Hide or prevent a page, a folder from users

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

morris520
Forum Commoner
Posts: 60
Joined: Thu Sep 18, 2008 8:56 pm
Location: Manchester UK

Hide or prevent a page, a folder from users

Post by morris520 »

Hi

I ran into a problem I could not solve and want to put it here, though it is not very PHP-related.

I have a folder on my server called ../a/,
and in the folder there are view.php, update.php and delete.php.

The update and delete pages actually make changes to the database, so I want to find a way to prevent users from accessing them.

But if users know the actual address, like http://www.example.com/a/update.php, and key it in, they can still access the page and the code still runs. So, any hints on how to achieve that?

Also, they can access the folder "a" to have a look at what files are stored there. Then they can click a file to access it. This makes my site easy to hack.

So can anyone help me?
Many thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide or prevent a page, a folder from users

Post by kaisellgren »

Make a session based system where a valid login is needed to execute those operations.
aibanez
Forum Newbie
Posts: 4
Joined: Wed Jan 14, 2009 4:29 pm

Re: Hide or prevent a page, a folder from users

Post by aibanez »

Could you resolve your problem?

I have the same problem, and I think that the session-based system is not the solution... What if I want to make the system/site available to anyone, but I need to protect the individual execution of some scripts?
Of course the user needs to know the names of the scripts and their location, but this may happen.

Cheers!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide or prevent a page, a folder from users

Post by kaisellgren »

aibanez wrote: Could you resolve your problem?

I have the same problem, and I think that the session-based system is not the solution... What if I want to make the system/site available to anyone, but I need to protect the individual execution of some scripts?
Of course the user needs to know the names of the scripts and their location, but this may happen.

Cheers!
Theoretically it's always possible to find out the files if they are within the document root. Just protect them with a password and use sessions so that the user does not need to type the password constantly.
morris520
Forum Commoner
Posts: 60
Joined: Thu Sep 18, 2008 8:56 pm
Location: Manchester UK

Re: Hide or prevent a page, a folder from users

Post by morris520 »

kaisellgren wrote:
aibanez wrote: Could you resolve your problem?

I have the same problem, and I think that the session-based system is not the solution... What if I want to make the system/site available to anyone, but I need to protect the individual execution of some scripts?
Of course the user needs to know the names of the scripts and their location, but this may happen.

Cheers!
Theoretically it's always possible to find out the files if they are within the document root. Just protect them with a password and use sessions so that the user does not need to type the password constantly.

I guess Kai will suggest this code?

Code:

<?php
session_start();

if (!isset($_SESSION['admin'])) // if the user is not admin
{
    header('Location: index.php');  // redirect to the index page
}

Is this a problem when it is a file to be included? This works, and users can't actually get the page, like what happens when sending forms. Any other approach?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Hide or prevent a page, a folder from users

Post by Mordred »

This is a good approach, use it.
After the header('Location: ...') line put an exit(), or the rest of the script will continue executing...
aibanez
Forum Newbie
Posts: 4
Joined: Wed Jan 14, 2009 4:29 pm

Re: Hide or prevent a page, a folder from users

Post by aibanez »

I think that this is a good approach too.
Just in case... I used to create an index.php in the different directories, so when a user types http://www.example.com/a/ into the browser, the blank index.php is displayed and the content of the directory is not displayed.
What do you think?
I'm a very beginner at PHP.... :wink:
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide or prevent a page, a folder from users

Post by kaisellgren »

aibanez wrote: I think that this is a good approach too.
Just in case... I used to create an index.php in the different directories, so when a user types http://www.example.com/a/ into the browser, the blank index.php is displayed and the content of the directory is not displayed.
What do you think?
I'm a very beginner at PHP.... :wink:
Well, it's the only proper approach if you cannot put the files outside the public root directory. Of course the classic "enter password" is sufficient, but I doubt you want to retype the password each time -- so you need to create a system that is somewhat similar to PHP's built-in session system -- or use the built-in session system, which is recommended for beginners.

If the files under /a/ are protected properly, it does not matter whether you have an index.php file or not. If the attacker accesses /a/ he gets nothing, according to your case. Now the attacker knows the folder exists, since it gives him nothing instead of a 404 error. You could of course copy the very same 404 error your server generates and put it inside the index.php, thus making the cracker unaware of the folder's existence. However, if you are writing a script that is going to be run on different servers (an open script available to download), then you can't know how the 404 error pages look. I've been trying to get around this without success; I've tried to read Apache's default 404 files and use PHP to output those, but there is a lot of trial and error and it is not really worth it.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide or prevent a page, a folder from users

Post by kaisellgren »

morris520 wrote: I guess Kai will suggest this code?

Code:

<?php
session_start();

if (!isset($_SESSION['admin'])) // if the user is not admin
{
    header('Location: index.php');  // redirect to the index page
}

Is this a problem when it is a file to be included? This works, and users can't actually get the page, like what happens when sending forms. Any other approach?
Yes Kai suggests that approach. :)

But be aware that the code alone is not safe -- just the approach itself is. Put exit() after header() like Mordred said, and also search for Session Hijacking, Session Fixation and CSRF to further protect yourself.
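The guard Kai and Mordred describe, written out as an added example (not code from the thread): exit after the redirect, cookie flags and id rotation against session hijacking and fixation, and a per-session CSRF token that update.php and delete.php require on POST. It assumes a separate login script sets $_SESSION['admin'] after checking the password; auth_guard.php and the 5-minute rotation interval are placeholders.

```php
<?php
// auth_guard.php: require_once this at the top of update.php and delete.php.
// Added example, not code from the thread. Assumes a separate login script
// sets $_SESSION['admin'] = true after a successful password check (and
// calls session_regenerate_id(true) right after that login).

// Cookie flags first, then start the session (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,                                                   // JS cannot read the id
    'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off', // TLS only when TLS is used
    'samesite' => 'Lax',                                                  // not sent on cross-site POST
]);
session_start();

// 1. Authentication. exit is essential: header() only queues a response header;
//    without it the database code below would still run for anonymous visitors.
if (empty($_SESSION['admin'])) {
    header('Location: index.php');
    exit;
}

// 2. Session fixation: rotate the id every 5 minutes so a fixed or leaked id
//    has a short life.
if (empty($_SESSION['last_regen']) || time() - $_SESSION['last_regen'] > 300) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = time();
}

// 3. CSRF: the form page embeds csrf_token() in a hidden field; the processing
//    pages accept only a POST whose token matches the copy kept in the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// update.php and delete.php call this before running any query.
function require_post_with_csrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_POST['csrf'])
        || !hash_equals(csrf_token(), (string) $_POST['csrf'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

The form page includes the guard and prints `<input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">`; update.php and delete.php include it and call require_post_with_csrf() before touching the database.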
aibanez
Forum Newbie
Posts: 4
Joined: Wed Jan 14, 2009 4:29 pm

Re: Hide or prevent a page, a folder from users

Post by aibanez »

Sorry for the basic doubts, but I'm not a programmer or computer science professional. I have tried the code if(!isset($_SESSION['admin'])) ... etc. placed in the scripts that I want to protect. For example, my site has an s.php file that I don't want to be executed directly, but my index.php "calls" the s.php file when the user navigates "normally"; putting the "protecting" code in the s.php file, the user is always redirected to index.php.

My site does not need user authentication.

Can anybody help with some examples to achieve what I need?

Thank you in advance
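One way to keep a helper like s.php from running on a direct request without any login, as an added example that is not from the thread: keep it outside the document root and include it from index.php, and, where hosting forces it to stay under the document root, let index.php define a marker that s.php checks. Two files are shown in one block; the paths and the s_render() function are placeholders.

```php
<?php
// ===== file: public/index.php (document root) =====
// The one file users request directly. Added example, not code from the thread.
// Assumed layout (placeholder paths):
//   /var/www/site/public/index.php   <- document root
//   /var/www/site/private/s.php      <- outside the document root
// No session or password is involved: the protection is that s.php has no URL.
define('IN_APP', true);                 // marker only an included file can see
require __DIR__ . '/../private/s.php';  // PHP reads it by path; the web server never serves it
echo s_render();

// ===== file: private/s.php =====
// Work that index.php "calls" but that must never run on a direct request.
// The guard is the fallback for hosting where the file cannot leave the
// document root: it answers like a missing file (the 404 behaviour Kai
// mentions) instead of revealing that s.php exists.
if (!defined('IN_APP')) {
    http_response_code(404);
    exit;
}

function s_render(): string
{
    // ... the real work (database update, page fragment) goes here ...
    return '<p>rendered by s.php</p>';
}
```

Directory listing of /a/ is better switched off in the server configuration (Apache: Options -Indexes) than masked with a blank index.php, and every script that has to stay under the document root gets the same guard.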
morris520
Forum Commoner
Posts: 60
Joined: Thu Sep 18, 2008 8:56 pm
Location: Manchester UK

Re: Hide or prevent a page, a folder from users

Post by morris520 »

aibanez wrote: Sorry for the basic doubts, but I'm not a programmer or computer science professional. I have tried the code if(!isset($_SESSION['admin'])) ... etc. placed in the scripts that I want to protect. For example, my site has an s.php file that I don't want to be executed directly, but my index.php "calls" the s.php file when the user navigates "normally"; putting the "protecting" code in the s.php file, the user is always redirected to index.php.

My site does not need user authentication.

Can anybody help with some examples to achieve what I need?

Thank you in advance
Maybe the only and easiest way to do it is to hide the actual location from users. I just found out you can put an index.php/html/asp in your folder to prevent users from seeing your whole directory.

Then you need to deal with your form pages. Hide the processing page like update.php, maybe adding some md5 to the tail to become update.php?sdrjlxjclf42dfg, so users can never guess the real address.

I've got the same problem as you. I don't actually need a username and password to use the SESSION approach. So I figured out this. Hope that helps.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide or prevent a page, a folder from users

Post by kaisellgren »

aibanez wrote: Sorry for the basic doubts, but I'm not a programmer or computer science professional. I have tried the code if(!isset($_SESSION['admin'])) ... etc. placed in the scripts that I want to protect. For example, my site has an s.php file that I don't want to be executed directly, but my index.php "calls" the s.php file when the user navigates "normally"; putting the "protecting" code in the s.php file, the user is always redirected to index.php.

My site does not need user authentication.
Why on earth are you using $_SESSION if you do not need user authentication?
morris520 wrote: Maybe the only and easiest way to do it is to hide the actual location from users. I just found out you can put an index.php/html/asp in your folder to prevent users from seeing your whole directory.

Then you need to deal with your form pages. Hide the processing page like update.php, maybe adding some md5 to the tail to become update.php?sdrjlxjclf42dfg, so users can never guess the real address.

I've got the same problem as you. I don't actually need a username and password to use the SESSION approach. So I figured out this. Hope that helps.
Index.php will "remove" the directory index if the server is configured to do so, which most likely is the case.

So you do not require any passwords to run the actions of your forms; I guess the form is then a public form like a registration form, login form, etc.? If so, why do you need to hide the file the form data is sent to? If you have a form, then an attacker always knows the file the form is sent to. Obviously.

I do not understand what you both are trying to achieve. Maybe you could give us a "real life" explanation of your website, like what files you have and what they do.