In my website i have a website verification process based on a file
The user has to upload in his root directory a empty file with a filename like this:
site-verification-$user_id.html
then my script use the php get_headers() function to check if this file exist, for example:
$headers = get_headers( "$user_website/site-verification-$user_id.html" );
if( preg_match( "|200|", $headers[0] ) { // ... website verified
everything works fine, but my question is, can this process be spoofed?
Yes, actually it's really easy to trick this mechanism. You just have to set up a webserver to catch all requests (e.g. via Apache's mod_rewrite configuration) and answer every single one of them with a valid response including HTTP-Status-Code 200 - pretty easy to set up.
If the User-Agent and/or IP of your webserver is known it would even be possible to lie specifically to your server while keeping up correct responses to all other visitors.
To be sure that this doesn't happen, you should give the user a randomly generated key that is then required as the content of the named file. You should then save the filename and the key in a DB and check both for compliance (analogous to how you would handle a combination of username and password).
This method is similiar to e.g. how you authenticate as the owner of a domain at Google Webmaster Tools. You can be pretty sure that only someone with access to the server can deposit this code at the specified address.
Keep in mind that "someone with access to the server" might still be someone without legitimate access. Also, an attacker executing a MITM attack between your own server and the server you are checking could send back whatever is needed to fool your server. Well, but then everything is lost either way.
Related
For security reasons, there is a certain file on my web server I want to be able to monitor access to. Every time it is accessed, I want to have an entry added to a MySQL log table. This way, I can actively respond to security breaches from within the web application.
The Apache HTTP Server provides logging capabilities.
The server access log records all requests processed by the server. The location and content of the access log are controlled by the CustomLog directive. The LogFormat directive can be used to simplify the selection of the contents of the logs. This section describes how to configure the server to record information in the access log.
It can be used to write the log to a file. If you need to store in a MySQL table, run a cron job to import the file into the database.
Further information on logs is here:
http://httpd.apache.org/docs/1.3/logs.html#accesslog
Its been removed from PHP7 but for anyone else who finds this post there are a number of options within the FAM (now PECL) extension. This function http://php.net/manual/en/function.fam-monitor-file.php seems to describe what is needed here
Additionally you can access a lot of detail about the files status with http://php.net/manual/en/function.stat.php. Put this within a cron or sleep driven script and you can then see when its changed.
The file may be accessed from three points:
Direct filesystem access
Call to the url like www.example.com/importantfile.jpg (apache serves the file)
Call to some php script on your server www.example.com/readfile.php?name=important.jpg which reads the file.
If you are concerned only about case 2 then check the solution of Rishi Dua.
But if you want more than that then you should write a script with fileatime() call and then add it to cron to run every minute for example.
The pseudocode for it:
<?php
$previous_access_time = get_previous_access_time(); // get the previous last access time from you remembered in db or textfile or whatever
$current_access_time = fileatime('path/to/very_important_file.jpg');
if ($previous_access_time != $current_access_time) {
log_access_to_db();
save_new_access_time(); // update the new last access time
}
This solution however has some problems.
First is that you can get only the access time but not the user-id or ip of who accessed the file.
Second is that as the manual says, some Unix system do not update the access time and so the solution would fail.
If you are seriously concerned about the security, then I think you have to check for some audit util like this
I need a way to block all access to a php file but to allow a javascript file that send xmlhttp request to it. that js file is hosted on my server and must stay on my server for it to work
I have the following
header('Access-Control-Allow-Origin: *');
but that allows anyone to access it.
Well, I don't think this would be possible. Anyone can make a request to your server but your server chooses who to respond to and how to respond to a request. Now, if you want only your JS to be responded to by your server, then you will have to inform the server at the time of making an HTTP request from your JS. That cannot be done without exposing your Javscript file's identity on the basis of which your JS can be identified by the server. But anyone can open your JS and read it and figure out how you are making the request and use the same thing.
One possible solution could be, use header('Access-Control-Allow-Origin: *') to allow everyone to make a request to your server but at the server's end, keep a list of allowed domains/origins in a database on your server who may use or are going to use your JS file on their website. Based on the AJAX request that you get, you check from your database that if the origin of the request is allowed or not and respond accordingly. Now, if someone tries to request your PHP file by any other means than your JS, on the basis of the data in your DB you can reject the request or accept the request. If an allowed user/website does this, then they will be knowingly messing around with their own data.
Try this:
if (empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) <> 'xmlhttprequest')
{
die('direct access is not allowed');
}
Also, you can always check referrer like $_SERVER['HTTP_REFERER'] to be sure that only your script from your domain can access it.
I want to prevent users from running my cron job manually. Apart from using an unpredictable filename I want to have some sort of check in code.
Obviously using any clientside headers is a waste of time so I thought the easiest way around this would be to detect the presence of $_SERVER['SERVER_NAME'] which as far as I know is not set in CLI.
Are there better ways of doing this?
Have a look at php_sapi_name. It returns the type of interface between web server and PHP.
Example:
<?php
if(php_sapi_name() == 'cli') {
// CLI
}
else {
// HTTP
}
For more information, and additional examples, have a look at http://www.electrictoolbox.com/determine-php-run-via-http-or-cli/.
in your .htaccess
Options -Indexes
order allow deny
deny from all
allow from YOUR SERVER IP ADDRESS ONLY
Check for IP address, if its local, or server ip then run it, otherwise return.
$ip = getenv('REMOTE_ADDR');
My cron jobs are in a folder that is password protected using htpasswd. You can set an easy password and be sure nobody will lose his time trying to access it. I don't use any IP-based techniques because this is a server dependency I don't want to have.
As far as I'm aware, the webserver (Apache/Nginx) provides the ($_SERVER['REMOTE_ADDR']) based on the claimed location of the requesting user agent. So I understand they can be lying, but is it possible that this value could be blank? Would the network interface or webserver even accept a request without a correctly formed IP?
http://php.net/manual/en/reserved.variables.server.php
It is theoretically possible, as the matter is up to the http server or at least the corresponding PHP SAPI.
In practice, I haven't encountered such a situation, except with the CLI SAPI.
EDIT: For Apache, it would seem this is always set, as ap_add_common_vars always adds it to the table that ends up being read by the Apache module PHP SAPI (disclaimer: I have very limited knowledge of Apache internals).
If using PHP in a CGI environment, the specification in RFC 3875 seems to guarantee the existence of this variable:
4.1.8. REMOTE_ADDR
The REMOTE_ADDR variable MUST be set to the network address of the
client sending the request to the server.
Yes. I currently see values of "unknown" in my logs of Apache-behind-Nginx, for what looks like a normal request/response sequence in the logs. I believe this is possible because mod_extract_forwarded is modifying the request to reset REMOTE_ADDR based on data in the X-Forwarded-For header. So, the original REMOTE_ADDR value was likely valid, but as part of passing through our reverse proxy and Apache, REMOTE_ADDR appears invalid by the time it arrives at the application.
If you have installed Perl's libwww-perl, you can test this situation like this (changing example.com to be your own domain or application):
HEAD -H 'X-Forwarded-For: ' -sSe http://www.example.com/
HEAD -H 'X-Forwarded-For: HIMOM' -sSe http://www.example.com/
HEAD -H 'X-Forwarded-For: <iframe src=http://example.com>' -sSe http://www.example.com/
( You can also use any other tool that allows you to handcraft HTTP requests with custom request headers. )
Now, go check your access logs to see what values they logged, and check your applications to see how they handled the bad input. `
Well, it's reserved but writable. I've seen badly written apps that were scribbling all over the superglobals - could the script be overwriting it, e.g. with $_SERVER['REMOTE_ADDR'] = '';?
Other than that, even if the request were proxied, there should be the address of the proxy - could it be some sort of internal-rewrite module messing with it (mod_rewrite allows internal redirects, not sure if it affects this)?
It shouldn't be blank, and nothing can't connect to your web service. Whatever's connecting must have an IP address to send and receive data. Whether that IP address can be trusted is a different matter.
So maybe the documentation is out of date, or I am just off here. But I have done a slew of FB iframe apps (connect), but I am starting my first FB Connect site. Running it from localhost, and the Connect URL is http:// my_external_IP_address. When I click on the FB login button on my site, it pops up, says waiting for facebook, and it returns my site in that box, with the URL up top with the http:// mysite/?session={session key, user_id, etc.} The user_id is infact my FB id. And so it thinks I am logged in. If I close the popup, I'm not logged in. I'm not sure why the pop up isn't doing the normal fb connect dialog. I'm following these steps.
(I added spaces to the http:// as to not be detected as 'spam')
html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
right after <body> <script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php" type="text/javascript">
At the end, before the body close tag: script type="text/javascript">
FB.init("fbkey", "http://127.0.0.1/xd_receiver.htm");
I have tried using xd_receiver.htm, /xd_receiver.htm (and other combos), and that brings up a blank page. using the http://127.0.0.1 at least does something.
In my config file, which is called before all of those, it checks for a PHP session key
to see if they are logged in, if that doesn't exist it looks for a cookie, and if that doesn't exist it does this:
require_once('includes/facebook.php');
$facebook = new Facebook($fbkey, $fbsec);
$user_id = $facebook->get_loggedin_user();
if($user_id > 0){
$user = $ac->getUserFromFB($user_id);
$_SESSION['user_id'] = $user['user_id'];
}
The user_id is always empty when I echo it out to the screen to test. The session event never occurs as well. So I don't know what it is doing in the popup, but I think Facebook thinks it is logging me in. Not sure. Pretty stumped on this one. Any help would be appreciated. Thanks!
I've personally found the easiest way to deal with facebook connect is to use winscp to sync my localhost to a server with a domain somewhere. Since fb connect is attached to an application, that application needs to be bound to a domain, which is where the api key gets generated. Somewhere in there, your localhost isnt working, unsurprisingly.
I don't know for sure but I suspect the problem is due to you running on your local machine.
My guess is that the Facebook server won't be able to find your machine on 127.0.0.1 as that is a local ip address. You could try using somewhere like whatisyourip.com to get your actual remote ip and use that instead but even then you would need to make sure that you have the necessary port forwarding set up for the FB server to be able to get to your local machine.
All in all, for this kind of site I think it would be easier to develop on an external server rather than a local environment.
Incidentally, I don't have to enter the second parameter for FB.init() - I just use
FB.init(fbkey);
If you haven't already, you could try taking that out completely to see if it helps.
Also I think that the script tag to include the facebook FeatureLoader.js should be before your </head> tag not after the <body> tag
Try editing your hosts file to point a hostname (doesn't matter what it is, as long as you set it as the hostname associated with your app in the settings) to 127.0.0.1, and then restarting your browser and visiting your local app via the domain you set in the hosts file. This should allow you to test most FB-related features. The main exception will be the Like button, because it depends on Facebook's servers also being able to access your app at the domain in question.
Example hosts line:
127.0.0.1 www.example.com
If you add the above you your /etc/hosts and restart your browser, you can replace the "127.0.0.1" component of the URL you're testing with www.example.com and it will be as if the domain associated with your app were indeed www.example.com