Page 1 of 3

#1
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999
    Location: Niagara Falls (On the wrong side of the gorge)
    Posts: 3,237
    Rep Power: 18
    Placing a file below doc root is an additional precaution. Normally, as long as the file has a .php extension it would be parsed before being sent to the browser and therefore safe. However, in the unlikely event that something untoward happens to the web server that causes PHP scripts not to be parsed, then the code could be seen via an HTTP request. Please note, I've never heard of this actually happening and if it did it would most likely be human error.

    The bigger security threat would be other users on a shared system without safe mode enabled as they could use Apache to read your files no matter where they are placed.

    Changing the permissions wouldn't work as Apache still has to be able to read the file for it to work. Placing a .htaccess file would help as that would not prevent a php script from accessing the file but would prevent a direct http request (assuming there is no valid user at all allowed). However, it will not prevent access by other users.
#2
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2003
    Posts: 68
    Rep Power: 14
    Thanks for your time and reply.

    Originally posted by rod k
    > Placing a file below doc root is an additional precaution.
    The problem is that I can't, FTP says 550 Permission denied.

    > Normally, as long as the file has a .php extension it would be parsed before being sent to the browser and therefore safe. However, in the unlikely event that something untoward happens to the web server that causes php scripts not to be parsed, then the code could be seen via a http request. Please note, I've never heard of this actually happening and if it did would most likely be human error.
    I have seen that in a vBulletin once...

    > The bigger security threat would be other users on a shared system without safe mode enabled as they could use Apache to read your files no matter where they are placed.
    I have heard that before but I still am left wondering... Even if a user on the same server can access the file, how can he READ its contents? I have tried and I wasn't able to...

    > Changing the permissions wouldn't work as Apache still has to be able to read the file for it to work. Placing a .htaccess file would help as that would not prevent a php script from accessing the file but would prevent a direct http request (assuming there is no valid user at all allowed). However, it will not prevent access by other users.
    What would I have to put in the .htaccess file?
#3
    Just a kid
    Devshed Newbie (0 - 499 posts)
    Join Date: Sep 2002
    Location: Canada
    Posts: 105
    Rep Power: 12
    Here's a tip. What I do with my sensitive PHP files is very basic, and adds a lot of security [Added 03/08/2003] from stupid people (such as myself, as everyone thinks) whose whole skill is including a file. [/added] But it does not make it 100% secure..

    Since most of the things that may be able to access it are other PHP files, I would have added in:

    PHP Code:
```php
<?php
// Original post used $REQUEST_URI (register_globals) and eregi(); eregi() is
// gone since PHP 7, so the portable equivalent is preg_match() with the i flag
// on $_SERVER['REQUEST_URI']. The dot is escaped to match a literal ".php".
if (preg_match('/configuration\.php/i', $_SERVER['REQUEST_URI'])) {
    die("Please no attemptive hacking.");
}
?>
```
    So if someone is using a "file-viewing" script and just used basic GET(HTTP) and Include(PHP) commands they could use this:

    hack.php?file=../../anotherusername/private/configuration.php


    and it could output the file, but with the little code I provided up there, it will spot the configuration.php and it will die upon load.



    Just a simple tip.
    Last edited by LavaCube; March 8th, 2003 at 02:12 AM.
    [ lavacube ]

    My Personal Site[greyDistortion]

    PHP version: 4.3.8
    MySQL version: 4.0.21
    Operating System (OS): SuSE Linux 9.1
    Apache version: 2.0.50
#4
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2003
    Posts: 68
    Rep Power: 14
    your tip is interesting but I am not quite sure I understand it...

    first of all how could somebody access the sensitive page with:
    hack.php?file=../../anotherusername/private/configuration.php
    ???

    also:
    do you add that eregi code to all the sensitive pages you have?
    if yes, won't that prevent the file to be accessed by the script who uses that file?
    why do you say it is not 100% secure? if you say so you can probably let us know what hacking method we are forgetting...
#5
    Just a kid
    Devshed Newbie (0 - 499 posts)
    Join Date: Sep 2002
    Location: Canada
    Posts: 105
    Rep Power: 12
    I'm guessing I wasn't really sure about what I said, so I will try to explain it again.

    Let's say someone on the same server as you made a file called "hack.php" and put this code inside it:
    PHP Code:
```php
<?php
// As posted: with register_globals on (the PHP 4 setting this post assumes),
// $file holds the ?file= query parameter, so the request decides what is included.
include("$file");
?>
```
    they could then (if PHP isn't running in Safe mode, remember this is just an example) browse to their page and type in:
    hack.php?file=../../(yourusername)/web/configuration.php


    it would normally include the file, wouldn't it?

    Not with this script at the top of that sensitive information:
    PHP Code:
```php
<?php
// Same check as in post #3, written with $_SERVER['REQUEST_URI'] and
// preg_match() so it runs on any PHP version (eregi() was removed in PHP 7).
if (preg_match('/configuration\.php/i', $_SERVER['REQUEST_URI'])) {
    die("Please no attemptive hacking.");
}
?>
```

    it will then look at what's typed in the URL bar, after the first slash. So let's say the file is being included from:
    http://blahblah.com/hack.php?file=../../(yourusername)/web/configuration.php

    The script would grab the:
    hack.php?file=../../(yourusername)/web/configuration.php


    And if it finds the filename "configuration.php" it will then print what is in the "die" function, so all the person trying to hack in would see is:

    Please no attemptive hacking.






    Hopefully that cleared that up a bit more... I haven't been to bed for a couple days, And I'm not coping too well with it.
    [ lavacube ]

    My Personal Site[greyDistortion]

    PHP version: 4.3.8
    MySQL version: 4.0.21
    Operating System (OS): SuSE Linux 9.1
    Apache version: 2.0.50
#6
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999
    Location: Niagara Falls (On the wrong side of the gorge)
    Posts: 3,237
    Rep Power: 18
    > The problem is that I can't, FTP says 550 Permission denied.
    I understand that. I would speak to my host about that if I were you. They really should be providing at least one level pre doc root for you.

    > Even if a user on the same server can access the file, how can he READ its contents?
    All he has to do is use opendir() and readdir() to see what files are in your directory. Then use some of the filesystem functions to read those files.

    > What would I have to put in the .htaccess file?
    Deny from all

    > add's alot of security
    No it doesn't. They're not going to include() your file but read it as I described above, in which case your PHP code isn't going to get executed.
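As an added example that is not code from the thread or its posters: the include("$file") pattern from post #5 next to a hardened loader. It follows rod k's point in post #6 that a check placed inside configuration.php never runs when the file is only read, so the one place a check can do any good is the script that performs the include. The page names, the pages/ directory and the ?page= parameter are assumptions.

```php
<?php
// Added example, not from the thread. Contrasts the include("$file") pattern
// shown in post #5 with a hardened loader that keeps the decision of what may
// be included inside the including script.

// Vulnerable form from the post, kept for contrast and never called here:
// the query parameter is used directly as an include path.
function includeUnsafe()
{
    include($_GET['file']);
}

// Hardened form. The request supplies a short key; the script maps it to a
// file inside one fixed directory, so no client-supplied path is ever used.
// Page names and directory are assumptions for this example.
function resolveAllowedPage($requested, array $allowed, $baseDir)
{
    if (!isset($allowed[$requested])) {
        return null;                          // unknown key: nothing to load
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $real === false) {
        return null;                          // directory or file missing
    }
    // realpath() resolves ../ and symlinks; insist the result stays under $base
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function includeAllowedPage(array $allowed, $baseDir)
{
    $key  = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
    $path = resolveAllowedPage($key, $allowed, $baseDir);
    if ($path === null) {
        header('HTTP/1.0 404 Not Found');
        exit('Unknown page');
    }
    include $path;
}

// Usage: an assumed allow-list of two pages living in ./pages/
$allowedPages = array(
    'home'    => 'home.php',
    'contact' => 'contact.php',
);
includeAllowedPage($allowedPages, __DIR__ . '/pages');
```

With this shape a value such as ../../somebody/private/configuration.php fails the isset() test before any path is built, and the realpath() comparison catches a mapped entry that somehow resolved outside pages/. None of this helps the situation rod k describes, where another account on the same server reads the file through Apache rather than including it; that is why the thread ends up at safe mode and encoders.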
#7
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2003
    Posts: 68
    Rep Power: 14
    Is there any way I can test this hack of yours because I still don't quite get how that call would show me the content of the file without your anti-hack code...

    I am asking my host about it. If they say no, do I have any other possibility to make it safe?

    Would "deny from all" solve the problem but still allow the script to access the file?
#8
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999
    Location: Niagara Falls (On the wrong side of the gorge)
    Posts: 3,237
    Rep Power: 18
    > without your anti-hack code...
    I didn't give you any "anti-hack" code. And I'm not going to post here how to do it.. no sense helping some script kiddie even if it is easy to do.

    > Wold "deny from all" solve the problem but still allow the script to access the file?
    It would solve the problem of someone accessing scripts directly via HTTP. It would not solve the problem of another user on the server accessing it.

    There are only two ways to prevent another user on the same server from accessing your script. 1) run PHP in safe mode, 2) encode your script with Zend Encoder or Ioncube.
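An added example, not from the thread: a small PHP self-check for the two mitigations the thread settles on against direct HTTP requests, keeping the config file below the document root and, failing that, an .htaccess beside it containing Deny from all (Apache 2.2 syntax; Apache 2.4 spells it Require all denied). The paths are assumptions. As rod k says above, neither check addresses another user on the same shared server; per the thread only safe mode or an encoder covers that.

```php
<?php
// Added example, not from the thread. Reports whether a config file is
// protected from direct HTTP requests by placement below the document root
// or by an .htaccess that denies all access. Paths are assumptions.

// True when $configPath resolves to a location outside $docRoot.
function isOutsideDocRoot($configPath, $docRoot)
{
    $cfg  = realpath($configPath);
    $root = realpath($docRoot);
    if ($cfg === false || $root === false) {
        return false;                         // unresolvable: treat as unprotected
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($cfg, $root) !== 0;
}

// True when the directory holding the config has an .htaccess with a
// blanket deny, in either the 2.2 or the 2.4 directive spelling.
function htaccessDeniesAll($dir)
{
    $file = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . '.htaccess';
    if (!is_readable($file)) {
        return false;
    }
    $text = file_get_contents($file);
    return preg_match('/^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$/mi', $text) === 1;
}

// Returns one line describing which mitigation, if any, is in place.
function reportConfigExposure($configPath, $docRoot)
{
    if (isOutsideDocRoot($configPath, $docRoot)) {
        return 'ok: config is below the document root';
    }
    if (htaccessDeniesAll(dirname($configPath))) {
        return 'ok: config is inside the document root but .htaccess denies direct requests';
    }
    return 'WARNING: config is inside the document root with no .htaccess deny';
}

// Usage with assumed paths: the config one level above public_html.
$docRoot    = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '/home/user/public_html';
$configPath = dirname($docRoot) . '/private/configuration.php';
echo reportConfigExposure($configPath, $docRoot), "\n";
```

Run it from the account that owns the site (via the CLI or once from a throwaway page) after moving the file or adding the .htaccess; the realpath() calls mean a symlink that points back inside the document root is reported as exposed rather than hidden by its path string.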
#9
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2003
    Posts: 68
    Rep Power: 14
    Just to clarify, I am not trying to hack into somebody's site, I am trying to avoid somebody hacking into mine...
#10
    Just a kid
    Devshed Newbie (0 - 499 posts)
    Join Date: Sep 2002
    Location: Canada
    Posts: 105
    Rep Power: 12
    About that Zend encoder, there is a way to decode it still, so I don't see how it would help the situation at hand.
    [ lavacube ]

    My Personal Site[greyDistortion]

    PHP version: 4.3.8
    MySQL version: 4.0.21
    Operating System (OS): SuSE Linux 9.1
    Apache version: 2.0.50
#11
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999
    Location: Niagara Falls (On the wrong side of the gorge)
    Posts: 3,237
    Rep Power: 18
    > Zend encoder, There is a way to decode it
    Really? Tell us how.
#12
    Just a kid
    Devshed Newbie (0 - 499 posts)
    Join Date: Sep 2002
    Location: Canada
    Posts: 105
    Rep Power: 12
    I'm not saying I know how exactly, but since it has to be, let's say, "encrypted" it obviously has to be "decrypted" at runtime... Unless there's another plugin for PHP, but then there's just a big huge mess trying to get it set up with your host.

    Not to mention, all it does is encode it into a different format. PHP is application/x-httpd-php and all the damn thing does is encode it in a different format. Doesn't help too much now, does it?
    Last edited by LavaCube; March 5th, 2003 at 05:43 AM.
    [ lavacube ]

    My Personal Site[greyDistortion]

    PHP version: 4.3.8
    MySQL version: 4.0.21
    Operating System (OS): SuSE Linux 9.1
    Apache version: 2.0.50
#13
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999
    Location: Niagara Falls (On the wrong side of the gorge)
    Posts: 3,237
    Rep Power: 18
    > But since it has to be lets say "encrypted" it obviously has to be "decrypted" on runtime
    This is your first wrong assumption. Zend and Ioncube use "compiled code encoding". The source code is completely gone. While not 100% secure, getting the original PHP source requires decoding (not decrypting) and decompiling. Far beyond the capabilities of most.

    > then there's just a big huge mess trying to get it setup with your host
    Yes, the Zend Encoder requires the Zend Optimizer (which many hosts already run) but the Ioncube loader can be loaded dynamically.

    > All it does is encodes it into a different format
    Wrong.

    > Doesn't help too much now does it?
    Your ignorance is typical of many. You just keep using your little eregi() line in your script thinking you are doing some good, but don't give advice to others on things you know nothing about. Next thing you'll be telling people that code obfuscators and source encoders are just as good as ZE and Ioncube.

    The best solution is to only use a host that runs safe mode, or use your own server. Barring that, ZE or Ioncube are the only solutions.
#14
    Just a kid
    Devshed Newbie (0 - 499 posts)
    Join Date: Sep 2002
    Location: Canada
    Posts: 105
    Rep Power: 12
    You really are pathetic aren't you? You have to "diss" a "kid" in order to make yourself feel big. Typical loser in my eyes.
    [ lavacube ]

    My Personal Site[greyDistortion]

    PHP version: 4.3.8
    MySQL version: 4.0.21
    Operating System (OS): SuSE Linux 9.1
    Apache version: 2.0.50
#15
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 1999
    Location: Niagara Falls (On the wrong side of the gorge)
    Posts: 3,237
    Rep Power: 18
    If you come into a public forum and give people VERY bad advice, you better expect to have it pointed out.

    As to being dissed, you better read the thread again and decide who dissed whom first.

    As to being a kid, it's irrelevant, but I had no idea what your age was until you brought it up in your most recent post. You needn't have bothered stating so specifically, since your "pout" makes it quite obvious what your emotional age is.