Lock Script to Domain

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


idllc
Forum Newbie
Posts: 5
Joined: Thu Dec 04, 2008 8:51 am

Lock Script to Domain

Post by idllc »

I am trying to find the code to lock a script to a domain prior to encrypting a file. Something that just verifies the script is on the correct url.
Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

Code:

$_ENV['HTTP_HOST']

Will contain the domain name.

Then compare it to the target domain name.

And encode your script with Zend Guard, for instance.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Lock Script to Domain

Post by Mordred »

No, it won't work.

1. It's $_SERVER['HTTP_HOST'], maybe in some setups you can have the http headers in ENV, but the canonical place is $_SERVER.

Also, HTTP_HOST is the contents of the Host: header as sent by the client. The correct variable to use is SERVER_NAME, which reflects the vhost name on the server.

2. The check is trivial to bypass:

Code:

//pirate.php
$_SERVER['SERVER_NAME'] = 'legitimate.host.com';
include('encrypted.php');

In reality this is a hard thing to do correctly; a better way of protection may be with a legally binding contract that prohibits re-selling of your code and/or some under-the-table (or "blackhat" if you prefer) techniques to make sure you can stop pirates.
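
An added example, not part of any post in this thread: a host check that normalises the two values Mordred distinguishes and shows where they disagree on constructed requests. The function names and sample arrays are hypothetical; the hostnames are the ones used in the thread.

```php
<?php
// Added example; function names and sample requests are constructed.

// Lower-case, drop ":port" and a trailing dot; null unless a plain DNS name.
function normalise_host(string $raw): ?string
{
    $host = rtrim(preg_replace('/:\d+$/', '', strtolower(trim($raw))), '.');
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $pattern = '/^(?=.{1,253}$)' . $label . '(?:\.' . $label . ')*$/D';
    return preg_match($pattern, $host) === 1 ? $host : null;
}

// SERVER_NAME comes from the vhost configuration (the PHP manual notes that
// under Apache 2 it reflects the client's Host header unless UseCanonicalName
// is On and ServerName is set). HTTP_HOST is always the client's Host header.
// Both are ordinary array entries: as the post above shows, code that
// includes this file can assign them first, so this validates requests and
// does not enforce a licence.
function check_host(array $server, array $allowed): array
{
    $configured = normalise_host((string) ($server['SERVER_NAME'] ?? ''));
    $claimed    = normalise_host((string) ($server['HTTP_HOST'] ?? ''));
    return [
        'server_name_ok' => $configured !== null && in_array($configured, $allowed, true),
        'host_header_ok' => $claimed !== null && in_array($claimed, $allowed, true),
        'values_agree'   => $configured !== null && $configured === $claimed,
    ];
}

$allowed = ['legitimate.host.com'];
$samples = [ // constructed $_SERVER fragments
    'licensed vhost'         => ['SERVER_NAME' => 'legitimate.host.com', 'HTTP_HOST' => 'Legitimate.Host.com:443'],
    'other vhost, same Host' => ['SERVER_NAME' => 'stolen.com', 'HTTP_HOST' => 'legitimate.host.com'],
    'SERVER_NAME empty'      => ['SERVER_NAME' => '', 'HTTP_HOST' => 'legitimate.host.com.'],
    'not a DNS name'         => ['SERVER_NAME' => 'legitimate.host.com', 'HTTP_HOST' => '[::1]:8080'],
];
foreach ($samples as $name => $server) {
    echo str_pad($name, 24), json_encode(check_host($server, $allowed)), PHP_EOL;
}
```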
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

Mordred wrote: 2. The check is trivial to bypass:

Doesn't work so well when all of the site's URLs are created from that value. LOL.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Lock Script to Domain

Post by Apollo »

If you don't mind an extra dependency on an external server of your own: in the protected script, you retrieve a (time limited) decryption key (through https) from some authentication server (or multiple servers, to keep things working when one goes down). The key is necessary to decrypt an essential part of the protected code. Your server only returns the correct key if the request is made from the allowed server / IP.

Of course the key-retrieval-and-decryption part should also be encrypted itself, with a generic method like Zend Guard. And it isn't 100% safe, it just helps.
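
The server side of the scheme Apollo describes, as an added example that is not from the thread: it releases a key only to a licensed peer address over HTTPS and attaches an expiry. The function names, the licence table and the addresses (documentation ranges) are constructed, and the expiry is only honoured by the client code that caches the key.

```php
<?php
// Added example: key-server decision logic. All names and values are constructed.
const KEY_TTL = 300; // seconds a released key may be cached by the licensed script

// Canonical text form of an IP address, or null if it is not one.
function canonical_ip(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return inet_ntop(inet_pton($ip));
}

// $server: the request's $_SERVER array. $licences: canonical peer IP => key.
function release_key(array $server, array $licences, int $now): array
{
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https === '' || $https === 'off') {
        return ['status' => 403, 'error' => 'https required'];
    }
    // REMOTE_ADDR is the TCP peer address. Host and X-Forwarded-For are
    // headers chosen by the caller, so they play no part in the decision.
    $peer = canonical_ip((string) ($server['REMOTE_ADDR'] ?? ''));
    if ($peer === null || !isset($licences[$peer])) {
        return ['status' => 403, 'error' => 'peer not licensed'];
    }
    return ['status' => 200, 'key' => $licences[$peer], 'expires' => $now + KEY_TTL];
}

// Constructed data: one licensed server, written in a non-canonical form.
$licences = [canonical_ip('2001:DB8::10') => base64_encode(random_bytes(32))];
$now = 1700000000; // fixed clock so the output is repeatable

$requests = [
    'licensed peer'          => ['HTTPS' => 'on', 'REMOTE_ADDR' => '2001:db8:0:0:0:0:0:10'],
    'other peer, same Host'  => ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7',
                                 'HTTP_HOST' => 'www.TheAllowedDomain.com'],
    'licensed peer, no TLS'  => ['HTTPS' => '', 'REMOTE_ADDR' => '2001:db8::10'],
];
foreach ($requests as $label => $server) {
    $r = release_key($server, $licences, $now);
    echo str_pad($label, 24), $r['status'], ' ', $r['error'] ?? 'expires ' . $r['expires'], PHP_EOL;
}
```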
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

Mordred wrote: The correct variable to use is SERVER_NAME, which reflects the vhost name on the server.

Doesn't work here... it's just empty. HTTP_HOST, however, will not change even if I modify my headers. Are you sure? Well, it makes sense, actually. Any HTTP_* should be modifiable. Maybe my configuration is messed up then.

Btw, the $_ENV with SERVER_NAME is portable. Worked with IIS, Apache, nginx and Lighttpd. It also works in both CGI and as an Apache handler, but $_SERVER does not always work that great. Try IIS 7.5 x64, PHP 5.2.8 x64, XCache x64 and now fire up your $_SERVER['SERVER_NAME'] and enjoy ;)
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Lock Script to Domain

Post by Apollo »

Another one which is probably less easy to overwrite, is the HTTP host header sent by the client:

Code:

$headers = apache_request_headers();
$host = $headers['Host']; // if this ain't "www.TheAllowedDomain.com", refuse to run your script
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

Apollo wrote: Another one which is probably less easy to overwrite, is the HTTP host header sent by the client:

Code:

$headers = apache_request_headers();
$host = $headers['Host']; // if this ain't "www.TheAllowedDomain.com", refuse to run your script

Since the value comes from the request, it's easy to circumvent that "protection" :P
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Lock Script to Domain

Post by Apollo »

kaisellgren wrote: Since the value comes from the request, it's easy to circumvent that "protection" :P

Sure, but that would assume visitors joining in on abusing the script on the unauthorized server, right? Or do you mean something else?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

Apollo wrote:
kaisellgren wrote: Since the value comes from the request, it's easy to circumvent that "protection" :P
Sure, but that would assume visitors joining in on abusing the script on the unauthorized server, right? Or do you mean something else?

I'm saying that if you want your script to work on a specific website (e.g. you are selling your script and the license applies to certain sites only), then the script is actually usable to a certain extent if you are able to "modify" the domain name. For example, some scripts are only one user usable, like the PHP FirewallScript.

But you are right, it does not make sense if your script is supposed to work for your visitors and they supply an invalid hostname :P

Moreover, we cannot forget that it is easy to modify those $_SERVER['SERVER_NAME'] variables. This is especially true with those open source HTTPDs.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

I wrote a script years ago and have detected numerous guys trying to defeat the copyright protection. One guy worked on it every day for about a month. They all gave up in the end. There's a lot you can do to make it a nightmare for someone. When it gets to the point where it would be easier to rewrite the entire application than crack it, I think that takes the fun out of it.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Lock Script to Domain

Post by Apollo »

astions wrote: They all gave up in the end.

You sure? Isn't it possible he actually succeeded, and stopped the script from further notifying you? ;)

Seriously, what kind of protections did you apply?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Lock Script to Domain

Post by kaisellgren »

If it would be practically possible to crack into Bill Gates's PayPal account, I wonder how many would just give up. :P

This kind of feature is a psychological protection or so-called PP. It could help in some cases, but should be only applied after you have applied a proper defense.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Lock Script to Domain

Post by Benjamin »

Tons of stuff. The entire application's code is in a single encoded file. RC4 encryption, digital signatures, the MD5 for every file is stored internally. Numerous other methods. Even if someone were to crack it, there's also remote kill.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Lock Script to Domain

Post by Mordred »

All copy protections based on http headers or server vhost names can be bypassed. If not trivially with the include method I've shown, then by installing it in a server that is an exact duplicate of the original (including vhosts etc.) and placing a reverse proxy between the server and the clients. The proxy will "translate" requests to stolen.com rewriting the relevant headers to original.com. The clients will see stolen.com working, and the server behind the proxy will think it's original.com.
Calling-home can also be disabled with a firewall.

astions, I'm very interested in your protection scheme, how will it behave in the described circumstances?