Hide pages from users and search engines

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Hide pages from users and search engines

Post by sebaro »

Hi

My site is just a php file, index.php.
The site pages are made using GET, ?action=page.

Code:

// Read the requested action; null when the parameter is absent
$action = isset($_GET['action']) ? $_GET['action'] : null;
if ($action !== null) {
    if ($action == 'admin') {
        admin('admin');
    }
...
function admin($page) {
    if ($page == 'admin') {
        echo "<form action='?action=admin' method='post'>";
...

I don't want 'mysite.com/?action=admin' to be seen by users and search engines.
Users can't see it unless they guess that page, but search engines found it (live.com).
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Hide pages from users and search engines

Post by jaoudestudios »

Use an HTML meta tag to stop bots indexing that page.
sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Re: Hide pages from users and search engines

Post by sebaro »

My site is only a file/page: index.php
so the meta tags are for the entire site.

To browse the site, users use
mysite.com/index.php?action=showpage1
mysite.com/index.php?action=showpage2
etc
which only change the page content, not a whole html page

Code:

<html>
<head></head>
<body>
mysite.com/index.php?action=showpage1
mysite.com/index.php?action=showpage2
<?php
// Read the requested action; null when the parameter is absent
$content = isset($_GET['action']) ? $_GET['action'] : null;
if ($content == "showpage1") {
   echo "page1";
}
...
?>
</body>
</html>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide pages from users and search engines

Post by kaisellgren »

Search engines are just like visitors. They make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form and use an unguessable name for the page.
sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Re: Hide pages from users and search engines

Post by sebaro »

kaisellgren wrote: Search engines are just like visitors. They make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form and use an unguessable name for the page.
The admin page is in a form action.

mysite.com/?action=admin contains the form:

<form action=mysite.com/?action=admin>
</form>

but this form is shown only when opening the admin link

so how did live.com find it?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide pages from users and search engines

Post by kaisellgren »

sebaro wrote:
kaisellgren wrote: Search engines are just like visitors. They make an HTTP request and get a response. If you want to hide the page, make sure you never output your secret page name in any form and use an unguessable name for the page.
The admin page is in a form action.

mysite.com/?action=admin contains the form:

<form action=mysite.com/?action=admin>
</form>

but this form is shown only when opening the admin link

so how did live.com find it?
You output it somewhere. There is some place you did not find, because the search engine bot crawls your page and reads the entire contents you output. If you have the admin page outputted anywhere, it's being taken by the bot.

Often people have a file robots.txt and place disallow admin/ or something like that to prevent bots from indexing them. That's kind of stupid in my opinion since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is I type site.com/robots.txt :) -- of course I only crack my friends' websites and companies' websites and that is because they always ask me to :twisted:
sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Re: Hide pages from users and search engines

Post by sebaro »

kaisellgren wrote: Often people have a file robots.txt and place disallow admin/ or something like that to prevent bots from indexing them. That's kind of stupid in my opinion since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is I type site.com/robots.txt :) -- of course I only crack my friends' websites and companies' websites and that is because they always ask me to :twisted:
That's why I don't use robots.txt to prevent indexing.
kaisellgren wrote: If you have the admin page outputted anywhere it's being taken by the bot.
The admin page/link is not outputted anywhere, only on the admin page
mysite.com/?action=admin. So you have to know this link, or have access to the php source code to see it.
When I built the sitemap using an online sitemap creator, it didn't find my admin link/page.
But live.com somehow did.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide pages from users and search engines

Post by kaisellgren »

sebaro wrote:
kaisellgren wrote: Often people have a file robots.txt and place disallow admin/ or something like that to prevent bots from indexing them. That's kind of stupid in my opinion since this way you reveal the actual location of your admin control panel. When I crack someone's website, the very first thing I do is I type site.com/robots.txt :) -- of course I only crack my friends' websites and companies' websites and that is because they always ask me to :twisted:
That's why I don't use robots.txt to prevent indexing.
kaisellgren wrote: If you have the admin page outputted anywhere it's being taken by the bot.
The admin page/link is not outputted anywhere, only on the admin page
mysite.com/?action=admin. So you have to know this link, or have access to the php source code to see it.
When I built the sitemap using an online sitemap creator, it didn't find my admin link/page.
But live.com somehow did.
Maybe it does not reveal it anymore, but it used to. Other than that, I can't really point out anything since I do not even have your script.
sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Re: Hide pages from users and search engines

Post by sebaro »

kaisellgren wrote: Maybe it does not reveal it anymore, but it used to. Other than that, I can't really point out anything since I do not even have your script.
OK, Thanks.

My script is simple, like this:

Code:

<html>
<head></head>
<body>
<?php

function content($cont) {
    if ($cont == "viewpage1") {
        echo "page1";
    }
    elseif ($cont == "viewpage2") {
        echo "page2";
    }
    // ...
}

function admin($page) {
    if ($page == "admin_users") {
        // Avoid an undefined-index notice when the form has not been posted yet
        $postuser = isset($_POST['user']) ? $_POST['user'] : null;
        $query = "";  // query text omitted in the post
        $result = mysql_query($query);
        echo "<form action='?action=admin_users' method='post'>";
        // ...
        echo "</form>";
    }
    if ($page == "admin_comments") {
        $postcomm = isset($_POST['comm']) ? $_POST['comm'] : null;
        $query = "";  // query text omitted in the post
        $result = mysql_query($query);
        echo "<form action='?action=admin_comments' method='post'>";
        // ...
        echo "</form>";
    }
}

// Read the requested action; null when the parameter is absent
$action = isset($_GET['action']) ? $_GET['action'] : null;
if ($action !== null) {
    if ($action == 'admin_users') {
        admin('admin_users');      // must match the name checked inside admin()
    }
    elseif ($action == 'admin_comments') {
        admin('admin_comments');   // must match the name checked inside admin()
    }
    elseif ($action == 'viewpage1') {
        content('viewpage1');
    }
    elseif ($action == 'viewpage2') {
        content('viewpage2');
    }
    // ...
}
?>
</body>
</html>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide pages from users and search engines

Post by kaisellgren »

You should have protection that prevents third parties from getting into your admin system. Hiding it alone is not considered safe.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Re: Hide pages from users and search engines

Post by Burrito »

Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.
sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Re: Hide pages from users and search engines

Post by sebaro »

kaisellgren wrote: You should have protection that prevents third parties from getting into your admin system. Hiding it alone is not considered safe.
Of course, the admin page is password protected.
sebaro
Forum Newbie
Posts: 7
Joined: Sat Jan 17, 2009 2:34 am

Re: Hide pages from users and search engines

Post by sebaro »

Burrito wrote: Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.
The admin page asks for admin user & password.
But I don't want users or search engines to know this page.
I think it is safer.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide pages from users and search engines

Post by kaisellgren »

sebaro wrote:
Burrito wrote: Just redirect from your admin page if users aren't logged in. A bot will follow the redirect just like a regular user browsing your site.
The admin page asks for admin user & password.
But I don't want users or search engines to know this page.
I think it is safer.
Make your site safe, do not try to hide it. Many vulnerabilities will give the information (location) to the attacker.
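
An added example (not code from any poster in the thread) applying the replies above to the single-file index.php layout: admin actions send a per-response noindex directive instead of a robots.txt entry, and requests without an admin session are redirected before any admin markup is output. The `$_SESSION['is_admin']` flag and the login handler that sets it are assumptions; the action names are the ones from the posted script.

```php
<?php
// Added example, not code from the thread. Assumption: a login handler elsewhere
// sets $_SESSION['is_admin'] = true after verifying the admin password.
session_start();

$publicActions = array('viewpage1', 'viewpage2');
$adminActions  = array('admin_users', 'admin_comments');

$action = (isset($_GET['action']) && is_string($_GET['action'])) ? $_GET['action'] : 'viewpage1';
$robots = 'index, follow';

if (in_array($action, $adminActions, true)) {
    // Per-response crawler directive: the admin URL never appears in robots.txt.
    header('X-Robots-Tag: noindex, nofollow');
    $robots = 'noindex, nofollow';
    if (empty($_SESSION['is_admin'])) {
        // Visitors and bots that are not logged in are redirected
        // before any admin markup is produced.
        header('Location: index.php', true, 302);
        exit;
    }
} elseif (!in_array($action, $publicActions, true)) {
    // Unknown action: answer 404 instead of rendering an empty page.
    http_response_code(404);
    $robots = 'noindex';
}
?>
<html>
<head><meta name="robots" content="<?php echo htmlspecialchars($robots); ?>"></head>
<body>
<?php
if (in_array($action, $adminActions, true)) {
    // Only reached with a valid admin session.
    echo "<form action='?action=" . htmlspecialchars($action, ENT_QUOTES) . "' method='post'>";
    echo "</form>";
} elseif ($action === 'viewpage1') {
    echo "page1";
} elseif ($action === 'viewpage2') {
    echo "page2";
} else {
    echo "Not found";
}
?>
</body>
</html>
```

Because the robots meta tag is computed per request, the single index.php can mark admin responses noindex while the public pages stay indexable.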