optimizepress is a wordpress plugin. I own a copy and use it and am wondering how they use the licensing to secure the product.
I would like to consider this for securing my own php script if it's viable.
Here's what they do to secure their product:
On there server where you download the script you have to enter your domain url in a text box to license the plugin for that url.
They have 2 textboxs to enter your domains in: 1. if it's first time licensing sites 2. adding more sites to your account
Then you click a submit button and a serial code is sent back
After you install the plugin in wordpress, you must goto the settings area where it asks you to enter the serial code for verification otherwise you can't use the script
How is this done? Could this be used with my php script I'll be distributing?
thanks for your thoughts
I'm not specifically familier with this script however it is very possible it is a script using cURL, the serial number will be used to authenticate your account for verification to access your account.
Next it will most likely pull the URL the script is being run from and verify that the URL is listed on your account.
From there if the URL is not listed it will probably send a fail command killing the script, if the URL is listed it will authenticate.
If it is listed then the script will check the status of the license and either run or kill the script.
There is a division in using this type of model whereby some developers believe if there is no response from the auth server then the script should assume it is allowed to run to not interrupt the user experience, others believe if the auth server doesn't reply its very possible it could be an unauthorised usage so they kill the activity.
There are other technologies available to do the same thing and depending on your application this may not be suitable, just have a look at various licensing models.
As a note, for this style of distribution you may want to use a PHP encoder such as ionCube so the script cannot be hacked to bypass authentication.
In addition when writing a script to use an API, I also recommend having the user assign the IP address, this way the first query to the API for auth is am I allowed to talk to this server. This provides a lot of protection to your API script that will then move on to verify the license is valid or not.
I hope this will be helpful for you.
Related
I recently delivered a website to a client and he claims that he can access database and database tables using "Python and SQLMap binaries" tools on his server. Same website copy is set on my development server and he cannot access database of tables using same tools.
So, is this any server setting which is stopping him ? If yes then what setting we have to do to stop hackers access database using this tool?
SQLmap and other vulnerabilities scanners kind of crawls the website and uses forms to make requests to the server to see the vulnerabilities. One way to fix this is to create a dummy login/signup form that has the body display set to none and has no links connected on the website. That means any normal user will not see it but a crawler will. Now anytime a crawler submits the form, you log the crawler's IP address to a log file and let Fail2ban block them
I have main PHP website and a Redmine app. When a user logged in to my website, new tab will pop-up and open the Redmine and login using the username and password that the user entered on the main website. Or if it is not possible to auto login from my main website to Redmine, is it possible to just have a default value on the username field and password field from the ones that the user also inputted on the main website?
I'm still noob on configuring Redmine and Ruby on Rails, so please bear with me :(
Edit: The main website and the Redmine website will be a system for our group only so I think security will not be a major issue. Also they won't be going online and will be operating through the intranet only.
You asked:
is it possible to modify redmine login page? To have it get variables on url? So I can just open a new window like this: redmine/login?user=user&pass=pass.
Hopefully not. If Redmine is built well (and I'd be reasonably sure it is) then it will only accept user credentials in a post operation, so as to avoid passwords being recorded via the URL in browsers, proxy servers and web servers. It would be poor security practice to attempt to log on this way, or for Redmine to permit you to do so.
One of the approaches I was suggesting in my earlier comment was for your PHP application to become a proxy for Redmine operations. There's two sub-categories here:
Use a programmatic browser component to carry out form operations in Redmine by visiting pages, clicking buttons, submitting forms etc. This is the "screen scraper" approach, but can be quite reliable since presumably Redmine does not change its HTML layout very often. Thus, the cookies you would normally have in your browser would be stored on the server instead.
Use an API built into Redmine. I guess there's not one as standard, but I found this one. I've not used it, so you'd need to test its suitability.
In either approach, you would not use Redmine directly at all: you would build the Redmine features you need into your PHP application, using forms to accept relevant user input, and rendering to the screen the output your server has received from Redmine.
This would work, but bear in mind that it's not a trivial project, either in terms of its size or complexity. If you are after a simpler alternative, then the browser password store is an option, but it won't log users on automatically, nor automatically discover the username you are logged on as in your PHP application.
I have written a utility that requires an installation key for uninstallation to ensure that only authorized users are uninstalling. After logging in to our website, the user will be presented with a uninstallation key, but then I would like to also launch the uninstallation wizard on the clients computer. I know this is possible, as I've done it before... just don't remember the code, nor did I save it.
Thanks in advance for any input.
PHP runs on the server-side and has no control over the client whatsoever. Neither can you use JavaScript to launch applications due to security reasons.
The only way you could do this is by using an ActiveX control or some kind of custom browser plugin. Or, if your uninstall wizard has registered some protocol handler on the client (say myuninstall://) then you could use JavaScript to redirect the user to a URL of this protocol, which will in turn then launch your program.
Assuming Windows, you could tell your installer to register a custom URL protocol with a custom scheme for uninstallation. Then your php app could present a link using the custom URL scheme (uninstall-my-product://12345678-ABCD).
Users without your uninstaller would see an "i don't know what to do with this protocol" message. Users who had installed your product would launch the uninstall program.
You could accomplish a similar function by delivering a file type which was registered to open the uninstall program.
If you're using a commercial installation program, then in both cases it would probably be easier to write a little launcher application to run the uninstaller, rather than modifying the uninstaller itself.
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done ?
Alternatively, how can I protect this script so that it can only be called from a specific page or script?
Also how can I hide the exact URI from appearing on the address bar?
Thanks !
If you are running Apache for your webserver, you can protect it with a username/password combo using .htaccess. It takes a little configuration if your server is not already configured to allow .htaccess. Here are the Apache docs.
If you need authentication based on application-specific factors, you can put something at the top of your script like
<?php
if(!$user->isLoggedIn()) {
// do 404
header('HTTP/1.0 404 Not Found');
}
Do you have a question about how you would implement isLoggedIn?
You can also use mod_rewrite to rewrite URIs, and those directives can go inside your .htaccess as well. mod_rewrite can rewrite incoming requests transparently (from the browser's perspective) so a request for /foo/bar can be translated into secret_script.php/foo/bar. Docs for mod_rewrite.
However you decide to implement this, I would urge you to not rely solely on the fact that your script's name is obscure as a means to secure your application. At the very least, use .htaccess with some per-user authentication, and consider having your application authenticate users as well.
As Jesse says, it's possible to restrict your script to logged in users. There are a large number of questions on this already. Search for PHP authentication.
However, it is not possible to restrict it to a single application. It is fairly simple to use a program like Wireshark to see exactly how the program logs in and makes request. At that point, they can reproduce its behavior manually or in their own application.
There are a variety of different ways that you could go about securing a script. All have pluses and minuses, and its likely that the correct answer for your situation will be a combination of several.
Like mentioned, you could lock down the account with Apache...it's a good start. Similarly, you could build a powerful 'salt-ed' security system such as this: http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/ If you use SSL as well, you're essentially getting yourself security like banks use on their websites--not perfect, but certainly not easy to break into.
But there are other ideas to consider too. Park your script in a class file that sits inaccessible via direct URI, then do calls to the various functions from an intermediary view script. Not perfect, but it does limit the ways that someone could directly access the file. Consider adding a "qualifier" to the URL via a simple get--have the script check for the qualifier or fail....again, not a great solution on its own, but one additional layer to dissuade the bad guys. If you have control of who's getting access (know exactly which networks) you could even go so far as to limit the IP's or the http referers that are allowed to access the file. Consider setting and checking cookies, with a clear expiration. Don't forget to set your robots file so the browsers don't stumble upon the script your trying to protect.
A while back my company did a membership app using Delphi on the front end, talking to php and MySql on the backend....it was a bit clunky given that we were all web application developers. If you're so inclined, perhaps Adobe Flex might be an option. But ultimately, you'll have to open a door that the application could talk to, and if someone was determined, theoretically they could dig through your app to find the credentials and use them to gain instant access to the site. If you're going the desktop app route, perhaps its time to consider having the app avoid talking to an intermediary script and do its work on the local machine, communicating the db that sits remote.
you can use deny access on .htaccess on a folder with a php authentification that will redirect to those php file
I am currently working on 2 web servers, One Coldfusion and the other PHP.
Right now, the Coldfusion server is my main server where users log in to access restricted data.
However, I have also begun using a PHP server and want to make it transparent for users to access a specific page on that server - that server requires log in information as well.
I do not want the users to log in twice.
Is there a way to accomplish this ?
Thx
UPDATE: Working in an Intranet environment, so I can't use any public solution.
UPDATE: Reason I am asking for this is because we are moving from a MSQL / Coldfusion environment (Initial server) to a PHP / ORACLE (new server). So I have 2 user tables as well (although they contain mostly the same information).
I am trying to faze out the use of our initial server in favor of our new server transparently to the user and thus I have to work in parallel for the time being.
Most single-sign-on solutions work a bit like this...
Main system authenticates use
User opts initiates a need to move to system 2
Main system authenticates the user with system 2 in the background
System 2 supplies a random, long and disposable token to Main system
Main system redirects the user, with the token, to system 2
System 2 checks the token (and other factors such as IP address) to validate the session
System 2 disposes of the token to ensure it can't be replayed
You would want to ensure that the transmission channels had some security on, especially where Main system and system 2 are talking to each other. You would want that to be a secure transport.
Store sessions in a database, and share them between the two apps.
You could use xml-rpc to get user data and log the user into the other site when they have a login cookie for the first one and vice versa.
Php manual page for XML-rpc
Here is what I have done, in running my own game server, had users on sql server, and on mysql, and wanted to integrate them both.
I made sure that if a user was created on 1 system, was also created on the other.
So you can modify code in both applications, to automatically create a user in other system if it is created on here.
Depending if both servers share a domain, can you do cross-domain sessions or cookies...But my best guess is to store and retreive data...
Or..
as a person logins/registers record their current ip address, on both servers, then check if this person was on the other server within 2-5 minutes, if so, use the ip address to identify them....
This system is tricky because timing is important, so your not leaving a huge hole in your security....But for short term, going between servers, this is simplest solution, in my own opinion.
Good Luck.
If you are on an intranet, you can actually sniff out the network username of the user from the PC they are logged into the network on using PHP. This assumes that:
You are using IIS to host your PHP application.
Your users are using Windows.
Check the section "2.2 Enabling Support for Detecting Usernames" here.
After that, all you need to do is investigate if the same is possible from Coldfusion, and you have the basis of an SSO solution based on the network usernames.
How about implementing an OpenID solution, much like the one apparent on StackOverflow?
You may benefit from dropping a shared object on the client machine via Flash or Flex. This object could then be read from ColdFusion/PHP/Python on servers that otherwise had no connection to each other or access to a common database.
Here is a simple example from the Adobe Docs
Maintain local persistence. This is
the simplest way to use a shared
object, and does not require Flash
Media Server. For example, you can
call SharedObject.getLocal() to create
a shared object in an application,
such as a calculator with memory. When
the user closes the calculator, Flash
Player saves the last value in a
shared object on the user's computer.
The next time the calculator is run,
it contains the values it had
previously. Alternatively, if you set
the shared object's properties to null
before the calculator application is
closed, the next time the application
runs, it opens without any values.
Another example of maintaining local
persistence is tracking user
preferences or other data for a
complex website, such as a record of
which articles a user read on a news
site. Tracking this information allows
you to display articles that have
already been read differently from
new, unread articles. Storing this
information on the user's computer
reduces server load.
Full Information: http://livedocs.adobe.com/flex/3/langref/flash/net/SharedObject.html