> I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.
>>
>> Could anyone suggest a method to allow a user to easily edit his password, but at the same time, not allow direct access to specific non-PHP files on the intranet server?
>>
>> Perhaps one method would be to restrict access to the company's four gateway servers (IP addresses). However, I feel this is not too secure, and these IPs could be spoofed (and this does not really solve the problem).
>>
>> Any enlightenment on this subject would be well received.
>>
>> TIA
>>
>> S.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Insecurity with PHP authorization
Hello Max

Thank you for this interesting idea! I have implemented it on my test server and it seems to do what I want. However, at the moment, I do not fully understand what is happening. However, I will study the Apache docs right now.

Thanks!

Jonathan

>From: Maxwell Hung <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: [PHP] Insecurity with PHP authorization
>Date: Tue, 7 Aug 2001 11:22:33 +0100 (BST)
RE: [PHP] Insecurity with PHP authorization
> -----Original Message-----
> From: Stefen Lars [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 3:03 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Insecurity with PHP authorization
>
> I do realize that if I were to place a .htaccess file in the root of the intranet server, I could prevent the above from happening, but then I lose the advantage of having the user's profile in a database, where a user can easily change her password. Allowing a web user to edit a password in the .htaccess file poses more problems than it solves, especially as it certainly could occur that more than one person wants to edit his password simultaneously.

If you control the server, have you considered something along the lines of mod_auth_mysql (which would allow you to place a .htaccess file that authenticates using the information stored in your mysql database)? I've used it on a few projects here with good results. You can pick up a copy from the "contrib" downloads at mysql.com.

---
Mark Roedel ([EMAIL PROTECTED])  | "There cannot be a crisis next week.
Systems Programmer / WebMaster    |  My schedule is already full."
LeTourneau University             |        -- Henry Kissinger
RE: [PHP] Insecurity with PHP authorization
Or you could tell your webserver to deny everything except access to redirect.php; this saves you from moving everything to some obscure place...

> -----Original Message-----
> From: Michael Mehlmann [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 07, 2001 10:18 AM
> To: Stefen Lars
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Insecurity with PHP authorization
>
> If you don't have a very high load, then you could move all non-PHP files out of htdocs-root and use a pseudo-root directory htdocs/../rawfiles as root for redirect.php. For example image.jpg is placed in htdocs/../rawfiles/images; then access it with /redirect.php?/images/image.jpg ! redirect.php only checks for authorization and then does an fpassthru! That won't cost much!
>
> hth
> Michael
Re: [PHP] Insecurity with PHP authorization
If you don't have a very high load, then you could move all non-PHP files out of htdocs-root and use a pseudo-root directory htdocs/../rawfiles as root for redirect.php. For example image.jpg is placed in htdocs/../rawfiles/images; then access it with /redirect.php?/images/image.jpg ! redirect.php only checks for authorization and then does an fpassthru! That won't cost much!

hth
Michael
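The gateway that Michael's message and the "deny everything except redirect.php" reply both describe, as an added example written here and not code from anyone on the thread; it assumes PHP 8, that the existing login code sets $_SESSION['user'], and that the raw files sit in ../rawfiles beside the document root. Unlike the Referer-based SetEnvIf rule earlier in the thread, which keys on a header the client supplies, it checks the server-side session, and it refuses any request that resolves to a file outside the raw-files directory.

```php
<?php
// redirect.php: added example of the gateway Michael describes: files kept outside
// the document root, streamed with fpassthru after an auth check. Not code from the
// thread. Assumed: login sets $_SESSION['user']; raw files live in ../rawfiles.
session_start();

// Session state is set server-side at login; unlike the Referer header used in the
// SetEnvIf approach, it is not a value the client can simply supply.
function authorized(array $session): bool
{
    return !empty($session['user']);
}

// Map the requested name onto a file under $root, or return null. realpath()
// collapses "../" and symlinks, so the prefix check rejects anything outside $root.
function resolve_file(string $root, string $requested): ?string
{
    $root = realpath($root);
    if ($root === false || str_contains($requested, "\0")) {
        return null;
    }
    $candidate = realpath($root . '/' . ltrim($requested, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    return str_starts_with($candidate, $root . DIRECTORY_SEPARATOR) ? $candidate : null;
}

// Michael's URL form is /redirect.php?/images/image.jpg: the whole query string is
// the path, so read it raw rather than through $_GET (which would mangle it).
$requested = rawurldecode($_SERVER['QUERY_STRING'] ?? '');
if (!authorized($_SESSION)) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
$file = resolve_file(__DIR__ . '/../rawfiles', $requested);
if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
// Send an explicit type for the few extensions served and forbid sniffing.
$types = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif',
          'png' => 'image/png', 'zip' => 'application/zip'];
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
$fp = fopen($file, 'rb');
fpassthru($fp);
fclose($fp);
```

A request for /redirect.php?/../htdocs/config.php resolves to a path outside rawfiles and gets a 404, while a logged-out request for a valid file gets a 403 before the file system is touched.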