Posted: Wed Jan 18, 2006 3:41 am
by joshm
timvw wrote: Now here is what I would have done:
Code:
/*
if(strtolower(md5($_SERVER['SERVER_ADDR']))!='d8c068d81fd577ee1ed71222f87c4953')
{
    echo "You are not AUTHORIZED to view this page.";
    //Header("Location:index.php");
    exit;
}
*/
Might even consider to completely delete those lines.
Yeah, I tried that initially, but other parts of the site require that hash.
Directory Problem
Posted: Wed Jan 18, 2006 3:58 am
by joshm
OK, since you guys were such a huge help with that problem maybe you could help me out with this next one. The way the company built the site, my index page is inside a user directory, along with pretty much all the files that go with it and a lot of other stuff. The only way to access the index page from a user standpoint is to type in the exact URL of the directory, for example http://www.xxx.com/user/. I have tried to move the index page out of the user directory and do a find/replace to make sure the files find everything correctly. I even changed the base file to look for the index in the site directory. All I get are error messages when trying to access the page. I ended up having to create a splash page (which I hate having, by the way) then send a link to the correct directory. This is not what we want to do. I have added an image of the directories for anyone who needs a visual like I usually do.

Posted: Wed Jan 18, 2006 4:21 am
by raghavan20
Post error messages please and tell us your directory structure. Where do you have your index file now?
Posted: Wed Jan 18, 2006 4:35 am
by joshm
The index file is in the user directory and the error message is something like error error at http://......../base.php on line 35.
Here is my code for the base.php:
Code:
<?php
ob_start();
session_start();
foreach( $HTTP_GET_VARS as $key => $value )
{
    if(strstr($key,"sess") == $key)
    {
        $key = substr($key,4);
        session_register($key);
        $HTTP_SESSION_VARS[$key] = $value;
    }
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])
{
    $fp = fopen("../site_images/product_images/debugbas.txt","wt");
    $path = $_SERVER['REQUEST_URI'];
    $path = strstr(substr($path,1),"/");
    if($_SERVER['REQUEST_URI'] == $_SERVER['PHP_SELF'])
        $path = $path . "?param=1";
    while (list ($key, $val) = each ($HTTP_SESSION_VARS))
    {
        $path .= "&sess" . $key . "=" . urlencode($val);
    }
    fwrite($fp,"Location: http://xxxxx.com" . $path);
    fclose($fp);
    header("Location: http://xxxxx.com" . $path);
    exit();
}
//Modified @ 10th October
//Modified by Abdul Samad
//Get All Site Settings
include_once('../sources/html.php');
$html = new Html();
include_once('../sources/gpc_filter.php');
$gpc = new GPCFilter();
?>
<BASE id='mainbase' href='http://xxxx.com/user/'>
<SCRIPT>
function GetBase()
{
    var bas;
    bas = document.getElementById('mainbase');
    return (bas.href);
}
</SCRIPT>
But I'm not getting the error message now because the index file is in the user directory. But we want people to be able to just type in our .com name and be able to go to the site without a splash page, and without the need to type in the user directory name.
Posted: Wed Jan 18, 2006 4:48 am
by raghavan20
If you want to move it out of user directory then you have to change the path in all files where you are calling the index.html from.
The easiest solution would be to create an index.html file outside the users directory and offer a redirection to this index.html in user directory.
Posted: Wed Jan 18, 2006 5:38 am
by Jenk
The best solution for redirects is to configure Apache (or whichever web server) to issue a 301 (Moved Permanently) to the new location - SEO don't like meta/header redirects and thus will damage your SEO rating.
Code:
# First argument must be a URL path; match only the site root to avoid a redirect loop
RedirectMatch 301 ^/$ http://www.yoursite.com/user/
Re: Sessioncheck
Posted: Wed Jan 18, 2006 8:21 am
by shiflett
joshm wrote: We had a website built for us, and got screwed so I am left to figure things out on my own.
Sorry to hear that. Just for fun, I reversed that MD5:
82.165.130.142
What they're trying to do is make sure this code only works when it is running on a server with that IP. I agree with timvw - just remove it:
Code:
<?php
session_start();
if (!isset($_SESSION['sesadmin']))
{
    include './index.php';
    exit;
}
?>
Of course, I understand your hesitation to remove a lot of code without knowing exactly what's going on, so replacing the hash seems fine for now. Just keep this limitation in the back of your mind - if your IP ever changes for any reason, you'll need to do the same replacements.
As for your second question, can you clarify whether the http://www.xxx.com domain is hosting more than one web site? If it isn't, you can do one of the following:
1. Move everything up one directory.
2. Make your document root the user directory.
We can help with details about how to take either of these approaches. I would prefer this over any redirecting, because your URLs won't have that unnecessary user directory in them. Jenk's right about the SEO stuff, but hopefully this is a new site, so your URL structure isn't known. It's rarely a good idea to break links, but we can also help with ways to get around that, too. :-)
Hope that helps.
Posted: Wed Jan 18, 2006 8:30 am
by Jenk
Reversed or brute-forced the MD5?
Posted: Wed Jan 18, 2006 8:41 am
by shiflett
Jenk wrote: Reversed or brute-forced the MD5?
I brute forced it.
I was trying to refrain from using any lingo, and I was misleading instead. My apologies. :-)
If you're at all curious, I wrote this little script last night, and my answer was waiting for me this morning:
Code:
<?php
$counter = 0;
for ($one = 1; $one < 255; $one++)
{
    for ($two = 1; $two < 255; $two++)
    {
        for ($three = 1; $three < 255; $three++)
        {
            for ($four = 1; $four < 255; $four++)
            {
                $counter++;
                if ($counter % 100000 == 0)
                {
                    echo "$counter IPs tried.\n";
                }
                if (md5("$one.$two.$three.$four") == 'd8c068d81fd577ee1ed71222f87c4953')
                {
                    echo "Original is $one.$two.$three.$four.\n";
                    exit;
                }
            }
        }
    }
}
?>
I didn't time it, so I have no idea how long it took. Here are the last five lines of output:
Code:
1337600000 IPs tried.
1337700000 IPs tried.
1337800000 IPs tried.
1337900000 IPs tried.
Original is 82.165.130.142.
I bet there are more efficient ways to brute force this, and skipping both 0 and 255 for each octet may not have been a safe bet.
Posted: Wed Jan 18, 2006 10:13 am
by AGISB
It's funny that it doesn't matter what hash you use if the originating data is known or at least can be pinpointed.
That's why you normally include a secret passphrase to such hashes

Posted: Wed Jan 18, 2006 10:15 am
by raghavan20
I do not think there is really a necessity to md5 the ip address. You just want to make sure that the requests are from the valid server, it does not really make any difference if you hash it or not. If you hash it, you make it unreadable, but to whom...developers...they already know it....
Posted: Wed Jan 18, 2006 11:08 am
by shiflett
AGISB wrote: It's funny that it doesn't matter what hash you use if the originating data is known or at least can be pinpointed.
That's why you normally include a secret passphrase to such hashes
Very true, but that wouldn't have helped in this case. Since we have the code that's doing the comparison, it doesn't matter what the code does. We just need to reproduce it.
raghavan20 wrote: I do not think there is really a necessity to md5 the ip address. You just want to make sure that the requests are from the valid server, it does not really make any difference if you hash it or not.
It's true that there is very little value in what was done. I think it's just a weak attempt to write code for a client that the client cannot run without making some slight modifications. The MD5 hash is slightly less obvious than an IP address.
This is a tactic frequently debated among PHP developers, and I've heard both sides of the story plenty of times. Often, PHP developers get screwed by clients when they don't have solid contracts in place. Imagine completing a project for a client (with whom you felt you had a strong relationship) in an environment where the client has access to your code. Now, imagine that the client takes the code when you're done, uses it, but never pays you for your work. This is, sadly, a very common situation.
There are both legal and technical protections against such an event. Everyone agrees that the legal protections are most important, but some opt to also use some technical protections (because that's an area where they feel more comfortable, they never want to resort to suing someone for payment, etc.).
At the risk of getting too off-topic, I'll stop here. :-) If anyone wants to discuss and/or debate this further, please point me to the appropriate place, because I'm interested (and have some experience, since I run a PHP consultancy).
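The exchange above about hashing an IP address with and without a secret, as an added example that is not part of the original thread: it compares an unkeyed MD5 of an address with an HMAC of the same address. The address, the key, the /24 search range and the helper name findPreimage are constructed for the illustration, and PHP 7.4+ on a 64-bit build is assumed.

```php
<?php
// Added illustration; every value below is constructed for the demo.
$serverIp = '192.0.2.77';            // address from the 192.0.2.0/24 documentation range
$secret   = 'constructed-demo-key';  // hypothetical key, assumed stored outside the code

$plainDigest = md5($serverIp);                           // unkeyed, like the check in the thread
$keyedDigest = hash_hmac('sha256', $serverIp, $secret);  // "secret passphrase" variant

/**
 * Hypothetical helper: hash every address from $first to $last with $digestFn
 * and return the one matching $target, or null if none does.
 * Assumes 64-bit PHP, where ip2long() returns a non-negative integer.
 */
function findPreimage(string $first, string $last, string $target, callable $digestFn): ?string
{
    for ($n = ip2long($first), $end = ip2long($last); $n <= $end; $n++) {
        $candidate = long2ip($n);   // covers .0 and .255 octets as well
        if (hash_equals($target, $digestFn($candidate))) {
            return $candidate;
        }
    }
    return null;
}

$cases = [
    // 1. Unkeyed MD5: the input space (at most 2^32 addresses) is the only barrier.
    'md5, no key'           => [$plainDigest, fn(string $ip): string => md5($ip)],
    // 2. HMAC, key not available to whoever holds the digest.
    'hmac, key unknown'     => [$keyedDigest, fn(string $ip): string => hash_hmac('sha256', $ip, 'wrong-guess')],
    // 3. HMAC, key readable in the shipped source: enumeration works again.
    'hmac, key in the code' => [$keyedDigest, fn(string $ip): string => hash_hmac('sha256', $ip, $secret)],
];

foreach ($cases as $label => [$target, $digestFn]) {
    $found = findPreimage('192.0.2.0', '192.0.2.255', $target, $digestFn);
    printf("%-22s %s\n", $label, $found ?? 'no match in range');
}
```

Only the second case resists the search, and only while the key stays out of the code that performs the comparison.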
Posted: Wed Jan 18, 2006 2:00 pm
by timvw
shiflett wrote:
Often, PHP developers get screwed by clients when they don't have solid contracts in place. Imagine completing a project for a client (with whom you felt you had a strong relationship) in an environment where the client has access to your code. Now, imagine that the client takes the code when you're done, uses it, but never pays you for your work. This is, sadly, a very common situation.
That is exactly the reason why I didn't answer the OP question right on. As soon as others suggested to modify the md5 checksum there was no point in remaining silent.
shiflett wrote:
There are both legal and technical protections against such an event. Everyone agrees that the legal protections are most important, but some opt to also use some technical protections (because that's an area where they feel more comfortable, they never want to resort to suing someone for payment, etc.).
I believe odds are quite high that such an employer would simply take the existing code to a new coder and try to play the same trick on him. That's why I advise to be extra careful when they show up with already existing code. How did they acquire it? What happened with the original developer? ...
shiflett wrote:
At the risk of getting too off-topic, I'll stop here.

If anyone wants to discuss and/or debate this further, please point me to the appropriate place, because I'm interested (and have some experience, since I run a PHP consultancy).
I've got the feeling this has a better place in the business forum, but one of the mods will beam us as soon as they think the same

all of the above
Posted: Wed Jan 18, 2006 10:35 pm
by joshm
In response to just about everyone's conversation about why PHP developers do that: In our case I can tell you exactly why they did that. We have a small project and a huge project. The small project which was recently completed cost us around $6,000, and the larger project was quoted us at around $130,000. We told the company that we were looking for a company that could handle the larger project, and that if they did a good job on the smaller one they would get the larger one. Needless to say they were pretty much depending on the larger project, and they just assumed that we would be hosting our site with them. When we told them we were not hosting with them about 5/8ths through the project they were mad. They had never asked us who we were planning on hosting with they just assumed. After our last payment was made they started to drag their feet (this is after they gave us a time guarantee). Time went on and on. Finally we just said give us what you have now, and we will see you in court. So, basically that's where we are now. And it's been a pain in my butt. I'm good with computers, I'm a Computer animation Major, but I'm no coder. I can deal with html, but past that I get lost. But again thanks to everyone for all the help. I think we might just have to hire someone to deal with the directory issue. Thanks again.
Posted: Thu Jan 19, 2006 12:53 am
by josh
shiflett wrote: I didn't time it, so I have no idea how long it took. Here are the last five lines of output:
You could have at least cut the time in half that it took by not using double quotes (your script is about the only code I've ever seen where it would really make that big of a difference, heh).
I was also going to say an even faster way would be to PM the OP, and get the domain of his original site and ping it, but it probably didn't even have a domain anyways.