php scripts activating by themselves - php

All right so I've been looking all over the net and I can't seem to find any solution for my problem. My apologies if this has been asked in the past.
I'm sure there's a very simple answer for this: A while back I built a website for a client. This website has an administration system in which some pages are locked using a $_SESSION variable called 'level', which basically checks whether the user is an administrator or not. Furthermore, some pages are locked with the usual log in session variables, to ensure that only logged in people can access these pages.
Now the problem is that on two of my pages, the PHP scripts seem to run completely by themselves. The first page is just a page that resends all of the activation emails to every user in the DB. This page can only be accessed by being logged in, and being an administrator. The second page can only be accessed by going through PayPal. The PayPal script has fallback support which checks whether there are PayPal post variables.
Anyone know why these scripts are running by themselves? It gets bothersome when random emails are continually sent to customers or administrators. I probably did something wrong somewhere. I thought it might just be the Google crawler activating the scripts, but wouldn't the crawler have to be logged in to access the scripts?

It could be a number of things.
One approach could be that search engines are executing your scripts.
A couple of years ago I was hired to look into what could be causing the deletion of all pages made with their homemade CMS.
Looking through their access logs revealed that two search engines were trying to index the content in the administration frontend, including all the Delete page links.
The reason why this could occur was a combination of two things.
The first was the administrator's browser plugins from the two search engines. Documentation proved that pages a client visited were sent to the search engines from their plugin.
Secondly, when the search engine attempted to index a session-protected page, the original developer of their CMS forgot to put an exit; after the header('Location: ...'); part, which meant that the rest of the code on the page still got executed.
The solution
I fixed the problem by adding exit; to the code:
if ( ! isset($_SESSION['level']) )
{
    header('Location: login.php');
    exit; // stops further execution of code
}
I hope this can help.
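To find other guards with the same missing exit; across a code base, the check can be automated. The following is an added example, not code from the answer: a heuristic scanner built on PHP's tokenizer, with a hypothetical function name and a constructed sample input.

```php
<?php
// Added example (not from the thread): heuristic scan for header('Location: ...')
// calls whose next statement is not exit/die. The function name is hypothetical.
function find_redirects_without_exit(string $source): array
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING || strcasecmp($tok[1], 'header') !== 0) {
            continue;
        }
        // Collect the call's text up to the ';' that ends the statement.
        $stmt = '';
        for ($j = $i + 1; $j < $count && $tokens[$j] !== ';'; $j++) {
            $stmt .= is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
        }
        if (stripos($stmt, 'location:') === false) {
            continue; // some other header, e.g. Content-Type
        }
        // Skip whitespace and comments, then expect exit or die.
        $k = $j + 1;
        while ($k < $count && is_array($tokens[$k])
            && in_array($tokens[$k][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $k++;
        }
        $next = $tokens[$k] ?? null;
        if (!is_array($next) || !in_array(strtolower($next[1]), ['exit', 'die'], true)) {
            $findings[] = $tok[2]; // line number of the header() call
        }
    }
    return $findings;
}

// Constructed sample: the first guard omits exit, the second has it.
$sample = <<<'PHP'
<?php
if (!isset($_SESSION['level'])) {
    header('Location: login.php');
}
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}
PHP;
print_r(find_redirects_without_exit($sample));
```

Being a heuristic, it also flags redirects that are followed by return; or that sit inside a helper which exits elsewhere, so each finding needs a manual look.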

Check the access logs of your server and see when and what is calling those pages (if they are being called).
If something is accessing those pages (spider, person, etc) that shouldn't be, you have a security issue.
I highly doubt the scripts are 'calling themselves'

To find why they are being called, after you check if the session variable is set, and you find it isn't, add
file_put_contents('./log/log.txt', print_r($_SERVER, true), FILE_APPEND); // true makes print_r return the text instead of printing it
Create yourself a directory "log" and a writable file "log.txt" and the source should appear in there.
The other useful function is debug_backtrace(). Bit trickier to use this, but:
$aBack = debug_backtrace(); // call stack that led to this point
if ($handle = @fopen('./log/log.txt', 'a')) {
    // Index 0 is the current frame, so start at the caller.
    for ($i = 1; $i < count($aBack); $i++) {
        if (isset($aBack[$i]['file'])) {
            fwrite($handle, $aBack[$i]['file'] . '/' . $aBack[$i]['line'] . "\r\n");
        } else {
            fwrite($handle, 'Anonymous function' . "\r\n");
        }
    }
    fclose($handle);
}
Should give you a log of what path was used. (Code typed verbatim - sorry for typos, but you should be able to work out from there)
Note that most client information (IP, referer etc) is forgeable, but the calling URI isn't. It'll give you lots of info about what's calling them.

Related

How to retrieve a value from website with password protected login

Problem
I want to be able to login to my account, retrieve a value from a website while logged into my account, and then print it to a web page.
In particular, I want to retrieve the number of problems I have solved from Project Euler and then print it to my website.
Now, I know how to retrieve a value from a particular web page.
My Code
Disclaimer: code taken and adapted from: get value from external webpage (php or java)
I have the following code to retrieve the next value I want from a web page:
<?php
// Read the whole file.
$lines = file('https://projecteuler.net/progress');
// Go through every line ..
while ($line = array_shift($lines)) {
    // Stop when you find the label we're looking for.
    // NOTE: The word 'Solved' only exists on the web page when you are logged into an account.
    if (strpos($line, 'Solved') !== false) break;
}
// The next line has your value on it.
$line = array_shift($lines);
// Print the first word on the line.
$values = explode(' ', $line);
echo $values[0];
?>
What this Code Actually Does
This code will go to the web page https://projecteuler.net/progress as it states. However, since this web page can be accessed without logging into the account, it will retrieve the values from that web page, instead of the web page that is accessed from logging in.
Essentially, there are two /progress pages - one for when you login, and one for when you are not logged in.
I want to be able to access the /progress page for when you are logged into your account. I have tried:
Things I've tried
I tried to use the information at this link:
Reading information from a password protected site
With no success.
How might I do this?
The Project Euler website has a CAPTCHA on the login page. Possible ways to bypass this are well documented across the internet if you care to search, however the owner of the website clearly does not want automated access and, legal issues aside, we are generally disinclined to help you go against the wishes of the site's owners.
If you want to have your browser dump some data, when you are manually logged in, you might want to look into GreaseMonkey scripts.

How to avoid a login bypass in my webpage by entering URL

I am trying to set up a secure web page at home. I created a login page with HTML and PHP, and it actually works when a user tries http://example.com. However I noticed that if a user enters the URL http://example.com/documents.html (where documents.html is a page in my website) they get access to the page contents without logging in first.
I have been looking for a solution for several weeks without success. I’ve tried to use the .htaccess capabilities of Apache without success, (get same results as above). So if someone could lead me on how to avoid this, that would be great.
This question is very broad. There are many possible solutions. It is going to be very hard to give a best answer.
My personal choice would be to remove HTML pages from the public area of the website and then create a PHP page which checks for permissions based on the requested page. If that is OK, then the PHP page would read the non public HTML page and simply echo out the contents.
This will secure the HTML pages without the need to rename them or alter them in any way. This is often times better because there is usually a reason that you have HTML pages instead of PHP pages. If they are being generated somewhere else it could be very difficult to keep those changes updated too. It will also allow you a chance to add to or modify the output in code before you display it.
One PHP file could be made per HTML page or you could use one PHP file for all pages and use a request variable to choose which HTML page to authorize and display. That is up to you.
As a bonus, this type of system can also be used for any other type of file you'd like to secure but still give (what seems to be) direct access to. To do that, just replace mystaticfile.html with mystaticfile.zip (or whatever) and make sure to send the correct header.
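The single-file variant described in this answer, written out as an added example (not code from the answer). It assumes that login.php sets $_SESSION['username'], that the HTML files have been moved to a private_html directory outside the web root, and that the page is called as page.php?doc=documents; the directory, file names and allowlist entries are hypothetical.

```php
<?php
// Added example: serves a non-public HTML file only after a session check.
// PRIVATE_DIR, ALLOWED_DOCS and resolve_document() are hypothetical names.
session_start();

const PRIVATE_DIR = __DIR__ . '/../private_html';
const ALLOWED_DOCS = [
    'documents' => 'documents.html',
    'reports'   => 'reports.html',
];

function resolve_document(string $requested): ?string
{
    // The request variable only selects an allowlist key; it is never
    // concatenated into a path, so "../" sequences have nothing to act on.
    if (!array_key_exists($requested, ALLOWED_DOCS)) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $path = realpath(PRIVATE_DIR . '/' . ALLOWED_DOCS[$requested]);
    // Defence in depth: the resolved file must still sit inside PRIVATE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit; // without this the file below would still be sent
}

$doc  = $_GET['doc'] ?? '';
$path = is_string($doc) ? resolve_document($doc) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: text/html; charset=utf-8');
readfile($path);
```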
For me, I added this code at the start of each webpage that should only be accessible after logging in.
<?php
session_start(); // the session must be started before $_SESSION can be read
if (isset($_SESSION["username"])) {
    // Code to run if logged in
} else {
    // This will return the user to the login page if the user is not logged in
    header("Location: login.php");
    exit; // stop here so the rest of the page is not executed
}
?>
This will protect the user-only pages even if the URL is manually typed.

Session variable disappears after Redirect

I have been fighting with this problem all day. I have read numerous SO and forum posts where so many others had this same problem, and the posts spanned years.
My problem was part of a back end system I wrote to allow very basic alterations to database data. New entries could be added, updated or deleted. Pretty standard issue stuff. For simplicity, each function (insert, update, delete) and an overall view of the database contents were on separate pages (insert.php, update.php, delete.php).
When adding a new entry, editing or deleting an existing entry, a redirect followed that would take the user back to the view.php page to show the updated data list. Problem is, the redirect wasn't working. The session variable was somehow discarded during the redirect which, due to my code, tossed the user back to the login page.
Here was my code:
if ($done || !isset($_GET['client_id'])) {
    header('Location: http://website.com/admin/view.php');
    exit;
}
Many thanks to all of you!
It checked to make sure the updated data was posted and if all was well, redirected to view.php.
But it wouldn't, and yes, my pages all started with the necessary <?php session_start(); ?>. So after hours of scouring the web, I came across a nine-year old entry in the PHP manual that I felt was worthy of sharing:
http://www.php.net/manual/en/ref.session.php#37555
In it, the poster mentions, "Be aware of the fact that absolute URLs are NOT automatically rewritten to contain the SID. "
He suggested, "Skipping the 'http:' did the job." so I removed it from my code as such:
if ($done || !isset($_GET['client_id'])) {
    header('Location: view.php');
    exit;
}
And it WORKED. This topic has been a headbanger for many of us and I wanted to share it for what it's worth.
HOWEVER, I also do have a question, and that is, what would the proper procedure be to allow an absolute URL to be written that did contain the SID?
DO NOT pass the session ID in from the URL.
http://en.wikipedia.org/wiki/Session_fixation
Use cookies. You can perform a best-effort same-origin check on the session ID given to you by storing the creator's IP address for example. Cookies are harder to tamper with than a simple URL. If they "disappear" then that means your user cleared their cookies and does not want you to track their session anymore.
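What this answer recommends, as an added example (not code from the thread): the session ID is accepted from a cookie only, the creating address is stored as a best-effort origin check, and the ID is rotated at login. It assumes the site is served over HTTPS; the function names, the created_ip key and /admin/login.php are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes HTTPS; 'created_ip' and the
// function names are hypothetical.
function start_cookie_only_session(): void
{
    session_start([
        'use_only_cookies' => 1,   // never accept a session ID from the URL
        'use_trans_sid'    => 0,   // never rewrite links to carry the SID
        'use_strict_mode'  => 1,   // reject IDs the server did not issue
        'cookie_httponly'  => 1,
        'cookie_secure'    => 1,
        'cookie_samesite'  => 'Lax',
    ]);

    // Best-effort origin check: remember the address that created the session.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['created_ip'])) {
        $_SESSION['created_ip'] = $ip;
    } elseif (!hash_equals($_SESSION['created_ip'], $ip)) {
        $_SESSION = [];               // drop the state created by the other address
        session_regenerate_id(true);  // and issue a fresh ID
        $_SESSION['created_ip'] = $ip;
    }
}

function mark_logged_in(string $username): void
{
    session_regenerate_id(true); // a pre-login ID must not survive the login
    $_SESSION['username'] = $username;
}

start_cookie_only_session();
if (!isset($_SESSION['username'])) {
    header('Location: /admin/login.php'); // host-relative: same host, same cookie
    exit;
}
```

The IP comparison logs out users whose address changes mid-session (mobile networks, some proxies), which is why the answer calls it best-effort.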

php auth sending specific users to a specific page

First off, this is the third question I've asked and all have been answered well! So thanks to everybody who reads my posts (and others I guess)
I've gotten as far as I can without complete help on this one. I need to create a username and password section. I've done this before using htaccess, htauth files. Works well. Secure, and logs them in fine. What I'm looking for though is some sort of script that will take a specific user to a specific page after login.
User1= user1.php
user2= user2.php
Etc.
Is this possible without a whole lot of work? I can make workarounds where the users login to the main index, then go where they need to, but then anyone logged in can go to anyone's page.
I'm not asking anyone to write the code. But even some guidance to some tutorials would be great!
If the page is authenticated using .htaccess, upon successful login the username is available as $_SERVER['PHP_AUTH_USER'].
So you can either redirect the user using Location, or even better, directly include() the desired file.
You can place the user1.php, user2.php, ... files in a directory of their own, with a .htaccess that disallows direct access. This won't stop PHP from being able to include the files, and this way only the authenticated user can have access to his file.
if (isset($_SERVER['PHP_AUTH_USER']))
{
    $pvdir = './user_private_files/';
    // "basename" in case we log in little Jack Folders (Bobby Tables's cousin)
    $user = basename(strtolower($_SERVER['PHP_AUTH_USER']));
    $file = $pvdir.$user.'.php';
    if (file_exists($file))
    {
        include $pvdir."any_common_code_at_the_beginning_of_user_files.php";
        include $file;
        include $pvdir."any_common_code_at_the_end_of_user_files.php";
        exit();
    }
    include 'ugly_error.php'; // no private page exists for this user
}
htauth is .. old :D
Well, in any case. You can fetch the user credentials from the $_SERVER variable somewhere and switch based on that.
var_dump($_SERVER); to see which property you need.
Then use header("Location: /go/here.html"); to redirect the user.

Go back to calling website

After searching for (and testing) a way to offer a kind of go-back button I am asking that question here (maybe there is an easy solution).
I have a description about orienteering on my website (5 pages): http://www.uhebeisen.net/o-def/o-definition_ge.php
There are many websites from abroad having a link to these pages. Now I'd like to get their URL if a websurfer is entering my pages. Then I can place a go-back button in my navigation list that brings him back to the page from where he clicked the link to my description pages.
I've seen solutions using javascript:history.go(-1) or $_SERVER['HTTP_REFERER'] with PHP but problem is that a websurfer can move around my pages and if finishing his reading from any page should be provided with his (calling) URL, e.g. the one of his University.
So I need to catch his URL and store it in a safe place until he decides to leave. And if he returns to the starting page while surfing on my pages his URL shouldn't be overwritten.
Since I do not program - just copy&paste and try to understand what happens. Any suggestion on how this can be done is welcome.
thank you George, that one worked
I wasn't aware to place the session_start at the very beginning of the file that's why I get the two warnings.
While testing this function I found that the session variables were not always cleared by the browser. Especially with Firefox, it keeps the calling URL almost forever (WinXP, FF 5.x) whereas Firefox 5 on the Mac, Safari (Mac) and Camino (Mac) work as expected: after restarting the program I can test successfully with another website.
Does Firefox have different setting possibilities in regard of sessions than other browsers?
You should store $_SERVER['HTTP_REFERER'] in the user's session upon arrival. Using this method, the value won't be overwritten when the user browses within your site.
session_start();
if ( !isset( $_SESSION['referrer'] ) ) {
    if ( !empty( $_SERVER['HTTP_REFERER'] ) ) { // Because not all browsers set this
        $_SESSION['referrer'] = $_SERVER['HTTP_REFERER'];
    }
}
One way to do it would be to store somewhere (perhaps in a cookie or session, which is easy to do with your PHP page) the page they're coming from, but only if that page is not on your website's domain. This would require some if-statements to set the cookie/session value appropriately, but it can be done relatively easily using particular parts of the referrer variable. There is probably a more efficient way to store this, but this is one that jumps to mind right away.
EDIT: I highly recommend George's solution, much better way to do this.
Have you tried using a session?
session_start();
if( !isset($_SESSION['refer']) )
{
    // Not every request carries a Referer header, so fall back to null.
    $_SESSION['refer'] = $_SERVER['HTTP_REFERER'] ?? null;
}
then, once you're ready to make the button, set the link to $_SESSION['refer'].
In my past projects I usually store the redirect URL following this process:
1. Search for a query string parameter url (www.yoursite.com/?redirect_url=my_encoded_url).
2. If the search at point 1 doesn't return any results, then I check for the HTTP_REFERER.
3. In both cases, I store that value in a SESSION variable after verifying that the URL belongs to my site's domain.
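The Referer header is supplied by the client, so the stored value needs checking before it is written into a link. The following added example (not code from any of the answers) combines the session approach above with the "only if that page is not on your website's domain" condition; OWN_HOST is taken from the URL in the question and safe_return_url() is a hypothetical helper.

```php
<?php
// Added example (not from the thread). OWN_HOST comes from the URL in the
// question; safe_return_url() is a hypothetical helper.
session_start();

const OWN_HOST = 'www.uhebeisen.net';

function safe_return_url(?string $candidate): ?string
{
    if ($candidate === null || $candidate === '' || strlen($candidate) > 2048) {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative or malformed value
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects javascript:, data: and similar schemes
    }
    if (strcasecmp($parts['host'], OWN_HOST) === 0) {
        return null; // internal navigation must not overwrite the calling site
    }
    return $candidate;
}

// Store the calling site once, on arrival.
if (!isset($_SESSION['referrer'])) {
    $url = safe_return_url($_SERVER['HTTP_REFERER'] ?? null);
    if ($url !== null) {
        $_SESSION['referrer'] = $url;
    }
}

// Render the button; escaping keeps the value from breaking out of the attribute.
if (isset($_SESSION['referrer'])) {
    $href = htmlspecialchars($_SESSION['referrer'], ENT_QUOTES, 'UTF-8');
    echo '<a href="' . $href . '" rel="noopener noreferrer">Back to the calling site</a>';
}
```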
