Re: re Prevent loading of php pages

Posted by Jerry Stuckle on 06/01/07 15:48

Phil wrote:
> On Jun 1, 5:17 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Phil wrote:
>>> Jerry posed some good ideas, a while back, on a website security issue
>>> that comes up often. Gary Jones was asking how to keep users from
>>> directly accessing php pages, out of sequence.
>>> Jerry posed a directory management solution. No one seems to have
>>> mentioned an alternative. Maybe there is a reason?
>>> We took a different approach, noting that the only way we wanted a
>>> user to enter some phps would be through a predefined series of steps
>>> like that posed by Gary Jones. Header information (http_referer, or
>>> maybe another) is a path check.
>>> If a client request hits, say, step_4-something.php without going
>>> through steps 1, 2, & 3, the php takes suitable action, maybe posting
>>> an error message.
>>> Jerry's directory-solution is sound, but maybe we want to prohibit
>>> someone from going straight to
>>> www.somewebsitecom/nonrootdirectory/step2.php.
>>> This approach seems to work, but can a clever web-crawler or
>>> programmer get past it?
>>> Thoughts?
>>> Phil
>>>>> Newsgroups: comp.lang.php
>>>>> From: "Garry Jones" <garry.jo...@morack.se>
>>>>> Date: Wed, 26 Apr 2006 23:53:13 +0200
>>>>> Local: Wed, Apr 26 2006 3:53 pm
>>>>> Subject: Prevent loading of php pages
>>>>> I have a website consisting of php segments.
>>>>> Example
>>>>> page1.html calls in code from seg1.php and seg2.php
>>>>> If the user goes directly to www.mydomain.com/seg1.php they see everything
>>>>> visible to a browser on that page. Can I prevent users from loading individual
>>>>> php segments?
>>>>> The only time that seg1.php should be visible is in its original context on
>>>>> page1.html
>>>>> Garry Jones
>>>>> Sweden
>>>> Jerry Stuckle wrote:
>>>> The document root is the root directory of your website. But it is not the root
>>>> directory of your machine. For instance, your document root might be
>>>> "/var/www/website1/html".
>>>> When you upload them, put them in a directory below the root of your website,
>>>> i.e. "/var/www/website1/myfiles". You can then include this page in your
>>>> other PHP pages with something like (assuming Apache):
>>>> include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
>>>> Anyone accessing a page through http protocol can only access those files in
>>>> your web root. But PHP accesses the file system directly, so it can access any
>>>> file on the system (assuming the appropriate permissions are set).
>>>> ==================
>>>> Remove the "x" from my email address
>>>> Jerry Stuckle
>>>> JDS Computer Training Corp.
>>>> jstuck...@attglobal.net
>>>> ==================
>> http_referer is not reliable. The browser is not required to send it, a
>> firewall may strip it, or it can easily be faked.
>>
>> My suggestion just protected pages from being loaded directly; it really
>> doesn't address your issue.
>>
>> I think the best way to handle your sequence might be to keep track of
>> the last page (or pages) visited in the session variable. Not much more
>> work, and much more accurate.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
> Jerry:
>
> Even better. Thank you.
>
> Phil
>
>
> P.s. Does $_SERVER["HTTP_REFERER"] get stripped or can it be faked?
>
>

Either can happen. It's just a field sent by the browser. The browser
can decide to send it or not, or it can be stripped by a firewall. And
it can easily be faked.

Never trust anything sent by the user!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
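The session-based sequence check Jerry recommends, as an added example that is not part of the thread: each step script includes this file and calls `require_step()`, and only a step that passed its own validation calls `mark_step_done()`. Step names, file names and the redirect target are assumptions for illustration.

```php
<?php
// Added example (not from the thread): enforce a fixed step order with the
// session, as Jerry suggests, instead of trusting $_SERVER['HTTP_REFERER'].
// Assumptions: session cookies are used, the steps are step1.php..step4.php,
// and this file is included at the top of each step script.

session_start();

// Order the steps must be completed in. Assumed names, not from the thread.
const STEP_ORDER = ['step1', 'step2', 'step3', 'step4'];

// Return true if $step may be served now: either it is the first step, or the
// session records that the immediately preceding step was completed. Because
// a step is only marked done after its own guard passed, this implies every
// earlier step was completed in order.
function step_allowed(string $step, array $session): bool
{
    $idx = array_search($step, STEP_ORDER, true);
    if ($idx === false) {
        return false;                 // unknown step name
    }
    if ($idx === 0) {
        return true;                  // step1 is always reachable
    }
    $done = $session['steps_done'] ?? [];
    return in_array(STEP_ORDER[$idx - 1], $done, true);
}

// Record that $step has been completed; call this only after the step's
// own validation succeeded (form data accepted, etc.).
function mark_step_done(string $step, array &$session): void
{
    $session['steps_done'][] = $step;
    $session['steps_done'] = array_values(array_unique($session['steps_done']));
}

// Guard for the current script, e.g. require_step('step3') at the top of
// step3.php. Sends the client back to the first step if the sequence was skipped.
function require_step(string $step): void
{
    if (!step_allowed($step, $_SESSION)) {
        // HTTP_REFERER is logged only as a hint for the operator; it is never
        // part of the decision, since it may be absent, stripped or forged.
        error_log(sprintf('out-of-sequence request for %s, referer=%s',
            $step, $_SERVER['HTTP_REFERER'] ?? '(none)'));
        header('Location: step1.php');
        exit;
    }
}
```

In step2.php this would be `require 'steps.inc.php'; require_step('step2');` at the top and `mark_step_done('step2', $_SESSION);` once the step's input has been accepted.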
