I've had a good look around here for articles relating to this and nothing I see seems to work. Let me start by explaining my situation.
I have a load of files and folders (directories) inside a .htpasswd/.htaccess protected folder. These are sat on a Windows Server running xamp apache.
On this server (and within this folder) I have a single .php page which pulls in database records & assets from with the folder & sub-folders. The assets are organised, but all over the place.
I have a linux server with a php file and I am trying to embed that single php file using iframe ideally (as its easy for format). Issue is it's still asking me to provide the credentials to login to the .htaccess site.
I tried to create a php file above the password protected directory to load the php file within using file_get_contents however that still asked me for the password.
I tried moving the file outside of the directory, but because all the assets are in the directory, it again asks for the login credentials...
WHAT DOES WORK
I tried editing the .htaccess to add my server IP however this didn't work as the iframe which loads it is a browser. Adding my device public IP works which is a nice proof of concept, so I am thinking is it possible to make something serverside load the content? rather than an iframe which renders & loads browser side
Alternatively, any workarounds I have missed?
Thanks
UPDATE 1
if i echo file_get_contents('local_file_path') I just get a screen of junk
$fixture) { # check if today $today = date("Y-m-d"); $fixturedate = $fixture['date']; if ($fixturedate == $today) { $this_fixture = ['title'=>$fixture['title'], 'hometeam'=>$fixture['hometeam'], 'homegoals'=>$fixture['hometeamgoals'], 'homecards'=>$fixture['hometeamcards'], 'awayteam'=>$fixture['awayteam'], 'awaygoals'=>$fixture['awayteamgoals'], 'awaycards'=>$fixture['awayteamcards'], 'progress'=>$fixture['progress']]; array_push($game_array, $this_fixture); } } } ?>
# " . date("G:i") . ""; ?>
No fixtures today..."; } echo ''; include "../connection.php"; //Connect to Database # GET Logos $lsql = "SELECT `fixture_list`.*,`logos`.* FROM `fixture_list` JOIN
if I do a require 'local_file_path' it's better but none of the file paths match up as they're all relative in the original document
I have a few Ideas you can try:
Option1
AuthUserFile /var/www/mysite/.htpasswd
AuthName "Please Log In"
AuthType Basic
require valid-user
Order allow,deny
Allow from 127.0.0.1
satisfy any
I've never personally tried this, so you may have to use the servers outbound IP (maybe). The idea is to allow access from a specific IP, localhost, without the login.
Option2
You could include the file by path (not url),
if I do a require 'local_file_path' it's better but none of the file paths match up as they're all relative in the original document
It's possible to set the working directory of PHP using chdir().
http://php.net/manual/en/function.chdir.php
bool chdir ( string $directory )
Changes PHP's current directory to directory.
set_include_path() may also be an option.
Option3
You could use cURL and login, the example I found is by command line but it might also work using PHP's Curl.
$output = shell_exec('curl -A "Mozilla" -L "http://user:password#domain.com/api/someapi.php"');
This may also work with file_get_contents, by adding the password and user to the url, however it will probably be recorded in the server access logs, which may or may not matter to you.
It's always preferable to access files on your own server by path, it's much faster then doing a network request. And less visible log wise.
I'm sure there are a few other tricks.
Related
I have an SPA that uses AJAX calls to assemble content from multiple PHP files. I can add the following into the main application's config file to be able to redirect users that are not logged in back to the login page as long as they tried going through the portal to look at stuff.
// Verify Login to access this resource
if($_SESSION["loggedIn"] != true) {
echo ('resource denied <script>window.location.href = "https://'.$_SERVER['SERVER_NAME'].'/login.php";</script> ');
exit();
}
The problem comes in that there are tons of views, models, controllers, and third party widgets that can still be accessed directly if you simply tried scanning the site for common file architures.
Is there a way to use something like an htaccess or php.ini file to automatically append this login check to all of the php files in a directory so that I don't have to paste this into each and every page?
Baring that, is there a way to set my chmod settings to only allow indirect access to those files such that php scripts running on the server can use them, but they can not be directly visited? Thanks.
[EDIT]
Moving files outside of my public folder did not work because it broke the AJAX.
I also tried auto_prepend_file in an htaccess file, but this resulted in a 500 error. I am using a VPS that apparently won't let me do an AllowOverride All in my Apache pre_virtualhost_global.conf; otherwise, I think that would have been the right way to do this.
Setting the CHMOD settings of my resource folders to 0750 appear to be allowing the AJAX commands to execute without allowing direct access to the files. If anyone knows of any other security caveats to be aware of when doing this let me know. Thanks.
I have a small page that contains the connection data to my MySQL DB, which I include in other pages that require it. The small code is:
[connect_DB.php]
----------------
<?php
define("HOST", "localhost");
define("USER", "myUser");
define("PASSWORD", "myPasword");
define("DATABASE", "members");
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
?>
A friend of mine proved to me that he can download the .PHP file, and in less than 2 min, he did. That means he got the login info for my MySQL server. And I was wondering if there existed another way of connecting with the database, without putting the password in a file, etc. He recommended me use SSL or TSL, or simply configuring the HTTPD.CONF or .HTACCES to not allow "exterior" access to the file. Is that correct or achievable?
I am actually testing this on Wamp Server (Win7), and I cannot create a .HTACCESS file because It tells me to enter a name for the file (which I am already introducing! :( ) every time I try to name it that way.
I understand that this may be a duplicate question, but believe me I read a lot of t hem but I don't understand what should I do. In advance, thank you.
I am pretty sure that your host Provider is not parsing the PHP files, because it would not be possible to download the sources if they'd pass the interpreter.
Make sure you have PHP installed, configured and activated, contact your provider's support in case of questions. The easiest way to test this is to upload a file:
test.php
<?php phpinfo(); ?>
To protect a file it's enough to put the your database config php outside of public_html, html or htdocs directory (one of these is most likely to be your document root), where you still can include(); it via PHP.
Other solution is to protect the file via .htaccess where you put something like that inside the file and upload it to your document_root:
<Files db_config.php>
deny from all
</Files>
To add a little more security,
you can protect the db_config.php by adding this on top:
if (!defined('IN_MY_PROJECT')) {
die('forbidden');
}
and put this on top of your index.php:
define('IN_MY_PROJECT', true);
Most likely, Your server is not setup correctly, meaning the PHP engine is not running, so its just sending or displaying the file contents back as say text/html and not being parsed by PHP. This is the only way that some tool like you mentioned in comment could possibly access the file, a tool like that would also not see the file if there was not a link to it somewhere, so perhaps you have Directory Indexes enabled to.
To test you have PHP enabled simply make a file and put in it:
<?php phpinfo(); ?> if it displays your php info then im stumped, if not then its proof your server is misconfigured for PHP.
Though once fixed, it is good practice to put sensitive files outside of your web root. And not a good idea to set your values in constants as a function like get_defined_constants() will give access to the sensitive values. Just put them directly in the construct arguments.
if you want to block access to a directory where only PHP can access you make a .htaccess file with deny from all in it, this will cause the server to send a 403 Forbidden.
Good day all,
I have a folder called documents in my site root, this is password protected by a .htpasswd file, but it is allowed to be accessed by a script to view.
how would I allow a script to be able to download the file without accessing it directly from the directory?
I'll give an example to explain the situation.
on my home page I display the picture test.jpg, this image is in the documents folder that is protected. The image displays correctly on the home page.
If type in the address bar www.domain.com/documents/test.jpg it does not display or downloads, but asks for a password.(this I want, but don’t want people to type in a password for each file they want to download)
Is there a way that I can make php or JavaScript download the document without ever having to prompt for a password? Other words bypass the .htaccess rule?
thanx in advance
I've retagged adding PHP and Javascript. There is nothing stopping you writing a remapper PHP script which is outside the documents folder and therefore accessible without Apache authentication. This could issue a readfile() to send the file (see the document example and user contributions for a more detailed explanation. Since this is a server-side script, it will have direct access to the protected directory.
Of course you might want to implement some form of access control, say appending a request parameter check which is based on the md5 of the filename plus a shared secret. This would be easy to compute in the calling script. However, once you move such access negotiation to a client-side script you need to accept that this could be retro-engineered and exploited by any experienced hacker.
As a footnote, if you want to allow users to download your images, why are locating them in an access controlled directory. Why not just move them out of this directory?
As Barry said, the .htaccess is processed before any PHP is, so bypassing it is not an option. You will have to either change the .htaccess configuration or write a remapper PHP script.
I suggest changing the .htaccess configuration to allow direct download links but deny directory listing. This will allow people to download direct links such as http://www.example.com/documents/some-file-name.ext without being prompted for a password, but they will have to know the link ahead of time - they won't be able to view the /documents/ folder to see everything in there.
You can do this by commenting out or removing the Auth directives:
#AuthUserFile /path/to/.htpassword
#AuthName "Name"
#AuthType Basic
#Require Valid-User
And adding a directive to block directory listing:
Options -Indexes
I have searched it all around but couldn't find it all i want to know is i have a folder called temp like
->public_html
-->temp
now how do i restrict a user from accessing it from outside server like it gives an error when someone includes it in their php script? i want to do it through php not through .htaccess or apache i tried chmod but it restricts the whole website from the local server only. i have done the constant thing also but if someone knows the constant name then he can still extract the data.
You can't include a remote PHP file. If they have allow_furl_open and allow_url_include set to true and use include('http://yoursite/temp/yourfile.php'), then what gets included is the output of that PHP file. Not the PHP source itself.
So when you have a php file with the following contents:
<?php
$password = "secret";
echo "Test";
?>
And someone includes that file remotely, they'll only get "Test" back, which isn't valid PHP syntax. They won't be able to see the contents of the file, only what gets outputted. The file runs on the remote (or in this case your) server. Whoever includes it gets the output after execution on that server.
So you don't have to do anything like if (!isset(some_magical_constant)) die("Go away!"), that's just plain silly, but unfortunately I've seen it all over the web.
htaccess, only way I know of... don't think it's possible with PHP
<Directory /public_html/temp>
order allow,deny
deny from all
</Directory>
Put an empty "index.html" file inside your "temp" folder. This prevents user from seeing the contents of that folder. Which basically makes it impossible for users to work around it.
As for including it in a script, people have to know what files are in it to use it in a script.
I have an config.php file where I simply make an huge array that contains all the framework configuration. Also the database source string thing like "mysql:host=localhost;dbname=mydb" (whats that called, btw?) and username + password for DB. I'm afraid this is:
stupid
not good; better solution there
not secure (?)
so how do the PHP experts do that?
If you have a www, httpdocs or public_http folder or something like that, where your php application is situated, then it is good practice to put the config file outside of that folder, and just access it like this:
include "../config.php";
Nobody can gain access to that file without FTP access, and so it's relatively safe compared to having it in the application folder.
If you don't have such a folder, you can create one, and make a .htaccess file in the root, which redirects all requests to that folder. There are many different ways to do that, but that's a different question all together.
I store it in a plain text ini style configuration file, usually above the web root so as not to allow users access to it. In the cases where it is accessible, I usually have a .htaccess file with deny from all so as to prevent all access to it.
Storing it in a PHP file accessible to users should be fine, but it isn't ideal. If the sever handles PHP files correctly, even if people can access the file, they can't access the values as they just get the output (nothing). There are of course issues with this, (see comments).
Using PHP files is the most common method with PHP projects (Both FOSS and commercial) I have used. Most of them didn't both storing them above the web root. With any stable setup, there is on the face of it very little point in storing your configuration file above the web root, although given Murphy's law it is worth doing if you can (That or use .htaccess or the equilivent for your server to deny user access to a directory)
That's how most do it, but you could also try some of these solutions:
Save the configuration file outside the web folder (this requires that the open_basedir configuration in PHP is disabled).
Restrict access to the configuration file by using .htaccess:
<Location /config.php>
Order deny,allow
Deny from all
</Location>
Use .ini files and the parse_ini_file function (this is not really a solution in itself, but could be combined with the others)
Why storing DB username & password in "config.php" is not fine? as long as i know, the data in this file can't be shown publicly.
E.G.
<?php
$DB_User = "amindzx";
$DB_Pass = "Something";
// connect to DB and so on.
?>
unless if the hacker can gain access to your FTP.
Why it's stupid to hold simple config.php file without any securities? Even if programmer finds this file he can do nothing, because, like amindzx said "this file can't be shown publicly." Or I'm wrong?
With sensitive info like database or payment gateway credentials, and when I have control over the server, I like to add lines like the following to my apache virtual host config:
SetEnv DB_USER "myuser"
SetEnv DB_PASS "mypass"
In your PHP, you can access these using $_SERVER['DB_USER']. You can make this config file readable only by root, which you can never do to a file that php accesses at run time. One caveat: Be sure you disable php_info and don't expose these variables with something silly like print_r($_SERVER). (Much of this is paraphrased or stolen from here.)
For non-sensitive configuration, I like to do a class full of constants, which is similar to your setup, but I like the OOP-ness of it.
class Application
{
const CONTACT_EMAIL = "me#mysite.com";
}
usage:
$contactEmail = Application::CONTACT_EMAIL;
I usually store settings in a config.php too, such as database connection settings, file paths etc.