re Prevent loading of php pages

Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.

Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?

We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.

If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.

Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to

www.somewebsitecom/nonrootdirectory/step2.php.

This approach seems to work, but can a clever web-crawler or
programmer get past it?

Thoughts?

Phil

>>Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages

>>I have a website consisting of php segments.

>>Example

>>page1.html calls in code from seg1.php and seg2.php

>>If the user goes directly to www.mydomain.com/seg1.php they see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.

>>The only time that seg1.php should be visible is in its original context on
page1.html

>>Garry Jones
Sweden

>Jerry Stuckle wrote:

>The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".

>When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):

> include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');

>Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).

>==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

Phil wrote:

Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.

Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?

We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.

If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.

Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to

www.somewebsitecom/nonrootdirectory/step2.php.

This approach seems to work, but can a clever web-crawler or
programmer get past it?

Thoughts?

Phil

>Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages

>I have a website consisting of php segments.

>Example

>page1.html calls in code from seg1.php and seg2.php

>If the user goes directly towww.mydomain.com/seg1.phpthey see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.

>The only time that seg1.php should be visible is in its original context on
page1.html

>Garry Jones
Sweden

Jerry Stuckle wrote:

The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".

When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):

include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');

Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).

==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

http_referer is not reliable. The browser is not required to send it, a
firewall may strip it, or it can easily be faked.

My suggestion just protected pages from being loaded directly; it really
doesn't address your issue.

I think the best way to handle your sequence might be to keep track of
the last page (or pages) visited in the session variable. Not much more
work, and much more accurate.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================- Hide quoted text -

- Show quoted text -

On Jun 1, 5:17 am, Jerry Stuckle <jstuck...@attglobal.netwrote:

>Phil wrote:

>>Jerry posed some good ideas, a while back, on website a security issue
that comes up often. Gary Jones was asking how to keep users from
directly accessing php pages, out of sequence.
Jerry posed a directory management solution. No one seems to have
mentioned an alternative. Maybe there is a reason?
We took a different approach, noting that the only way we wanted a
user to enter some phps would be through a predefined series of steps
like that posed by Gary Jones. Header information (http_referer, or
maybe another) is a path check.
If a client request hits, say, step_4-something.php without going
through steps 1, 2, & 3, the php takes suitable action, maybe posting
an error message.
Jerry's directory-solution is sound, but maybe we want to prohibit
someone from going straight to
www.somewebsitecom/nonrootdirectory/step2.php.
This approach seems to work, but can a clever web-crawler or
programmer get past it?
Thoughts?
Phil
Newsgroups: comp.lang.php
From: "Garry Jones" <garry.jo...@morack.se>
Date: Wed, 26 Apr 2006 23:53:13 +0200
Local: Wed, Apr 26 2006 3:53 pm
Subject: Prevent loading of php pages
I have a website consisting of php segments.
Example
page1.html calls in code from seg1.php and seg2.php
If the user goes directly towww.mydomain.com/seg1.phpthey see everything
visible to a browser on that page. Can I prevent users from loading individual
php segments.
The only time that seg1.php should be visible is in its original context on
page1.html
Garry Jones
Sweden
Jerry Stuckle wrote:
The document root id the root directory of your website. But it is not the root
directory of your machine. For instance, your document root might be
"/var/www/website1/html".
When you upload them, put them in a directory below the root of your website,
i.e. "/var/www/website1/myfiles". You can then include this page in your
other PHP pages with something like (assuming Apache):
include($_SERVER['DOCUMENT_ROOT'] . '/../myfiles/my.inc.php');
Anyone accessing a page through http protocol can only access those files in
your web root. But PHP accesses the file system directly, so it can access any
file on the system (assuming the appropriate permissions are set).
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================

http_referer is not reliable. The browser is not required to send it, a
firewall may strip it, or it can easily be faked.

My suggestion just protected pages from being loaded directly; it really
doesn't address your issue.

I think the best way to handle your sequence might be to keep track of
the last page (or pages) visited in the session variable. Not much more
work, and much more accurate.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstuck...@attglobal.net
==================- Hide quoted text -

- Show quoted text -

Jerry:

Even better. Thank you.

Phil
P.s. Does $_SERVER["HTTP_REFERER"] get stripped or can it be faked?