Good day all,
I have a folder called documents in my site root, this is password protected by a .htpasswd file, but it is allowed to be accessed by a script to view.
how would I allow a script to be able to download the file without accessing it directly from the directory?
I'll give an example to explain the situation.
on my home page I display the picture test.jpg, this image is in the documents folder that is protected. The image displays correctly on the home page.
If type in the address bar www.domain.com/documents/test.jpg it does not display or downloads, but asks for a password.(this I want, but don’t want people to type in a password for each file they want to download)
Is there a way that I can make php or JavaScript download the document without ever having to prompt for a password? Other words bypass the .htaccess rule?
thanx in advance
I've retagged adding PHP and Javascript. There is nothing stopping you writing a remapper PHP script which is outside the documents folder and therefore accessible without Apache authentication. This could issue a readfile() to send the file (see the document example and user contributions for a more detailed explanation. Since this is a server-side script, it will have direct access to the protected directory.
Of course you might want to implement some form of access control, say appending a request parameter check which is based on the md5 of the filename plus a shared secret. This would be easy to compute in the calling script. However, once you move such access negotiation to a client-side script you need to accept that this could be retro-engineered and exploited by any experienced hacker.
As a footnote, if you want to allow users to download your images, why are locating them in an access controlled directory. Why not just move them out of this directory?
As Barry said, the .htaccess is processed before any PHP is, so bypassing it is not an option. You will have to either change the .htaccess configuration or write a remapper PHP script.
I suggest changing the .htaccess configuration to allow direct download links but deny directory listing. This will allow people to download direct links such as http://www.example.com/documents/some-file-name.ext without being prompted for a password, but they will have to know the link ahead of time - they won't be able to view the /documents/ folder to see everything in there.
You can do this by commenting out or removing the Auth directives:
#AuthUserFile /path/to/.htpassword
#AuthName "Name"
#AuthType Basic
#Require Valid-User
And adding a directive to block directory listing:
Options -Indexes
Related
I have an SPA that uses AJAX calls to assemble content from multiple PHP files. I can add the following into the main application's config file to be able to redirect users that are not logged in back to the login page as long as they tried going through the portal to look at stuff.
// Verify Login to access this resource
if($_SESSION["loggedIn"] != true) {
echo ('resource denied <script>window.location.href = "https://'.$_SERVER['SERVER_NAME'].'/login.php";</script> ');
exit();
}
The problem comes in that there are tons of views, models, controllers, and third party widgets that can still be accessed directly if you simply tried scanning the site for common file architures.
Is there a way to use something like an htaccess or php.ini file to automatically append this login check to all of the php files in a directory so that I don't have to paste this into each and every page?
Baring that, is there a way to set my chmod settings to only allow indirect access to those files such that php scripts running on the server can use them, but they can not be directly visited? Thanks.
[EDIT]
Moving files outside of my public folder did not work because it broke the AJAX.
I also tried auto_prepend_file in an htaccess file, but this resulted in a 500 error. I am using a VPS that apparently won't let me do an AllowOverride All in my Apache pre_virtualhost_global.conf; otherwise, I think that would have been the right way to do this.
Setting the CHMOD settings of my resource folders to 0750 appear to be allowing the AJAX commands to execute without allowing direct access to the files. If anyone knows of any other security caveats to be aware of when doing this let me know. Thanks.
I have been reading about where to securely save a PHP file that has my mysql database connection password. I understand from the forums that it should be saved in a folder above the webroot. I have a cloud server from a hosting company.I have access to root
The path to the public files is as follows:-
/var/www/vhosts/mydomain.co.uk/httpdocs/afile.php
Say I have a PHP file (containing my password) called sqlpassfile.php
Would the following be okay as a place to securely store it? ie in a new folder called Newfolder after vhosts??
/var/www/vhosts/NEWFOLDER/sqlpassfile.php
Sorry for a simple question but just want to make sure its secure
Thanks
All the nowadays PHP framework you will find do, indeed store their whole code base in a level under the web root.
They do not only store informations like credentials actually, they do store all the business logic of the application outside of the web root. They will then only allow a facade file to be accessed (most of the time a index.php or app.php) that will, then, with the help of controllers, handle every request and route you to the right page/content, and, of course, all the static content the site will use (your design images, your css, your js, ...).
For example :
Zend Framework does use a public folder where you will find an index.php and all the static files
Symfony does use a web folder where you will find two files app.php and app_dev.php and again all of the static files
So in your case you could do
/var/www/vhosts/example.com/httpdocs/ is the web root of your server
/var/www/vhosts/example.com/app/ store all the php code you need
/var/www/vhosts/example.com/app/config store all your configuration file, and then maybe your credentials files which you can call sql_config.php
/var/www/vhosts/example.com/httpdocs/afile.php will require_once '../app/config/sql_config.php
Usually, People just save the database connection information in a regular PHP file, for example, Wordpress saves the connection info in it's wp-config.php. Simply because nobody is able to see your password by visiting that php page, nothing is returned.
To make it more secure, you can disable access to php file while mod_php stopped working. Try this in you .htaccess
<IfModule !mod_php5.c>
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
</IfModule>
Please also have a look at this post:
Password in file .php
Whether your method is safe depends on the configuration of the server, something that providers are not often very good at documenting.
Your first line of defence is keeping what is essentially confutation data inside a file named with a .php extension. So if it is accessible from a browser the webserver will execute the file rather than returning the data. You certainly want at least 2 levels of security on your data (each of which you have tested independently).
Considering the path you have chosen, /var/www/vhosts/NEWFOLDER/sqlpassfile.php what happens if you request http://NEWFOLDER/sqlpassfile.php from the server? (In most cases, nothing but once in while....) Generally its better practice to keep it well clear of the directories your webserver uses.
I have a webserver with Apache.
For security reasons my customer wants to access files (.jpg/.pdf/.png/.gif) in another folder.
The root layout is as follows:
backup
data
etc
htdocs
logs
tmp
In the htdocs folder the Joomla website resides. I use flexicode to add PHP code to the site.
Is there a way I can show for example a photo in .jpg from the data folder?
example. /data/werknemers/80111/pasfoto.jpg
There is a little snag. Everybody uses a pin number to log into Joomla. In this case pin 80111.
Pin 80111 is added to the users table, the field is called pin.
Is it possible to use a variable to retrieve the data? So only user 80111 can access his or her folder and not another one?
The photo is shown in a module on the website after login.
Cheers,
Steve
You'll have to write a php script in joomla (for the authorisation), and give apache access to the external folder. Then deliver your files using this script.
I'm not a Joomla user, but my first chance will be to look for some plugin to manage the uploads, I saw some plugins to manage uploads per user doing a quick google search, for example this one.
In the case that no one works for you I think the next option will be try to implement an asset proxy.
Write an script in htdocs to validate the PIN and if it is ok read the file content from the data directory and provide the output from that script.
An rewrite rule to redirect all .jpg/.pdf/.png/.gif request for that proxy will be need.
Be aware to serve the non secure content (theme images for example) as well.
Hope this help
I'm working on an installer for a project of mine and the installer will create a configuration file.
I have it working 99.99% fine, but in that file i want a check to ensure a hacking can't access it directly, and that code uses the $_SERVER super global, which in every run, gets parsed by php so it breaks the logic I'm trying to go for.
does anyone know I can get the superglobal to stay intact as it is without it parsing or should i rethink my logic and add it elsewhere?
for those who may want to see the code, here it is:
#Disable direct access.
if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__)) || !defined('accessed')){
die('<string>No Direct access is allowed for this file.</string>');
}
Assuming you are using Apache (or any .htaccess compatible server), you just have to create a .htaccess file in the folder holding your configuration file, containing the following:
<Files config.php>
deny from all
</Files>
It will prevent any access to this file through an HTTP request.
See using .htaccess files for details.
Don't use in-script or .htaccess protections - just write the file somewhere outside of the document root. If you don't want something to become available, don't make it available.
Putting it in the document root is like your bank hanging sacks of money in the front window with "do not steal" written on them.
This may be a really stupid question...I started worrying last night that there might be someway to view PHP files on a server via a browser or someother means on a client machine.
My worry is, I have an include file that contains the database username and password. If there were a way to put the address of this file in to a browser or some other system and see the code itself then it would be an issue for obvious reasons.
Is this a legitimate concern?
If so how do people go about preventing this?
Not if your server is configured right. I think discussion on how that is done belongs on serverfault.
To add on to the other answers:
If you use a file extension like .inc there's indeed a higher risk. Can you open the file directly in your browser?
The most important advice is missing:
Only the files that should be accessed by a browser, should be in a publicly accessible location. All the other code (and configuration) should be in a completely separate directory.
For example
root
- webroot
- includes
- config
Only 'webroot' is exposed by your webserver (apache). Webroot can for example contain a single index.php, along with all your assets (javascript, css, images).
Any code index.php needs to load comes from 'includes' and all the configuration from 'config'. There's no way a user could ever directly access anything from those 2 directories, provided this is done correctly.
This depends on the file extension you have given the include file.
If the extension is one that is known and executed by the web server, it will be protected. If you browse to the file, the server will try to execute the code rather than just returning it as plain text.
If the extension is not known by the web server it will serve it as plain data, so anyone (who can guess the file name) can browse to the file and see the source code.
A Directory Traversal Vulnerability can used to obtain files off of the remote mahine. Alternatively you can use MySQL based sql injection to read files using load_file(). You can also test your system with w3af's urlfuzzer which will look for "backup files", such as index.php.zip. Also make sure that all files have .php extensions, a .inc can be viewed from the public. I would also disable Apache directory listing.
Normally there should be no way to view the PHP files remotely... it would be absolutely pointless. This completely depends on what web server you are using and how it's setup though.
Having looked around I can see that it is possible to protect a directory via the .htaccess by adding these lines:
Order allow,deny
Deny from all
This apparently protects the directory so that only local non web-access is possible.
This allows me to keep my includes in a subdirectory of the main site directory which is good for organisation and it can be used on the projects where I do not have access to folders outside the web root.
Does anyone else use this method?
Just for good measure I've put the directory permissions to execute only.
And the include extension is PHP as suggested by others.