
Newbie question - Hide a file

 
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 1) Posted: Sun Jan 27, 2008 2:17 pm
Post subject: Newbie question - Hide a file
Archived from groups: alt>apache>configuration

I plan to have a client-side application (not a browser) pass an encrypted
user name and password to a php file for validation, which will return an
xml string if the user is validated.

Obviously I don't want Apache to serve up that php file to any browser or
other app that asks for it. How do I prevent that from happening?

Alternatively, is there a better method to accomplish what I'm trying to do?

Kees Nuyt

External


Since: Oct 25, 2006
Posts: 78



(Msg. 2) Posted: Mon Jan 28, 2008 2:04 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

On Sun, 27 Jan 2008 14:17:15 -0800, "Paul Pedersen"
<nospam RemoveThis @no.spam> wrote:

> I plan to have a client-side application (not a browser) pass an encrypted
> user name and password to a php file for validation, which will return an
> xml string if the user is validated.
>
> Obviously I don't want Apache to serve up that php file to any browser or
> other app that asks for it. How do I prevent that from happening?

First of all, apache doesn't "serve up" .php if you
configure it to run the script. It just runs the php
script and the script decides what the response should be.

You can't prevent a browser or other app to try to do the
same as your app. It's apache, so your app will send a
request like:
GET /validate.php?u=encrypteduid&p=encryptedpsw HTTP/1.1
or
POST /validate.php HTTP/1.1
with the encrypted userID/password in the request header.
Any socket capable program can imitate that.

If the request is well-formed you can't prevent Apache
from triggering the .php script, regardless of the client
which composed it.

Just a few possibilities:

1) You can obfuscate by using an uncommon port (not 80 or
8080).

2) You can obfuscate by sending an uncommon query string
GET /validate.php?somestring_with_encrypted_uid_and_psw

3) You can obfuscate by leaving out the .php extension and
using the trick in
http://richardlynch.blogspot.com/2006/06/php-downloads-content-disposition.html

4) Your php script can refuse to answer invalid requests,
either by sending nothing or sending a 403 response and
disconnecting.

5) Require a valid client certificate.

6) A combination of 1) thru 5)

7) Of course your encryption is perfect and your script
will only send the .xml file if the userID and password
are correct, so what do you worry about?

> Alternatively, is there a better method to accomplish
> what I'm trying to do?

It will have been done before, but I don't know any
examples.

HTH
--
( Kees
)
c[_] Se cio` che dici non offende nessuno, vuol
dire che non hai detto nulla. (Oscar Wilde) (#94)

Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 3) Posted: Mon Jan 28, 2008 2:14 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

Thanks for your responses. All good suggestions.

But I don't think my original question got answered.



> First of all, apache doesn't "serve up" .php if you
> configure it to run the script.

Perhaps that's what I was asking for. How?



> You can't prevent a browser or other app to try to do the
> same as your app.

I don't mind that. If the request doesn't validate, nothing significant will
be returned.

What I'm concerned about is someone being able to read the php file itself.

What's to prevent someone from, for instance, using something like
URLDownloadToFile to retrieve the file:
"http://www.mysite.com/loginvalidation.php"?
Jim Hayter

External


Since: Feb 07, 2005
Posts: 98



(Msg. 4) Posted: Mon Jan 28, 2008 6:19 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

Paul Pedersen wrote:
> Thanks for your responses. All good suggestions.
>
> But I don't think my original question got answered.
>
>
>
>> First of all, apache doesn't "serve up" .php if you
>> configure it to run the script.
>
> Perhaps that's what I was asking for. How?
>
>
>
>> You can't prevent a browser or other app to try to do the
>> same as your app.
>
> I don't mind that. If the request doesn't validate, nothing significant will
> be returned.
>
> What I'm concerned about is someone being able to read the php file itself.
>
> What's to prevent someone from, for instance, using something like
> URLDownloadToFile to retrieve the file:
> "http://www.mysite.com/loginvalidation.php"?
>

You put your scripts in a directory that is outside of your DocumentRoot
and use a scriptalias directive. You should never put scripts under
your DocumentRoot.

Jim
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 5) Posted: Tue Jan 29, 2008 9:11 am
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

"William Colls" <william DeleteThis @procomsys.com> wrote in message
news:479E5824.2080602@procomsys.com...

>> What's to prevent someone from, for instance, using something like
>> URLDownloadToFile to retrieve the file:
>> "http://www.mysite.com/loginvalidation.php"?
>>
> php executes on the server side, and is never visible to the client. All
> that is visible to the client is whatever the php file returns when it
> executes.
>

I have used exactly that method to retrieve php files from some sites.
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 6) Posted: Tue Jan 29, 2008 9:14 am
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

"Jim Hayter" <see.reply.to DeleteThis @nowhere.invalid> wrote in message
news:13psoo8lc427cc0@news.supernews.com...

>> What's to prevent someone from, for instance, using something like
>> URLDownloadToFile to retrieve the file:
>> "http://www.mysite.com/loginvalidation.php"?
>>
>
> You put your scripts in a directory that is outside of your DocumentRoot
> and use a scriptalias directive. You should never put scripts under your
> DocumentRoot.
>
> Jim

Now that's starting to make sense. Thanks.

But how do I do that?

Especially if my web site is hosted on a shared server somewhere in
cyberspace, how do I put files "outside DocumentRoot"?
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 7) Posted: Wed Jan 30, 2008 1:23 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

"Paul Pedersen" <nospam RemoveThis @no.spam> wrote in message
news:PMmdnb5lgLdrwwLanZ2dnUVZ_uevnZ2d@comcast.com...
>
> "Jim Hayter" <see.reply.to RemoveThis @nowhere.invalid> wrote in message
> news:13psoo8lc427cc0@news.supernews.com...
>
>>> What's to prevent someone from, for instance, using something like
>>> URLDownloadToFile to retrieve the file:
>>> "http://www.mysite.com/loginvalidation.php"?
>>>
>>
>> You put your scripts in a directory that is outside of your DocumentRoot
>> and use a scriptalias directive. You should never put scripts under your
>> DocumentRoot.
>>
>> Jim
>
> Now that's starting to make sense. Thanks.
>
> But how do I do that?
>
> Especially if my web site is hosted on a shared server somewhere in
> cyberspace, how do I put files "outside DocumentRoot"?


I found the answer, for anyone else who has this problem. Sign in to your
hosting account and find a place that will allow you to set file and
folder permissions.

I still haven't found how to do that on the Apache server on my local
machine, but I'm sure there's a way.
Erwin Moller

External


Since: Feb 04, 2008
Posts: 3



(Msg. 8) Posted: Mon Feb 04, 2008 9:07 am
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

Paul Pedersen wrote:

<snip>

>> But how do I do that?
>>
>> Especially if my web site is hosted on a shared server somewhere in
>> cyberspace, how do I put files "outside DocumentRoot"?
>
>
> I found the answer, for anyone else who has this problem. Sign in to your
> hosting account and find a place that will allow you to set file and
> folder permissions.
>
> I still haven't found how to do that on the Apache server on my local
> machine, but I'm sure there's a way.
>

That is not placing files outside documentroot.
You are describing some system you haven't even mentioned.
Placing files outside documentroot means that you put them in a directory
that is simply not under your documentroot.
eg: If the documentroot for your webapp is:
/home/paul/public_html/
you place them for example here:
/home/paul/mydir/

Bottom line is nobody can type something like this:
http://www.example.com/~paul/secretfile
and access the file.

Regards,
Erwin Moller
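The layout Erwin Moller describes above, combined with the ScriptAlias directive Jim Hayter mentioned, as it could be written for a self-administered Apache such as a local test machine. This is an added example, not part of any post in the thread; the /app/ URL prefix is an assumption, and how PHP is invoked as a CGI program is host-specific and not shown.

```apache
# Constructed example for httpd.conf or a <VirtualHost> block.
# ScriptAlias and <Directory> are not valid inside .htaccess.
# Needs mod_alias plus mod_cgi (or mod_cgid) loaded.

DocumentRoot "/home/paul/public_html"

# Weak layout, shown for contrast only:
#   /home/paul/public_html/loginvalidation.php
# The URL /loginvalidation.php maps straight to that file. If the PHP
# handler is ever missing or misconfigured, Apache treats the file as
# static content and sends its bytes, source code included.

# Hardened layout: the script lives in /home/paul/mydir/, which no URL
# maps to by default. ScriptAlias publishes it under /app/ (assumed
# prefix) and marks everything in the directory as a CGI program, so
# Apache executes the file and returns only its output.
ScriptAlias /app/ "/home/paul/mydir/"

<Directory "/home/paul/mydir">
    # No per-directory overrides and no optional features
    # (no directory listings, no symlink following, no includes).
    AllowOverride None
    Options None

    # Apache 2.4 access syntax
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>

    # Apache 1.3 / 2.0 / 2.2 access syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# Only executable programs belong in /home/paul/mydir/. Data files and
# include files that must never be requested go in a directory that has
# no Alias or ScriptAlias at all.
```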
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 9) Posted: Mon Feb 04, 2008 12:36 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

"Erwin Moller"
<Since_humans_read_this_I_am_spammed_too_much.DeleteThis@spamyourself.com> wrote in
message news:47a6ecac$0$85786$e4fe514c@news.xs4all.nl...
> Paul Pedersen wrote:
>
> <snip>
>
>>> But how do I do that?
>>>
>>> Especially if my web site is hosted on a shared server somewhere in
>>> cyberspace, how do I put files "outside DocumentRoot"?
>>
>>
>> I found the answer, for anyone else who has this problem. Sign in to your
>> hosting account and find a place that will allow you to set file and
>> folder permissions.
>>
>> I still haven't found how to do that on the Apache server on my local
>> machine, but I'm sure there's a way.
>>
>
> That is not placing files outside documentroot.
> You are describing some system you haven't even mentioned.
> Placing files outside documentroot means that you put them in a directory
> that is simply not under your documentroot.
> eg: If the documentroot for your webapp is:
> /home/paul/public_html/
> you place them for example here:
> /home/paul/mydir/
>
> Bottom line is nobody can type something like this:
> http://www.example.com/~paul/secretfile
> and access the file.


Yes, that's what I meant.

Although I am running Apache locally for test and development purposes, that
is not where the site is hosted. It's hosted on a remote shared server
running Apache, and I don't think I have a way to put a directory "outside"
documentroot in that situation.

I know that's not strictly an Apache issue, but if you have an answer, I'd
be glad to hear it.
Andy Ruddock

External


Since: Dec 30, 2007
Posts: 5



(Msg. 10) Posted: Mon Feb 04, 2008 9:06 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

Paul Pedersen wrote:
> "Erwin Moller"
> <Since_humans_read_this_I_am_spammed_too_much.TakeThisOut@spamyourself.com> wrote in
> message news:47a6ecac$0$85786$e4fe514c@news.xs4all.nl...
>> Paul Pedersen wrote:
>>
>> <snip>
>>
>>>> But how do I do that?
>>>>
>>>> Especially if my web site is hosted on a shared server somewhere in
>>>> cyberspace, how do I put files "outside DocumentRoot"?
>>>
>>> I found the answer, for anyone else who has this problem. Sign in to your
>>> hosting account and find a place that will allow you to set file and
>>> folder permissions.
>>>
>>> I still haven't found how to do that on the Apache server on my local
>>> machine, but I'm sure there's a way.
>>>
>> That is not placing files outside documentroot.
>> You are describing some system you haven't even mentioned.
>> Placing files outside documentroot means that you put them in a directory
>> that is simply not under your documentroot.
>> eg: If the documentroot for your webapp is:
>> /home/paul/public_html/
>> you place them for example here:
>> /home/paul/mydir/
>>
>> Bottom line is nobody can type something like this:
>> http://www.example.com/~paul/secretfile
>> and access the file.
>
>
> Yes, that's what I meant.
>
> Although I am running Apache locally for test and development purposes, that
> is not where the site is hosted. It's hosted on a remote shared server
> running Apache, and I don't think I have a way to put a directory "outside"
> documentroot in that situation.
>
> I know that's not strictly an Apache issue, but if you have an answer, I'd
> be glad to hear it.
>

That depends on the configuration at the webhost. I use one where I have
access via ftp & ssh to place files outside documentroot.
ftp & ssh into $HOME, documentroot is $HOME/public_html

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 11) Posted: Mon Feb 04, 2008 9:06 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

"Andy Ruddock" <andy.ruddock+news@gmail.com> wrote in message
news:47a790de$1@proxy.mimer.no...
>>> Bottom line is nobody can type something like this:
>>> http://www.example.com/~paul/secretfile
>>> and access the file.
>>
>>
>> Yes, that's what I meant.
>>
>> Although I am running Apache locally for test and development purposes, that
>> is not where the site is hosted. It's hosted on a remote shared server
>> running Apache, and I don't think I have a way to put a directory "outside"
>> documentroot in that situation.
>>
>> I know that's not strictly an Apache issue, but if you have an answer, I'd
>> be glad to hear it.
>>
>
> That depends on the configuration at the webhost. I use one where I have
> access via ftp & ssh to place files outside documentroot.
> ftp & ssh into $HOME, documentroot is $HOME/public_html
>

With mine, it "appears" that the main directory IS documentroot and I cannot
change it.
Instead, I can create directories within that, and prevent Apache from
making those accessible except by my own scripts.

Is that possibly the case, or am I misunderstanding something? If it
matters, I think they are using Apache 1.x.
Andy Ruddock

External


Since: Dec 30, 2007
Posts: 5



(Msg. 12) Posted: Tue Feb 05, 2008 12:04 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

Paul Pedersen wrote:
> "Andy Ruddock" <andy.ruddock+news@gmail.com> wrote in message
> news:47a790de$1@proxy.mimer.no...
>>>> Bottom line is nobody can type something like this:
>>>> http://www.example.com/~paul/secretfile
>>>> and access the file.
>>>
>>> Yes, that's what I meant.
>>>
>>> Although I am running Apache locally for test and development purposes, that
>>> is not where the site is hosted. It's hosted on a remote shared server
>>> running Apache, and I don't think I have a way to put a directory "outside"
>>> documentroot in that situation.
>>>
>>> I know that's not strictly an Apache issue, but if you have an answer, I'd
>>> be glad to hear it.
>>>
>> That depends on the configuration at the webhost. I use one where I have
>> access via ftp & ssh to place files outside documentroot.
>> ftp & ssh into $HOME, documentroot is $HOME/public_html
>>
>
> With mine, it "appears" that the main directory IS documentroot and I cannot
> change it.
> Instead, I can create directories within that, and prevent Apache from
> making those accessible except by my own scripts.
>
> Is that possibly the case, or am I misunderstanding something? If it
> matters, I think they are using Apache 1.x.
>

It's quite possible that your hoster has set up apache in this fashion,
in which case you'll probably have to use .htaccess to prevent the files
simply being delivered in response to a direct request via http.
Again, what you can achieve in this way is dependent upon the
configuration at your webhost.

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)
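The .htaccess approach described above, for a shared host where the account's top directory is the DocumentRoot. This is an added example, not part of any post in the thread; the directory name "private" is an assumption, and it only takes effect if the host's AllowOverride setting permits these directives.

```apache
# Constructed example: contents of public_html/private/.htaccess
# ("private" is an assumed directory name under the DocumentRoot).
#
# Files kept here (the validation logic, credentials, include files) are
# still read by your own public PHP script through the filesystem, for
# example via include/require. That read never passes through Apache's
# access checks, so the rules below do not affect it.

# Refuse every direct HTTP request for anything in this directory.

# Apache 2.4 syntax (needs AllowOverride AuthConfig or All)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 1.3 / 2.0 / 2.2 syntax (needs AllowOverride Limit or All)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Because the denial applies to every file type, the PHP source stays
# unreadable over HTTP even if the host's PHP handler stops working and
# .php files elsewhere start being sent as plain text.
```

After uploading, request a file in that directory over HTTP and expect a 403. A 200 means the host is ignoring .htaccess files, and a 500 usually means the directives are not permitted by the host's AllowOverride setting.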
Paul Pedersen

External


Since: Jan 10, 2008
Posts: 15



(Msg. 13) Posted: Tue Feb 05, 2008 12:04 pm
Post subject: Re: Newbie question - Hide a file
Archived from groups: per prev. post

"Andy Ruddock" <andy.ruddock+news@gmail.com> wrote in message
news:47a88a5e$1@proxy.mimer.no...
> It's quite possible that your hoster has set up apache in this fashion,
> in which case you'll probably have to use .htaccess to prevent the files
> simply being delivered in response to a direct request via http.
> Again, what you can achieve in this way is dependent upon the
> configuration at your webhost.
>
> --
> Andy Ruddock
> ------------
> andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)


That's helpful information. Thanks!