Newbie question - Hide a file
Newbie question - Hide a file
am 27.01.2008 23:17:15 von Mathieu Chavoutier
I plan to have a client-side application (not a browser) pass an encrypted
user name and password to a php file for validation, which will return an
xml string if the user is validated.
Obviously I don't want Apache to serve up that php file to any browser or
other app that asks for it. How do I prevent that from happening?
Alternatively, is there a better method to accomplish what I'm trying to do?
Re: Newbie question - Hide a file
am 28.01.2008 19:13:37 von Kees Nuyt
On Sun, 27 Jan 2008 14:17:15 -0800, "Paul Pedersen"
wrote:
> I plan to have a client-side application (not a browser) pass an encrypted
> user name and password to a php file for validation, which will return an
> xml string if the user is validated.
>
> Obviously I don't want Apache to serve up that php file to any browser or
> other app that asks for it. How do I prevent that from happening?
First off all, apache doesn't "serve up" .php if you
configure it to run the script. It just runs the php
script and the script decides what the response should be.
You can't prevent a browser or other app to try to do the
same as your app. It's apache, so your app will send a
request like:
GET /validate.php?u=encrypteduid&p=encryptedpsw HTTP/1.1
or
POST /validate.php HTTP/1.1
with the encrypted userID/password in the request header.
Any socket capable program can imitate that.
if the request is well-formed you can't prevent Apache
from triggering the .php script, regardless the client
which composed it.
Just a few possibilities:
1) You can obfuscate by using an uncommon port (not 80 or
8080).
2) You can obfuscate by sending an uncommon query string
GET /validate.php?somestring_with_encrypted_uid_and_psw
3) You can obfuscate by leaving out the .php extension and
using the trick in
http://richardlynch.blogspot.com/2006/06/php-downloads-conte nt-disposition.html
4) Your php script can refuse to answer invalid requests,
either by sending nothing or sending a 403 response and
disconnecting.
4) Require a valid client certificate.
6) A combination of 1) thru 5)
7) Of course your encryption is perfect and your script
will only send the .xml file if the userID and password
are correct, so what do you worry about?
> Alternatively, is there a better method to accomplish
> what I'm trying to do?
It will have been done before, but I don't know any
examples.
HTH
--
( Kees
)
c[_] Se cio` che dici non offende nessuno, vuol
dire che non hai detto nulla. (Oscar Wilde) (#94)
Re: Newbie question - Hide a file
am 28.01.2008 23:14:23 von Mathieu Chavoutier
Thanks for your responses. All good suggestions.
But I don't think my original question got answered.
> First off all, apache doesn't "serve up" .php if you
> configure it to run the script.
Perhaps that's what I was asking for. How?
> You can't prevent a browser or other app to try to do the
> same as your app.
I don't mind that. If the request doesn't validate, nothing significant will
be returned.
What I'm concerned about is someone being able to read the php file itself.
What's to prevent someone from, for instance, using something like
URLDownloadToFile to retrieve the file:
"http://www.mysite.com/loginvalidation.php"?
Re: Newbie question - Hide a file
am 28.01.2008 23:33:08 von William Colls
Paul Pedersen wrote:
> Thanks for your responses. All good suggestions.
>
> But I don't think my original question got answered.
>
>
>
>> First off all, apache doesn't "serve up" .php if you
>> configure it to run the script.
>
> Perhaps that's what I was asking for. How?
>
>
>
>> You can't prevent a browser or other app to try to do the
>> same as your app.
>
> I don't mind that. If the request doesn't validate, nothing significant will
> be returned.
>
> What I'm concerned about is someone being able to read the php file itself.
>
> What's to prevent someone from, for instance, using something like
> URLDownloadToFile to retrieve the file:
> "http://www.mysite.com/loginvalidation.php"?
>
php executes on the server side, and is never visible to the client. All
that is visible to the client is whatever the php file returns when it
executes.
Except if course if your security has been breached, and an intruder is
hacking your site.
Posted Via Usenet.com Premium Usenet Newsgroup Services
----------------------------------------------------------
** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
----------------------------------------------------------
http://www.usenet.com
Re: Newbie question - Hide a file
am 29.01.2008 00:19:36 von Jim Hayter
Paul Pedersen wrote:
> Thanks for your responses. All good suggestions.
>
> But I don't think my original question got answered.
>
>
>
>> First off all, apache doesn't "serve up" .php if you
>> configure it to run the script.
>
> Perhaps that's what I was asking for. How?
>
>
>
>> You can't prevent a browser or other app to try to do the
>> same as your app.
>
> I don't mind that. If the request doesn't validate, nothing significant will
> be returned.
>
> What I'm concerned about is someone being able to read the php file itself.
>
> What's to prevent someone from, for instance, using something like
> URLDownloadToFile to retrieve the file:
> "http://www.mysite.com/loginvalidation.php"?
>
You put your scripts in a directory that is outside of your DocumentRoot
and use a scriptalias directive. You should never put scripts under
your DocumentRoot.
Jim
Re: Newbie question - Hide a file
am 29.01.2008 18:11:54 von Mathieu Chavoutier
"William Colls" wrote in message
news:479E5824.2080602@procomsys.com...
>> What's to prevent someone from, for instance, using something like
>> URLDownloadToFile to retrieve the file:
>> "http://www.mysite.com/loginvalidation.php"?
>>
> php executes on the server side, and is never visible to the client. All
> that is visible to the client is whatever the php file returns when it
> executes.
>
I have used exactly that method to retrieve php files from some sites.
Re: Newbie question - Hide a file
am 29.01.2008 18:14:35 von Mathieu Chavoutier
"Jim Hayter" wrote in message
news:13psoo8lc427cc0@news.supernews.com...
>> What's to prevent someone from, for instance, using something like
>> URLDownloadToFile to retrieve the file:
>> "http://www.mysite.com/loginvalidation.php"?
>>
>
> You put your scripts in a directory that is outside of your DocumentRoot
> and use a scriptalias directive. You should never put scripts under your
> DocumentRoot.
>
> Jim
Now that's starting to make sense. Thanks.
But how do I do that?
Especially if my web site is hosted on a shared server somewhere in
cyberspace, how do I put files "outside DocumentRoot"?
Re: Newbie question - Hide a file
am 30.01.2008 22:23:12 von Mathieu Chavoutier
"Paul Pedersen" wrote in message
news:PMmdnb5lgLdrwwLanZ2dnUVZ_uevnZ2d@comcast.com...
>
> "Jim Hayter" wrote in message
> news:13psoo8lc427cc0@news.supernews.com...
>
>>> What's to prevent someone from, for instance, using something like
>>> URLDownloadToFile to retrieve the file:
>>> "http://www.mysite.com/loginvalidation.php"?
>>>
>>
>> You put your scripts in a directory that is outside of your DocumentRoot
>> and use a scriptalias directive. You should never put scripts under your
>> DocumentRoot.
>>
>> Jim
>
> Now that's starting to make sense. Thanks.
>
> But how do I do that?
>
> Especially if my web site is hosted on a shared server somewhere in
> cyberspace, how do I put files "outside DocumentRoot"?
I found the answer, for anyone else who has this problem. Sign in to your
hosting account and find a a place that will allow you to set file and
folder permissions.
I still haven't found how to do that on the Apache server on my local
machine, but I'm sure there's a way.