Sorry for my English and probably stupid question, but being amateur in web programming I can't find a definite, short answer for the following questions:
what is the danger of allowing Joomla user to upload PHP file from the front-end, and
is there any way to prevent the risks in (1), while allowing user to upload PHP script?
Thanks in advance!
CBroe's answer outlines the risks of letting users upload PHP script files to your web server. There are applications that allow this functionality by using automatic code generators that create the PHP script files server side, providing some kind of UI for users to do so. Some of the Content Construction Kits (CCKs) do this. Others allow authorized users (administrators) to edit PHP files directly, which mitigates the security risks by relying on trusted users to not do harm. A third approach is something like Facebook's, where they require users to host the PHP script files on the user's own server, but provide an API and SDK to integrate those apps into Facebook's system.
Related
I am trying to build a web CMS application using php and SQL. I haven't fully learned Laravel yet and I may need more time to complete my course. My question is, does Laravel come in with built-in extra security or is it the same as coding in our php. No one told me this, I have a feeling, I would have to do a lot of manual coding to secure my app using pure php.
Please fill me in with your expert suggestions.
Moen
Using a framework does not secure your code magically. You still have to protect it.
you can see your web app as a house with many doors. with pure PHP, you will have to build your doors before using them. On the other side, Laravel (or any framework) comes with built-in doors but if you don't use them, your app will not be secured.
Example of protections simplified with Laravel
CSRF protection https://laravel.com/docs/5.3/csrf
SQL injections using Eloquent https://laravel.com/docs/5.3/eloquent
Form validation https://laravel.com/docs/5.3/validation
All protections listed above can be done with pure PHP but you will have to write a lot of code.
I know this is several years too late but figured I would add in, locking down your laravel project once in production does not take too much effort. If you utilize #csrf and form validation as stated above that will cover your "doors" there. On top of using something like fail2ban on the server and pointing everything to the public folder within your laravel application will reduce Brute forcing and deter a lot of the common PHP web scans that come in daily from malicious IP addresses. On my servers I typically see certain IP addresses scanning for common php, phpmyadmin, and mysql.php files that do not turn up any 200 http responses. In addition, having the final product/compiled version of the site in it's own directory and implementing all your 3rd party creds within the .env (which is required to link your laravel project to a db) file, make it hard for malicious actors to find system files and credentials.
In addition, the authentication out of the box does all the hashing for you "secure Bcrypt and Argon2 hashing". In addition to hashing, it has been noted that the Hash::make function creates and uses a 22-length random string as a salt to generate the password, from question Where are laravel password salts stored?. Which references a Wordpress article on laravel hashing and salting Laravel Hash::make() explained. Hopefully that helps anyone reading this.
If you are deploying a laravel site to a VPS or whatever, then I would highly recommend daily or at least every two days coming the access logs and deny ##IP address##; anything that is trying to access URIs they are not suppose to access (since you built it you will know what they should and shouldn't be accessing), and implementing fail2ban to greatly reduce ssh brute force. If anyone needs more info or has more questions about maintaining a laravel website in the wild/linux server, I am always here. Coming from someone in the Cyber Sec industry , that freelances web development
I have password protected a folder using .htpasswd and .htaccess that contains digital assets that I want to control the downloading of using php.
I was planning on offering a download link using the mechanism:
http://username:password#www.website.com/directory/
However, I don't want people to have access to the username and password. In other words I want to make a php gateway file with a different url that decides to offer the download or not, based on information available in the database.
This is a security thing, so I'm not confident of where to start with this. I'm sure I could hash together some code but I'm not confident about it. How can I do this securely? Any help greatly appreciated.
If you have the technical possibility I would suggest you even store the assets outside of the web accessible folders so you don't need to rely on htaccess for protection. That way your PHP gateway script is the only way to access those files.
I won't go into details about writing the script itself, there are multitudes of ways to do that and it very much depends on your requirements what is best, so more information would be needed to give some advice to that. If your assets are very big then streaming them through your script might not work due to memory/time limitations, in that case you could symlink them from the safe location to a public location with a randomly hashed path/filename for a limited time and give that link out.
Good day. Can anyone help me on how to access the user app data using a php code? Is there any built-in function for these? If you have any idea, please help. Badly needed.
heres a sample of the directory i want to access
C:\Documents and Settings\MyDocumentName\Application Data\
thanks in advance
Not (entirely) possible.
PHP code is interpreted on the server and the only thing that reaches the user's browser is the result of the PHP code. You could build an app with a form that allows the user to upload the contents of their Application Data directory to the server, but I don't think that it will turn out to be a very popular website.
Alternately, if you intend to interact with the user in a more intimate fashion, there are always avenues like Flash applications or (gasp!) ActiveX controls, but with browsers these days, most will flag your app as being a security breach and disable it.
This is the first time for me asking a question. Hope you'll be able to help me.
Problem: my chef wants our enterprise application to have a module which allows customers to upload very large files to our server.
Infrastructure: php 5.x / mysql client-server app
Well known problems:
-HTTP session time out
-Upload limit in terms of number of files and file size
Rules:
-The solution mustn't use any applet (java, flash, ...), neither any browser plugin.
-The solution should allow users to upload any type of files, from simple images to very large files of any other type.
-For security reasons, we don't want to change the settings in the php.ini file, neither in any .htaccess file to allow the app uploading larger files.
-If a pre-backed solution exists, it should be opensource and possibly free of charges.
-Integration with AJAX functionalities and progress bar visualisation are heavily welcome.
Possible solutions (tell me if it's possible, and if it isn't, why?):
-Access by FTP using some javascript library in the browser
-Access by WebDAV using some javascript library in the browser
Any other solutions that respect the above given rules is also welcome
I know, I'm asking for a very hard thing to find.
What you're asking for isn't currently possible. The only technology for uploading files which is currently available in all widely used browsers is standard HTTP form uploads, which you've already rejected as a solution. All other solutions available require Java or Flash, or use browser JavaScript capabilities (local file access) which are not fully standardized, nor universally available.
You'll need to relax some of your requirements.
Create an iframe or frame, or browser-window that offers access to the server via FTP. Allows users to drop files there for those browsers at least who support FTP.
I am developing a web application for my university project this summer and I am looking for some advice, The web application is to be deployed in to a windows environment that has around 500 users. The users will need to login before they can access the web application, this is where my first problem appears.
Do I need a way to export the users from active directory with their passwords on a daily basis. However I know that passwords are stored as a hash not clear text so id have to mimic the hashing in my web app. So do I use LDAP to authenticate the users for me? I would appreciate some advice of maybe a link to a resource that anyone knows that would be worth me reading.
Note.
The web application will be made in PHP with a sql database running on a windows server inside the same domain.
Thanks
PHP has an LDAP module that allows you to interface the Active Directory without exporting it.
Here is an example of implementing an LDAP authentication through php:
http://code.activestate.com/recipes/101525-ldap-authentication/
Since PHP has libraries to assist you with interacting with LDAP already then that might be the way to go. Exporting and managing users yourself sounds like reinventing the wheel.
Just contact the auth server using PHP::LDAP. This blog post shows a good example.