Posted by Kit DeKat on 05/11/05 07:03
I recently discovered a php method to hide text-based files from remote users while allowing access to your internal pages and scripts. You can take advantage of this technique as well to protect your artistic rights. There are two variants: one for php scripts and their included counterparts, and another for 'stand-alone' files that are referred to within your own html -- such as *.css and *.js that can be link'd or src'd via html tags.
--------------------------------------
PHP SCRIPTs:
master pages: (index.php, gallery.php, ...)
<?php
// this is placed before any other includes
define('SOME_CONSTANT','secret_string');
?>
included pages: (header.php, menu.php, ...)
<?php
// this is placed before any other includes
require_once('include_path/check_constant.inc');
?>
'include_path/check_constant.inc':
<?php
/*
 * PHP Internal Inclusion Verification v1.0
 * Author: Tim Maynard, aka: Kit DeKat (kitdekat) (c)09-MAY-2005
 * E-mail: kitdekat@kitdekat.com
 */
$const = get_defined_constants();
if( !isset($const["SOME_CONSTANT"]) ||
    ($const["SOME_CONSTANT"] != 'secret_string') )
{
    header('Status: 404 Not Found');
    header('HTTP/1.1 404 Not Found');
    // the following is my path to the standard Apache2 error documents, which
    // I feel are the best to hide the fact that the file was ever there,
    // versus a custom error implying you're covering it
    readfile('http://'.$_SERVER["SERVER_NAME"].'/error/HTTP_NOT_FOUND.html.var');
    exit();
}
?>
--------------------------------------
This should hide all the includes, configs, etc. files that you have lying around.
I should hope that you already have the following somewhere in your httpd.conf file to protect from direct remote downloads -- this snippet will protect files ending in '.inc' and '.inc.php'; modify to suit your site:
<Files ~ "\.inc(\.php)?$">
Order allow,deny
Deny from all
Satisfy All
</Files>
--------------------------------------
CSS and JS files:
First, you will need to tell php to parse these files, which can be done again by editing your httpd.conf file to add the desired extensions to the php list:
AddType application/x-httpd-php .php .phtml .php3 .css .js
You will take a performance hit for adding the parser to more pages, but I think it's worth the gain in security and your general sanity and well-being.
Now that php is parsing these files, add the following to the top of each:
<?php
/*
 * PHP Internal Inclusion Verification v1.0
 * Author: Tim Maynard, aka: Kit DeKat (kitdekat) (c)09-MAY-2005
 * E-mail: kitdekat@kitdekat.com
 */
// strpos() returns the match offset (which may be 0) or false, so test
// against false explicitly instead of relying on truthiness
if( !isset($_SERVER["HTTP_REFERER"]) ||
    (strpos($_SERVER["HTTP_REFERER"], $_SERVER["SERVER_NAME"]) === false) )
{
    header('Status: 404 Not Found');
    header('HTTP/1.1 404 Not Found');
    readfile('http://'.$_SERVER["SERVER_NAME"].'/error/HTTP_NOT_FOUND.html.var');
    exit();
}
?>
This is very similar code to the php scripts, but the change is that it is no longer looking for the constant (since that doesn't exist once the page is in the browser), but makes sure that the server calling the file is itself and not a remote call from an address bar.
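The two guards from the post above, reworked as an added example (this is not the poster's code) into functions that return a bool so they can be exercised from the command line before being dropped into an include. The constant name, the secret and the host names are assumed/constructed values. Guard 2 compares the host component of the Referer (via parse_url) instead of doing a substring search, which is a deliberate tightening over the post's strpos() check.

```php
<?php
// Added example, not the poster's code: the constant guard (php includes) and
// the Referer guard (parsed .css/.js) as testable functions. The constant
// name, secret and host names below are assumed/constructed values.

declare(strict_types=1);

// Guard 1 (php includes): true only when a master page defined the constant
// with the expected value before this file was included.
function included_internally(string $constant, string $secret): bool
{
    return defined($constant) && constant($constant) === $secret;
}

// Guard 2 (css/js): true when the Referer's host component is this server.
// Comparing parse_url()'s host rather than searching for a substring means
// "http://other.example/?u=www.example.com" does not slip through, and it
// sidesteps the `!strpos()` pitfall (strpos returns 0, which is falsy, when
// the needle sits at offset 0).
function referer_is_local(?string $referer, string $serverName): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $serverName) === 0;
}

// What a guarded file does on failure: answer 404 and stop, as in the post.
function deny_with_404(): void
{
    http_response_code(404);
    exit;
}

// How an included page (header.php, menu.php, ...) would use guard 1:
//   if (!included_internally('SOME_CONSTANT', 'secret_string')) { deny_with_404(); }
// and how a php-parsed .css/.js file would use guard 2:
//   if (!referer_is_local($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['SERVER_NAME'])) { deny_with_404(); }

// Self-check with constructed inputs when run as `php guards.php`.
if (PHP_SAPI === 'cli') {
    $server = 'www.example.com';
    $cases = [
        // [referer, expected result]
        ['http://www.example.com/gallery.php',        true],
        ['https://WWW.EXAMPLE.COM/index.php',          true],
        [null,                                         false],
        ['http://other.example/?u=www.example.com',    false],
        ['http://www.example.com.other.example/',      false],
    ];
    foreach ($cases as [$referer, $expected]) {
        $result = referer_is_local($referer, $server);
        printf("%s referer=%s\n", $result === $expected ? 'ok  ' : 'FAIL', var_export($referer, true));
    }

    // Constant guard: first without the master page's define(), then with it.
    printf("before define: %s\n", var_export(included_internally('SOME_CONSTANT', 'secret_string'), true));
    define('SOME_CONSTANT', 'secret_string');
    printf("after define:  %s\n", var_export(included_internally('SOME_CONSTANT', 'secret_string'), true));
}
```

Two practical notes on deploying this. Guard 2 only inspects a header that the browser chooses to send, so it keeps casual address-bar fetches out but not a client that omits or sets Referer itself; the `<Files>` block in httpd.conf is the control that actually stops direct downloads of the .inc files. On Apache 2.4 that block's `Order allow,deny` / `Deny from all` pair is written `Require all denied`.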