Sessioncheck

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


joshm
Forum Newbie
Posts: 15
Joined: Fri Jan 06, 2006 12:25 am
Location: Columbus, Ohio

Post by joshm »

timvw wrote: Now here is what I would have done:


/*
   if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
    {    
        echo "You are not AUTHORIZED to view this page.";
        //Header("Location:index.php");
         exit;
    } 
*/
Might even consider deleting those lines completely.
Yeah, I tried that initially, but other parts of the site require that hash.
joshm
Forum Newbie
Posts: 15
Joined: Fri Jan 06, 2006 12:25 am
Location: Columbus, Ohio

Directory Problem

Post by joshm »

OK, since you guys were such a huge help with that problem, maybe you could help me out with this next one. The way the company built the site, my index page is inside a user directory, along with pretty much all the files that go with it and a lot of other stuff. The only way to access the index page from a user standpoint is to type in the exact URL of the directory, for example http://www.xxx.com/user/. I have tried to move the index page out of the user directory and do a find/replace to make sure the files find everything correctly. I even changed the base file to look for the index in the site directory. All I get are error messages when trying to access the page. I ended up having to create a splash page (which I hate having, by the way) and then send a link to the correct directory. This is not what we want to do. I have added an image of the directories for anyone who needs a visual, like I usually do.
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

Post the error messages, please, and tell us your directory structure. Where do you have your index file now?
joshm
Forum Newbie
Posts: 15
Joined: Fri Jan 06, 2006 12:25 am
Location: Columbus, Ohio

Post by joshm »

The index file is in the user directory, and the error message is something like "error error at http://......../base.php on line 35".
Here is my code for base.php:


<?php
ob_start();
session_start();
foreach( $HTTP_GET_VARS as $key => $value )
{
	if(strstr($key,"sess") == $key)
	{
		$key = substr($key,4);
		session_register($key);
		$HTTP_SESSION_VARS[$key] = $value;
	}
}
	
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
	$fp = fopen("../site_images/product_images/debugbas.txt","wt");
	$path = $_SERVER['REQUEST_URI'];
	$path = strstr(substr($path,1),"/");
	if($_SERVER['REQUEST_URI'] == $_SERVER['PHP_SELF'])
		$path = $path . "?param=1";
	while (list ($key, $val) = each ($HTTP_SESSION_VARS)) 
	{
    	$path .= "&sess" . $key . "=" . urlencode($val);
	}
	fwrite($fp,"Location: http://xxxxx.com" . $path);
	fclose($fp);
	header("Location: http://xxxxx.com" . $path);
	exit();
}

//Modified @ 10th October
//Modified by Abdul Samad
//Get All Site Settings
include_once('../sources/html.php');
$html = new Html();

include_once('../sources/gpc_filter.php');
$gpc = new GPCFilter();

?>
<BASE id='mainbase' href='http://xxxx.com/user/'>
<SCRIPT>
function GetBase()
{
   var bas;
   bas = document.getElementById('mainbase');
   return (bas.href);
}
</SCRIPT>
But I'm not getting the error message now because the index file is in the user directory. What we want is for people to be able to just type in our .com name and go to the site without a splash page, and without having to type in the user directory name.
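The base.php above does two things worth noting on a secure-coding forum: the foreach loop writes every query parameter whose name starts with sess into the session, and on HTTPS requests it serialises the entire session into a plain-http Location header (and into a debug file). Either way, session state ends up in URLs, which land in browser history, proxy and server logs and Referer headers. The following is an added example, not the thread's code, showing the same bootstrap with the session kept in a cookie only and HTTP upgraded to HTTPS rather than the reverse. The host name, the environment checks and the admin flag name are assumptions.

```php
<?php
// Added example (not the thread's code): a base.php-style bootstrap that never
// accepts session state from the request and never writes it into a URL.

// Assumed host name; the thread masks the real one as xxxxx.com.
const SITE_HOST = 'www.example.com';

// Carry the session id in a cookie only: not in URLs, not readable by page
// scripts, and only over HTTPS.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

/**
 * True when the request arrived over TLS. A function, so it can be exercised
 * with a constructed $_SERVER array instead of a live request.
 */
function request_is_https(array $server): bool
{
    return isset($server['HTTPS']) && $server['HTTPS'] !== '' && $server['HTTPS'] !== 'off';
}

/**
 * Redirect target that upgrades a plain-HTTP request to HTTPS, or null when no
 * redirect is needed. Only the local path is carried over; the session stays in
 * its cookie, so nothing secret reaches the Location header or the access log.
 */
function https_upgrade_url(array $server): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    $path = $server['REQUEST_URI'] ?? '/';
    // Accept only a local absolute path, so the redirect cannot be pointed elsewhere.
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//')) {
        $path = '/';
    }
    return 'https://' . SITE_HOST . $path;
}

if (PHP_SAPI !== 'cli') {
    $target = https_upgrade_url($_SERVER);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }

    session_start();

    // The original loop copied sess* query parameters into $_SESSION. Here session
    // values are written only by server-side code, e.g. after a successful login:
    //   $_SESSION['sesadmin'] = true;   // flag name taken from the check quoted later in this thread
    // Nothing from $_GET, $_POST or $_COOKIE is copied into the session.
}
```

The two functions are pure so the redirect logic can be checked against constructed $_SERVER arrays; request_is_https() treats the literal string "off" as not-HTTPS because some servers set HTTPS to that value on plain requests rather than leaving it unset.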
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

If you want to move it out of the user directory, then you have to change the path in all the files that reference index.html.

The easiest solution would be to create an index.html file outside the user directory and have it redirect to the index.html in the user directory.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

The best solution for redirects is to configure Apache (or whichever web server) to issue a 301 (Moved Permanently) to the new location. Search engines don't like meta/header redirects, and thus they will damage your SEO rating.


# match "/" only: a plain Redirect matches by prefix and would redirect /user/ again
RedirectMatch 301 ^/$ http://www.yoursite.com/user/
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Sessioncheck

Post by shiflett »

joshm wrote:We had a website built for us, and got screwed so I am left to figure things out on my own.
Sorry to hear that. Just for fun, I reversed that MD5:

82.165.130.142

What they're trying to do is make sure this code only works when it is running on a server with that IP. I agree with timvw - just remove it:


<?php

session_start();

if (!isset($_SESSION['sesadmin']))
{
    include './index.php';
    exit;
}

?>
Of course, I understand your hesitation to remove a lot of code without knowing exactly what's going on, so replacing the hash seems fine for now. Just keep this limitation in the back of your mind - if your IP ever changes for any reason, you'll need to do the same replacements.

As for your second question, can you clarify whether the http://www.xxx.com domain is hosting more than one web site? If it isn't, you can do one of the following:

1. Move everything up one directory.
2. Make your document root the user directory.

We can help with details about how to take either of these approaches. I would prefer this over any redirecting, because your URLs won't have that unnecessary user directory in them. Jenk's right about the SEO stuff, but hopefully this is a new site, so your URL structure isn't known. It's rarely a good idea to break links, but we can also help with ways to get around that, too. :-)

Hope that helps.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Reversed or brute-forced the MD5?
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Jenk wrote:Reversed or brute-forced the MD5?
I brute forced it.

I was trying to refrain from using any lingo, and I was misleading instead. My apologies. :-)

If you're at all curious, I wrote this little script last night, and my answer was waiting for me this morning:


<?php

$counter = 0;

for ($one = 1; $one < 255; $one++)
{
    for ($two = 1; $two < 255; $two++)
    {
        for ($three = 1; $three < 255; $three++)
        {
            for ($four = 1; $four < 255; $four++)
            {
                $counter++;

                if ($counter % 100000 == 0)
                {
                    echo "$counter IPs tried.\n";
                }

                if (md5("$one.$two.$three.$four") == 'd8c068d81fd577ee1ed71222f87c4953')
                {
                    echo "Original is $one.$two.$three.$four.\n";
                    exit;
                }
            }
        }
    }
}

?>
I didn't time it, so I have no idea how long it took. Here are the last five lines of output:


1337600000 IPs tried.
1337700000 IPs tried.
1337800000 IPs tried.
1337900000 IPs tried.
Original is 82.165.130.142.
I bet there are more efficient ways to brute force this, and skipping both 0 and 255 for each octet may not have been a safe bet.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

It's funny that it doesn't matter what hash you use if the originating data is known or at least can be pinpointed.

That's why you normally include a secret passphrase in such hashes ;)
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

I do not think there is really a necessity to md5 the ip address. You just want to make sure that the requests are from the valid server, it does not really make any difference if you hash it or not. If you hash it, you make it unreadable, but to whom...developers...they already know it....
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

AGISB wrote: It's funny that it doesn't matter what hash you use if the originating data is known or at least can be pinpointed.

That's why you normally include a secret passphrase in such hashes
Very true, but that wouldn't have helped in this case. Since we have the code that's doing the comparison, it doesn't matter what the code does. We just need to reproduce it.
raghavan20 wrote:I do not think there is really a necessity to md5 the ip address. You just want to make sure that the requests are from the valid server, it does not really make any difference if you hash it or not.
It's true that there is very little value in what was done. I think it's just a weak attempt to write code for a client that the client cannot run without making some slight modifications. The MD5 hash is slightly less obvious than an IP address.

This is a tactic frequently debated among PHP developers, and I've heard both sides of the story plenty of times. Often, PHP developers get screwed by clients when they don't have solid contracts in place. Imagine completing a project for a client (with whom you felt you had a strong relationship) in an environment where the client has access to your code. Now, imagine that the client takes the code when you're done, uses it, but never pays you for your work. This is, sadly, a very common situation.

There are both legal and technical protections against such an event. Everyone agrees that the legal protections are most important, but some opt to also use some technical protections (because that's an area where they feel more comfortable, they never want to resort to suing someone for payment, etc.).

At the risk of getting too off-topic, I'll stop here. :-) If anyone wants to discuss and/or debate this further, please point me to the appropriate place, because I'm interested (and have some experience, since I run a PHP consultancy).
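To put AGISB's and shiflett's points side by side in code: the check in the thread hashes a value drawn from a space of at most 2^32 dotted quads, so the hash function is irrelevant and the input can be recovered by enumeration, while a keyed hash only helps if the key is not shipped with the code that does the comparison. The block below is an added example, not the thread's code or the vendor's. The MD5 tag and the address are the ones quoted in the thread; the environment variable name SITE_BIND_KEY and the fallback secret are assumptions.

```php
<?php
// Added example (not the thread's code). Contrasts the unkeyed MD5-of-address check
// from the thread with a keyed check whose secret is read from the environment.

// Tag and address as quoted in the thread: md5('82.165.130.142') is this value.
const THREAD_MD5_TAG = 'd8c068d81fd577ee1ed71222f87c4953';

/** The check as written in the original code: an unkeyed hash of the server address. */
function unkeyed_server_check(string $server_addr, string $expected_md5): bool
{
    return hash_equals($expected_md5, md5($server_addr));
}

/**
 * Upper bound on the inputs an unkeyed hash of a dotted-quad address can have.
 * Whatever the hash function, anyone who knows the input format needs at most this
 * many evaluations, which is why the thread's script finished overnight.
 */
function ipv4_candidate_count(): int
{
    return 256 ** 4;   // 4294967296
}

/**
 * Keyed variant: the tag depends on a secret that is not in the source tree.
 * $secret is expected from the environment (assumed variable SITE_BIND_KEY), so the
 * tag cannot be regenerated by someone who holds only the code.
 */
function keyed_server_tag(string $server_addr, string $secret): string
{
    return hash_hmac('sha256', $server_addr, $secret);
}

function keyed_server_check(string $server_addr, string $expected_tag, string $secret): bool
{
    // Constant-time comparison, so timing does not reveal how much of the tag matched.
    return hash_equals($expected_tag, keyed_server_tag($server_addr, $secret));
}

// --- demonstration with the thread's values and a constructed secret ------------
$ip     = '82.165.130.142';                                           // recovered in the thread
$secret = getenv('SITE_BIND_KEY') ?: 'constructed-demo-secret-only';  // assumed env var

printf("unkeyed check passes:            %s\n", unkeyed_server_check($ip, THREAD_MD5_TAG) ? 'yes' : 'no');
printf("candidates to try without a key: %d\n", ipv4_candidate_count());

$tag = keyed_server_tag($ip, $secret);
printf("keyed check, right key:          %s\n", keyed_server_check($ip, $tag, $secret) ? 'yes' : 'no');
printf("keyed check, wrong key:          %s\n", keyed_server_check($ip, $tag, 'some-other-secret') ? 'yes' : 'no');

// As shiflett notes, a key stored next to the comparison code adds nothing: whoever
// has the code can regenerate the tag. The key has to live outside the deliverable.
```

If the only goal is a sanity check that the code runs on the intended host, raghavan20's point stands: compare against the plain address in a config file, because hashing adds no secrecy here. The keyed form is the right shape for any value you actually need to keep out of the source, and hash_equals is worth using in both variants.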
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

shiflett wrote: Often, PHP developers get screwed by clients when they don't have solid contracts in place. Imagine completing a project for a client (with whom you felt you had a strong relationship) in an environment where the client has access to your code. Now, imagine that the client takes the code when you're done, uses it, but never pays you for your work. This is, sadly, a very common situation.
That is exactly the reason why I didn't answer the OP's question right away. As soon as others suggested modifying the md5 checksum there was no point in remaining silent.
shiflett wrote: There are both legal and technical protections against such an event. Everyone agrees that the legal protections are most important, but some opt to also use some technical protections (because that's an area where they feel more comfortable, they never want to resort to suing someone for payment, etc.).
I believe the odds are quite high that such an employer would simply take the existing code to a new coder and try to play the same trick on him. That's why I advise being extra careful when they show up with already existing code. How did they acquire it? What happened with the original developer? ...

shiflett wrote: At the risk of getting too off-topic, I'll stop here. :-) If anyone wants to discuss and/or debate this further, please point me to the appropriate place, because I'm interested (and have some experience, since I run a PHP consultancy).
I've got the feeling this has a better place in the business forum, but one of the mods will beam us as soon as they think the same ;)
joshm
Forum Newbie
Posts: 15
Joined: Fri Jan 06, 2006 12:25 am
Location: Columbus, Ohio

all of the above

Post by joshm »

In response to just about everyone's conversation about why PHP developers do that: in our case I can tell you exactly why they did it. We have a small project and a huge project. The small project, which was recently completed, cost us around $6,000, and the larger project was quoted to us at around $130,000. We told the company that we were looking for a company that could handle the larger project, and that if they did a good job on the smaller one they would get the larger one. Needless to say, they were pretty much depending on the larger project, and they just assumed that we would be hosting our site with them. When we told them we were not hosting with them, about 5/8ths of the way through the project, they were mad. They had never asked us who we were planning on hosting with; they just assumed. After our last payment was made they started to drag their feet (this is after they gave us a time guarantee). Time went on and on. Finally we just said give us what you have now, and we will see you in court. So, basically, that's where we are now. And it's been a pain in my butt. I'm good with computers, I'm a Computer Animation major, but I'm no coder. I can deal with HTML, but past that I get lost. But again, thanks to everyone for all the help. I think we might just have to hire someone to deal with the directory issue. Thanks again.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

shiflett wrote:I didn't time it, so I have no idea how long it took. Here are the last five lines of output:
You could have at least cut the time in half that it took by not using double quotes ( your script is about the only code I've ever seen where it would really make that big of a difference, heh)

I was also going to say an even faster way would be to PM the OP, and get the domain of his original site and ping it, but it probably didn't even have a domain anyways.