|
|
Posted by Jerry Stuckle on 06/01/07 11:17
Phil wrote:
> Jerry posed some good ideas, a while back, on website a security issue
> that comes up often. Gary Jones was asking how to keep users from
> directly accessing php pages, out of sequence.
>
> Jerry posed a directory management solution. No one seems to have
> mentioned an alternative. Maybe there is a reason?
>
> We took a different approach, noting that the only way we wanted a
> user to enter some phps would be through a predefined series of steps
> like that posed by Gary Jones. Header information (http_referer, or
> maybe another) is a path check.
>
> If a client request hits, say, step_4-something.php without going
> through steps 1, 2, & 3, the php takes suitable action, maybe posting
> an error message.
>
> Jerry's directory-solution is sound, but maybe we want to prohibit
> someone from going straight to
>
> www.somewebsitecom/nonrootdirectory/step2.php.
>
> This approach seems to work, but can a clever web-crawler or
> programmer get past it?
>
> Thoughts?
>
> Phil
>
>
>>> Newsgroups: comp.lang.php
>>> From: "Garry Jones" <garry.jo...@morack.se>
>>> Date: Wed, 26 Apr 2006 23:53:13 +0200
>>> Local: Wed, Apr 26 2006 3:53 pm
>>> Subject: Prevent loading of php pages
>
>>> I have a website consisting of php segments.
>
>>> Example
>
>>> page1.html calls in code from seg1.php and seg2.php
>
>>> If the user goes directly to www.mydomain.com/seg1.php they see everything
>>> visible to a browser on that page. Can I prevent users from loading individual
>>> php segments.
>
>>> The only time that seg1.php should be visible is in its original context on
>>> page1.html
>
>
>>> Garry Jones
>>> Sweden
>
>
>> Jerry Stuckle wrote:
>
>> The document root id the root directory of your website. But it is not the root
>> directory of your machine. For instance, your document root might be
>> "/var/www/website1/html".
>
>> When you upload them, put them in a directory below the root of your website,
>> i.e. "/var/www/website1/myfiles". You can then include this page in your
>> other PHP pages with something like (assuming Apache):
>
>> include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>
>> Anyone accessing a page through http protocol can only access those files in
>> your web root. But PHP accesses the file system directly, so it can access any
>> file on the system (assuming the appropriate permissions are set).
>
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
http_referer is not reliable. The browser is not required to send it, a
firewall may strip it, or it can easily be faked.
My suggestion just protected pages from being loaded directly; it really
doesn't address your issue.
I think the best way to handle your sequence might be to keep track of
the last page (or pages) visited in the session variable. Not much more
work, and much more accurate.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|