?
Solved

No access through URL

Posted on 2003-04-01
17
Medium Priority
?
275 Views
Last Modified: 2006-11-17
Greetings,
Is there any way that I can prevent access to the secure part of my site through the URL?  I only want the user to be able to navigate the site by way of the interface, without being able to type in the URL.... any ideas?
0
Comment
Question by:duerra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
  • 4
17 Comments
 
LVL 4

Expert Comment

by:girish_nair
ID: 8247117
As you are saying your site is secure, then why do you worry of anyone peeking through the url?
You can set some distracting message for people who are not authenticated. So they don't know what lies underneath.

And what interface are you talking about? I assume it is the browser, so a user has right to type whatever he wishes into his address bar. It is on the server which you can decide whom to show things or not depending on permissions.

I don't think this is an answer to a 250pts problem. Please clarify some more things like how you maintain the secure part etc . etc .

:)
Girish
0
 
LVL 4

Author Comment

by:duerra
ID: 8247200
Alright, sorry I didn't give a better explanation... here we go:

Users on my site log in.  This is their authentication.  From there they have access to different functions throughout the site.  However, some of these functions are restricted, and while I have accounted for these restrictions, I would still feel a lot safer knowing that a user wasn't injecting into the URL variables and values.  I've done what I can to account for all scenarios that I can think of in my mind, but I'm still afraid that somebody will be able to figure a way around some of my security precautions.

My biggest risk comes from, as I stated before, injection of variables and values into the URL.  I've spent the past few days going through everything I can think of to stop any occurance of this, but I would still feel safer knowing that a user MUST navigate the site to be properly authenticated, and NOT typing it in via the URL.  

Now... I'm sure this can be done, as directly linking to resources on another server (like a picture or something) is often stopped by the host server, and that sort of thing.  I've also seen an online game where you weren't allowed to navigate to each individual script via the URL, and you had to do it through the game interface.  However, this site was framed, so I'm not sure the details there of how it worked.

Anyway, I hope this helps clarify.

Peace
0
 
LVL 4

Author Comment

by:duerra
ID: 8247226
Also note that these values I'm referring to are submitted via a from when done PROPERLY.  However, I've been able to sucessfully hack myself without going through the form.  I've dedicated quite a bit of time now ironing any flaws out, but I'd like to be able to force a user to use a form, rather than directly through the URL.  Also note that these HTML form values are NOT submitted via the URL normally.
0
Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

 
LVL 4

Expert Comment

by:girish_nair
ID: 8247277
Frames are not that good.

But do you know what yahoo and other sites are doing?
They print some characters on an image and ask you to type it into a text box so, you can check in the next page if it is correct , then parse the remaining content!

I hered that there is some functions in php which allows this thing. If anyone knows then please tell how to do it.

Else I will tell you tommorrow!

Till then Enjoy!
0
 
LVL 4

Author Comment

by:duerra
ID: 8247317
Actually, I'm already doing that for many other functions in the site.  What I'm doing now is actually related to forums and special permissions.  I don't want to ask a user to type in a security code every time they make a post =)
0
 
LVL 4

Expert Comment

by:girish_nair
ID: 8247361
Hey,

then why don;t you use the register_globals = Off
and use $_POST[variable] OR $HTTP_POST_VARS[variable] instead of doing $variable

that way any one passing content through the url will not getinto your processing.

:)
0
 
LVL 4

Author Comment

by:duerra
ID: 8247414
I've thought about going that, too.  Unfortuantely, it would be a MAJOR inconvenience to go through my thousands of lines of script right now and change all my registered variables to accommodate for that.  

Now, I know that's not an excuse and it makes me sound really lazy, but if there IS another way around it, that'd be great.  I'm not lazy, it's just that I would much rather worry about other things than accessing all my global variables via $_POST[].  If not, we'll see what happens.  Either way, it's bed time, so I'll be back in a few hours.  

Thanks for the quick replies ;)

Peace
0
 
LVL 4

Expert Comment

by:girish_nair
ID: 8247488
::-))

You can use these $HTTP_POST_VARS thing in the scripts which you feel is under immediate threat, then slowly you can migrate the entire things into that way.

Any way choice is yours!

Cheers!
Girish
0
 
LVL 7

Accepted Solution

by:
Big_Red_Dog earned 1000 total points
ID: 8254336
Here is what I recommend:

1) You should use $_POST.  Conversion may not be a difficult as you think.  While this is not the prefered method, you can simply assign your old variable names to the $_POST variable names in front of your script.  So the first thing you do on the page is something like this:

$part_number = $_POST['part_number'];
$quantity = $_['quantity'];

Now turn register globals off, and you are converted and more secure.

2) In addition to doing this, you should always check the referer to make sure it is your domain.  This way you can stop someone who is really smart from getting around even this level of protection.  Fail if it is not your domain (I send a 404 or 500 error using PHP's header() function).

3) If you are using the data in an SQL statement for a database, you MUST also prevent SQL Injection.  There are many things you can do to prevent this.  The two best things to do are to a) use addslashes() if magicquotes are not turned on and the field is a string and b) Always, always, always, confirm the type of the data passed in to you for all non-string data!  So if you expect an integer, check that the data is an integer, and do this on the server.  Don't trust that your nifty javascript to check input will be used before getting to the server.

4) Turn off indexing in your .htaccess file so someone can't look at your unportected files just in case you forgot to protext an important file

5) Protect all PHP and other server-side scripts in a directory that can not be read from the web.  I always have a simple php page as my index file that includes the protected php file that contains my application.  That way you prevent another smart person from reading your files and getting insight into how they may further inject bad things.

6) This may be controversial, but I use my .htaccess file to make all 403 (forbidden access) errors looke like 404 (file not found) errors.  My reasoning is that if someone gets a 403, they know that the file or directory they are looking for exists and are more likely to try other means to get that file or directory whereby when they get a 404, they assume you don't have such a file.

7) While this one is not to help prevent query_string or SQL injection, don't foget to protect your client-side files (javascript, images, etc.) from bandwidth stealing in you .htaccess as well.
0
 
LVL 4

Author Comment

by:duerra
ID: 8254416
Wonderful!  Thank you for the great tips!  Based on what you posted, I'd like to request just a little more help =)

Can you instruct me on how to do option numbers 2 and 7?  

Then just a little bit more questioning here...

In reference to #5, how could somebody read a PHP script from the web if it's server-side only??  I don't quite understand that.  Quite a bit of my functions are done in the script itself (which have to be in the web tree, I would think???)

And in response to #6, I'm doing something similar to that as well.  I personally think it's a good way to get rid of the stupid hackers (won't stop the smart ones much).  And just out of curiosity... how are 403 errors set???

In case you need to know, I'm on apache 2.xx (don't remember what), and php 4.3.1

Thanks again for the great tips!
0
 
LVL 7

Expert Comment

by:Big_Red_Dog
ID: 8254451
Some important exceprts from my .htaccess file to illustrate my points (change 'yourdomain.com' to your domain:

# Use .htm and .html extensions on public PHP scripts so
# mailcious users don't know you are using PHP
AddType application/x-httpd-php .html .htm

# Always have an error document.  If you don't, your host
# may provide information about where you are hosted that
# may help them get into your site (yes, they can go to
# other public databases to get this, but why give them
# easy access to this information)
#
#Also make 403 errors look like 404 errors.
ErrorDocument 403 http://www.yourdomain.com/404Page.htm
ErrorDocument 404 http://www.yourdomain.com/404Page.htm

# Don't let them look at yout .htaccess file or they'll
# know some of your secrets
<Files *.htaccess>
  order deny,allow
  deny from all
  allow from yourdomain.com
</Files>

# Turn off indexing so they can look at your directory
# structure or file names
Options -Indexes

# This whole next section prevents other sites from
# stealing bandwidth.  Without this, a site can use a
# hyperlink from their site to yours to use a graphic or
# script or other client-side file.  Edit to suit your
# needs.
SetEnvIfNoCase Referer "^http://www.yourdomain.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://yourdomain.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.yourdomain.com" locally_linked=1
SetEnvIfNoCase Referer "^http://yourdomain.com" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g|js)$">
  Order Allow,Deny
  Allow from env=locally_linked
</FilesMatch>

# These lines stop some other malicious viruses by
# preventing atackers from seeing important information
# they need about your site.  Most of the above covers
# some of these, but it is always better to be safe than
# sorry.  This needs to be constantly updated to
# work properly.  You can redirrect to the 404 page if
# you so desire, I just send them to non-existent land.
redirect /scripts http://www.stoptheviruscold.invalid
redirect /MSADC http://www.stoptheviruscold.invalid
redirect /c http://www.stoptheviruscold.invalid
redirect /d http://www.stoptheviruscold.invalid
redirect /_mem_bin http://stoptheviruscold.invalid
redirect /msadc http://stoptheviruscold.invalid
RedirectMatch (.*)\cmd.exe$ http://stoptheviruscold.invalid$1

0
 
LVL 4

Author Comment

by:duerra
ID: 8254519
Awesome!

Last little things before I award you your points...

First, this stuff:
SetEnvIfNoCase Referer "^http://www.yourdomain.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://yourdomain.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.yourdomain.com" locally_linked=1
SetEnvIfNoCase Referer "^http://yourdomain.com" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g|js)$">
 Order Allow,Deny
 Allow from env=locally_linked
</FilesMatch>

Can I do this, except for, say, one or two directories of my choosing?  I would want to allow one or two directories public access, since I often link to graphics hosted on my server in signatures for forums and stuff.

Then finally, any last security tips?  The points are yours anyway, I was just wondering if you had any other nifty pointers for me to secure myself with.  Thanks a fortune!
0
 
LVL 7

Expert Comment

by:Big_Red_Dog
ID: 8254647
Sure...

#2:
(Of course add or remove URLs as needed and replace with your domains and your IP address or addresses if you have more than one that will use the script)

$referer = $_SERVER['HTTP_REFERER'];
$goodurl="http://yourdomain.com";
$goodurl2="http://yourdomain.org";
$goodurl3="http://192.168.168.255";
if (substr("$referer",0,strlen($goodurl))==$goodurl OR
substr("$referer",0,strlen($goodurl2))==$goodurl2 OR
substr("$referer",0,strlen($goodurl3))==$goodurl3) {
    // Do your work here, it is a good referer
} else {
    header("HTTP/1.0 404 Not Found");
}

#7: See my post with the .htaccess file

#5: If you have not protected your PHP script, a malicious user can construct a request to download your PHP file without it going through the PHP processor, in much the same way you can download an image on the web.  It takes a little more effort than getting an image, but it is quite easy once you know the name of a file.  If you have indexing turned on, then it is very easy to see your unprotected script names to later download.

#6: I am not sure what you mean by "how are 403 errors set", but there are two ways I can answer this.  If you meant how is one generated, then, for example, if you have an .htaccess file with just the section the prevents a user from seeing a .htaccess file or just the line to prevent indexing, a user who happens to try to look at these files will get a 403 error if the file exists on your server, but they are not permitted to see it.  Of course, if the file does not exist on your server, then they will always get a 404.

If you meant how do I set a 403 to be a 404, see my previous post with parts of my .htaccess file.

If you meant something else, please let me know and I will respond.
0
 
LVL 4

Author Comment

by:duerra
ID: 8254696
LoL... I think our synching is a bit off =)

Everything's answered, 'cept for the one little thing... allowing a certain directory to be accessed by any other server.

For example, I have an image on my server at:
http://mydomain.com/public/image.jpg

And I want that to be accessible from anywhere.  I see in your wonderful explanation how to stop this from occuring throughout the whole server.  Do you know how I stop it everywhere, except in this case, the /public directory?

Thanks!!!
0
 
LVL 7

Expert Comment

by:Big_Red_Dog
ID: 8254704
Yes, you can do it for specific directories.  The hard way is to put a different .htaccess file in each directory with the rules for that directory.  It is hard because you then need to always update every instance of the file when you add new protections or rules that apply globally.

The easier way is to use <DIRECTORY> and <LOCATION> within the global .htaccess file.  It is esasier to give you a reference than to try to explain it.  See this: http://httpd.apache.org/docs/sections.html and other parts of the Apache documentation.

0
 
LVL 4

Author Comment

by:duerra
ID: 8254740
Awesome!  Thanks a bunch.  Hopefully everything will be 10x better now =)
0
 
LVL 7

Expert Comment

by:Big_Red_Dog
ID: 8254830
One more point for #5, just to make it clear, you need to create a directory with file protection like rwx------ or if PHP needs group access, rwxr-x--- and put your script files in there.  That way a simple HTTP request can not get the files.  Since the files are only accessed by the server, there is absolutely no reason to make the accessible to the world.  In fact, make sure the files themselves have protections like rw------- or rw-r----- as an added level of protection.

Nothing is foolproof, ever, but with these protections, you will thwart off most casual and mid-level hackers.  It is kind of like putting one of those "Club" devices on your car.  You deter most, but not the criminal with a flatbed truck.  :-)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses how to implement server side field validation and display customized error messages to the client.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question