Sorry your browser is not supported!

You are using an outdated browser that does not support modern web technologies, in order to use this site please update to a new browser.

Browsers supported include Chrome, FireFox, Safari, Opera, Internet Explorer 10+ or Microsoft Edge.

Geek Culture / PHP security

Author
Message
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 31st Oct 2006 20:20
Link
How can i add some security to php so that it cant access (read, modify or write) any file above the web directory.

So it cant go above:



Back to top
Profile PM
PowerSoft
20
Years of Service
User Offline
Joined: 10th Oct 2004
Location: United Kingdom
Posted: 31st Oct 2006 20:53
Link
.htaccess files, and Apache config (I'll presume its Apache as you haven't specified...)

Back to top
Profile PM Email Website
Chris Franklin
19
Years of Service
User Offline
Joined: 2nd Aug 2005
Location: UK
Posted: 31st Oct 2006 21:05
Link
why not read? then noone can read it from outside the control panel just use permissions

My nvidia compo entry
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 31st Oct 2006 22:02
Link
Quote: "How can i add some security to php so that it cant access (read, modify or write) any file above the web directory."

Learn not to program in a way which allows hackers do get code into your site (XSS, Injection, etc).

Alternatively, you could host the site on a seperate drive. Alternatively you could use an OS with far fewer security holes (like linux )

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 31st Oct 2006 23:02 Edited at: 31st Oct 2006 23:05
Link
i am trying to setup a shared host, with me and my freind. But he showed me this php script he uploaded it and it could see every file on my hard drive I really need to find a way to not let it go out of the web directory.

I am using Apache,PHP,MY SQL and open ssl

any help apreciated,
Alex


Back to top
Profile PM
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 1st Nov 2006 00:43 Edited at: 1st Nov 2006 00:48
Link
Quote: "But he showed me this php script he uploaded it and it could see every file on my hard drive"

Well... what did you expect? If you don't want that script to see all your files - don't have it stored on the server! It's quite simple really...

If a hacker is at the stage where they can upload files to your server, then it's too late - there's no amount of MySQL/Apache/FileSystem based security that will prevent someone from trashing your server if they guess your FTP password :S

There are two kinds of security you need to implement. chroot jails and general file permissions. the chroot jail will stop me uploading files to directories outside my designated area.

File permissions will get you half way to what you want to achieve - i.e. stopping someone reading /home/alex from their web application.

I can read files outside of my public_html directory. Like the /etc/ directory and such. However, I cannot read someone else's home or public_html directory because the host has spent a lot of time permissioning the whole system correctly.

The answer does not lie in restricting what scripts can do, it's configuring your file permissions, users and groups properly.

Something tells me you're trying to run before you can walk...

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 1st Nov 2006 01:09
Link
Quote: "chroot"

Can that be done on a windows "server"? I thought chroot was a linux thing?

Quote: "Something tells me you're trying to run before you can walk..."

something told everyone

Fair enough, everyone has to learn somewhere... However, Hi!, so far this week you've been asking about webserver admin and DNS hosting. To kind of make matters worse - I get the impressions you're trying to do all this with a live server?
Possibly bite a little less off - it makes chewing easier.

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 1st Nov 2006 07:59 Edited at: 1st Nov 2006 08:00
Link
if i placed an .htaccess on my hard drive at higest level C:/ with this code:



and then placed an .htaccess in my web server with:



would this stop anyone going in any of my directors above my webserver one?


Back to top
Profile PM
Jeku
Moderator
21
Years of Service
User Offline
Joined: 4th Jul 2003
Location: Vancouver, British Columbia, Canada
Posted: 1st Nov 2006 10:07
Link
Dude, use Google already

http://www.codercafe.com - My blog
Ben Stein's Christmas Thoughts
Back to top
Profile PM Website
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 1st Nov 2006 10:45 Edited at: 1st Nov 2006 10:45
Link
Quote: "Can that be done on a windows "server"? I thought chroot was a linux thing?"

Silly me. If I put my columbo hat on, I think this guy's platform is more than likely to be Windows.

Quote: "if i placed an .htaccess on my hard drive at higest level C:/ with this code:"


Server side scripts can do what they like. They sit below the Apache layer, wreaking havoc as they see fit. Apache can only control web requests, not PHP. Now, I've done some research (and I have to point out, it wasn't that difficult to find) and there's an ini setting for PHP called open_basedir. You could do some kinda jiggery pokery with auto-prepend, dynamically setting someone's base dir... but I'm not quite sure how secure that would be.

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 1st Nov 2006 10:47
Link
Or get linux

[center]
Back to top
Profile PM Email Website
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 1st Nov 2006 10:53 Edited at: 1st Nov 2006 10:55
Link
I was just gonna say, my suggestion doesn't stop someone uploading a file that bypasses all the PHP security, or just accessing the shell directly.

Doesn't matter how tight my server's security is, I can still shell out commands and run "cat /etc/php.ini" to try my luck.

To be brutally honest, I'm horrified that you offered your services to the blackout team (I think it was you, sorry if it wasn't). They were suffering from repeated malicious attacks, so you come to the rescue? I don't want to be mean, but jesus man, this is beyond jumping into the deep end.

My advice? Don't try and host services on Windows XP.

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Kentaree
22
Years of Service
User Offline
Joined: 5th Oct 2002
Location: Clonmel, Ireland
Posted: 1st Nov 2006 10:57
Link
Correct me if I'm wrong, but doesn't the Apache config file let you set a website's root? I.e. when you access /index.php, instead of accessing it in your root dir, it uses the website's root address, such as /var/wwwroot/website?

Nephin Games
Devhat Developer Network and IRC Channel
Back to top
Profile PM Email Website
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 1st Nov 2006 11:04
Link
The point is, he wants to stop PHP from accessing the file system. Doesn't matter what my apache web root is, I can still glob("c:/*") or glob("/etc/*") from within PHP.

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 1st Nov 2006 11:05
Link
Possibly - however...
1) You're working on the basis that the server is linux - I dont think Windows has such security
2) Depends if PHP is installed as an Apache mod or as CLI. In any case, both situations run the script locally so I wouldn't be surprised if you can write scripts to get to file contents.

Basically, the server setup is incorrect - any decently configured server would have a permission set which restricts access to folders. This is done in linux via the owner/group/guest (or whatever its called) method. In windows I think you can apply man owners and groups as well and controlling anonymous access to folders - but I think the drive HAS to be NTFS.

Even "proper" hosts (such as my ex-hosts, Supanames) get their security ballsed up every now and again. I found I could write a script in PHP which used the exec() function. I was hoping to write a script I could invoke once a day which produced a compressed tarball of my site I could download as their FTP server was pathetic (took ages to create a connection and then only allowed 2 at once (one for browsing, one for downloading) which meant it took ages to download or upload anything). After asking them for support on the topic I was a little shocked. Instead of helping me with it, they temporarily locked my FTP access and started faffing about with the security settings in PHP. When I was finally allowed back in they'd disabled exec(). I can kind of see why - but I wanted to use it for a legitimate purpose, not for running "ls /home/joeblogs/httpsdocs/" or something...

[center]
Back to top
Profile PM Email Website
Zappo
Valued Member
20
Years of Service
User Offline
Joined: 27th Oct 2004
Location: In the post
Posted: 1st Nov 2006 12:43 Edited at: 1st Nov 2006 12:44
Link
Most shared Web servers run PHP in safe mode which adds some restrictions that might help.
As Adr said, the open_basedir is what you want to look at but its better to place restrictions using your OS if you can. With Linux this is easy (as mentioned) but I am not 100% sure about how to do it in Windows. You could possibly have a look at running the Apache/PHP service as a particular user and then using the NTFS security restrictions to only allow that user access to the Web folder. Never tried sharing an Apache server under Windows but it gives you something else to research
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 1st Nov 2006 14:05
Link
Quote: "Never tried sharing an Apache server under Windows"

Any particular reason? I'm sure Windows makes a fantastic server. I mean think about it - even if you get locked out of it, given enough time you'll find another way in

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 1st Nov 2006 22:14 Edited at: 1st Nov 2006 22:17
Link
Quote: "To be brutally honest, I'm horrified that you offered your services to the blackout team (I think it was you, sorry if it wasn't)."


I have got a paid host....
But i want to set up my own server so i dont have to pay


Back to top
Profile PM
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 1st Nov 2006 22:50
Link
Quote: "But i want to set up my own server so i dont have to pay"


Nothing is for free...

The money you save on hosting you'll spend on a sever, connection, legal OS License many times over.

To give you an idea how much proper hosting can cost... We recently changed from a self-managed server at Redbus to a managed option with Rackspace. The rack alone was costing £600 a month with the added cost of a leased line at about £200 a month. Thats before even adding the cost of servers, switch and firewall!
Rackspace works out cheaper plus if we need anything done to the server I phone and ask and it gets done.

There is a case for knowing how to do things yourself, but there is next to no case for doing the whole thing yourself unless you're a very large company - but even then, companies use other companies. Rackspace provide hosting for companies like Microsoft and Nikon. Even Microsoft admit there is no point self-hosting!

My advice: If you want to learn about hosting, forget windows. Start to learn and play with a Linux install. You can get a cheap old PC and install Linux on it and then just leave it running in the corner of your room and just play with it. Learn how to use linux at home. Dont bother with trying to be your own host - its REALLY not worth the effort.

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 1st Nov 2006 23:04
Link
I have already got a linux machine with suse on it but it hasnt got any net conection at the moment


Back to top
Profile PM
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 1st Nov 2006 23:10 Edited at: 1st Nov 2006 23:12
Link
For some reason i get some strange ip address confliting thing when ethernet connection is enabled

heres my network digram



Attachments

Login to view attachments
Back to top
Profile PM
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 1st Nov 2006 23:14 Edited at: 1st Nov 2006 23:16
Link
If you're doing this as a learning experience, then that's fine. But you can't operate a publicly available hosting service on a residential line.

--- EDIT

To answer your diagrammy question, the second windows machine (not the one connected to the modem) would need to be configured as a bridge.

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 1st Nov 2006 23:23
Link
how do i set up a bridge?


Back to top
Profile PM
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 1st Nov 2006 23:38
Link
In windows XP, right click "My Network Places", click "properties". Highlight the two network connections you would like to bridge, right click, click "bridge".

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 2nd Nov 2006 08:28 Edited at: 2nd Nov 2006 08:29
Link
Once bridged will the linux automatically detect the internet connection?


Back to top
Profile PM
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 2nd Nov 2006 10:50
Link
I don't know.

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 2nd Nov 2006 11:08
Link
hi!
1) "Running before you can walk"
2) You'll probably need to sort out the following:
IP Addresses - The bridging MIGHT sort this out for you - but still - you need to be sure the windows ethernet and the linux ethernet are on similar addresses and also have the same subnet mask.

Name resolution - check /etc/resolv.conf on the linux machine. Either needs to be the ip address of the ethernet card on the windows machine OR the IP of your ISP's DNS server's. Not sure which.

The Gateway - run ifconfig (maybe ifconfig eth0) to check your network settings. You might need to set the gateway to the IP address of the windows machine.

Alternatively, invest in a router - I assume you're on ADSL? you can get VERY cheap ADSL wireless modem routers now.

[center]
Back to top
Profile PM Email Website
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 2nd Nov 2006 11:12
Link
I was gonna suggest buying a wifi-ethernet bridge, so he can just "plug" the linux machine into router, whilst still maintaining the wifi connection. But that would still require a router....

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 2nd Nov 2006 11:16
Link
Oh.. but... damn... I forget:
Quote: "so i dont have to pay"



[center]
Back to top
Profile PM Email Website
adr
21
Years of Service
User Offline
Joined: 21st May 2003
Location: Job Centre
Posted: 2nd Nov 2006 11:46
Link
I would highly recommend not connecting the linux machine to the internet while you're still learning. The last thing we need is an open relay... If possible, do everything from within your own LAN.

[center]
game dev ... is like a bouncy castle full of breasts - VanB
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 2nd Nov 2006 11:58
Link
Quote: "The last thing we need is an open relay"

Haha... Just had an image of hi! managing to DHCP bomb his ISP in the name of learning!

Someone once did that at Essex Uni. Each room has 1 network socket but this guy has a WIFI router. He accidentally plugged the socket into a LAN socket rather than the WAN socket and ended up DHCP bombing god knows how many people's machine. The techies had to go around and reboot all the switches one by one!

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 2nd Nov 2006 23:25
Link
Quote: "Name resolution - check /etc/resolv.conf "
in this file it just says:


What do i write to add the ip address in?

Quote: "gateway to the IP address of the windows machine"
How do i add this to linux?

Thanks


Back to top
Profile PM
Chris Franklin
19
Years of Service
User Offline
Joined: 2nd Aug 2005
Location: UK
Posted: 4th Nov 2006 23:28
Link
Quote: "Quote: "Name resolution - check /etc/resolv.conf "
in this file it just says:
+ Code Snippet

###BEGIN INFO
# modifed by network manager
# Process: usr/bin/NetworkManager
# Process_id: 5211
#
### END INFO



What do i write to add the ip address in?

Quote: "gateway to the IP address of the windows machine"
How do i add this to linux?

Thanks"


Imo i don't know this myself but if you don't know how to do this there's no point in trying to host it just won't work

My nvidia compo entry
Back to top
Profile PM Website
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 5th Nov 2006 00:24
Link
This is one of the few time I actually fully agree with Chris... You're REALLY trying to run before you can walk.

To answer your question(s)...
1) Resolve.conf - lookup the manual. In linux, generally everything has a manual. To view the manual, type "man [command]"... For example:
$ man touch
$ man ls
$ man resolv.conf

Basically you need to add the nameserver line. My home server has nameserver 192.168.1.1 (192.168.1.1 is my router).

2) Not 100% sure, it might be different for each distro. I think you use the ifconfig command. Which distro are you using?

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 5th Nov 2006 14:00
Link
I got it all working now anyway


Back to top
Profile PM
Nicholas Thompson
20
Years of Service
User Offline
Joined: 6th Sep 2004
Location: Bognor Regis, UK
Posted: 5th Nov 2006 14:32
Link
Quote: "I got it all working now anyway"

Congratulations... trust me, it wont be the last problem you have with linux

[center]
Back to top
Profile PM Email Website
AlexI
19
Years of Service
User Offline
Joined: 31st Dec 2004
Location: UK
Posted: 6th Nov 2006 19:20 Edited at: 6th Nov 2006 20:49
Link
Thanks for your help


Back to top
Profile PM
a_coppard
18
Years of Service
User Offline
Joined: 6th Nov 2006
Location:
Posted: 6th Nov 2006 20:45
Link
Found a great forum, well a while back and for PHP etc. they have a great poster SarahG pay the forum a visit. http://www.pwdmag.co.uk/forum/index.php

a_coppard
http://adamacs.wordpress.com
Back to top
Profile PM
Back to top

Login to post a reply

Server time is: 2024-11-17 19:23:12
Your offset time is: 2024-11-17 19:23:12