
Cabbit (macrumors 68020, original poster; Jan 30, 2006; Scotland)
Hey, I am running a site on Apache and despite my best efforts my friend can always tell me the password in http://absolutionguild.net/include/constants.php even though I have banned access to it in a .htaccess file

// .htaccess file
<Files constants.php>
order allow,deny
deny from all
</Files>

Any suggestions for further protecting it?
 
Is the .htaccess file located at root or inside the include folder? Even if they have read access to the file, PHP should be executing the code, not displaying it as plain text. They may also still be viewing a cached version of the page. I couldn't view the page in question because my work place has it blocked (they have a lot of things blocked).
 
The link results in a 404 page not found. The include directory is not there either.

When it's denied the user sees a 403 forbidden error, not a 404 unless the global config of Apache has a rewrite rule added to fool people.

-jim
 
I have the .htaccess at the root and inside the directory. But somehow he is still able to open the file and tell me the password.
 
One solution I have thought of is to put the constants file above the public_html folder,

so it would be

/
  /constants
    constants.php
  /public_html
    index.php
    /includes
      database.php

The problem with this is that some pages are 2 folders deep, so if I do
../../constants/constants.php it only works on the home page and not on other pages. So I was thinking of something like include "".$_SERVER['DOCUMENT_ROOT']."/include/constants.php"; but I have no idea how to set that up to go above the document root.
 
Like so,
PHP:
include $_SERVER['DOCUMENT_ROOT'].'/../include/constants.php'; // DOCUMENT_ROOT has no trailing slash, so the separator is needed
As far as the page "giving" you the password, can you elaborate? As I mentioned before, a PHP file should be executed and not shown as plain text, so even when they access the page directly, they shouldn't be able to see the code.
 
Somehow he is able to download the file and view the password without access to the ftp login, he is doing it via browser exploits only.
 
> Somehow he is able to download the file and view the password without access to the ftp login, he is doing it via browser exploits only.

Do you have anonymous FTP turned on? That's pretty much the only way he'd be able to download the file that way unless he knows your account info.
 
I don't see any entries other than myself in the ftp log. Unless anonymous ftp is not logged.
 
> I don't see any entries other than myself in the ftp log. Unless anonymous ftp is not logged.

Have you looked at your access logs as well to see if you can see when the file was downloaded? Though generally I don't think include files get listed.

I also came across a PHP exploit that could potentially be related that you can take a read through. Not completely sure how to detect if the exploit is occurring though.
 
Ok, well, I got the database constants in a file higher than the web directory. With luck that should make it much more secure.
 
He is telling me the password as soon as I set it, but he is not telling me how he is getting hold of it.
 
Make sure the permissions on the file (on the server) are 644 to see if that's the cause. The only other way is if he has file access to your server or directory listing access where he can download the file. He is apparently getting the file BEFORE it's interpreted, so this advice is step one before looking at other causes, such as hacked FTP access, shell access, etc.

This infers "chmod 644"

-jim
 
Ok, well, I will try this and change the ftp password and the database password again and see if he can get it this time.
 
> ok well i will try this and change the ftp password and the database password again and see if he can get it this time

Smart moves. Beyond that if it happens again refer to that link added previous with the exploits and check each out carefully. Or, you could simply plant a small nuclear device inside your "friends" computer triggered when that filename shows up via a keystroke logger and that would surely solve the problem.

Um, I'm kidding, for those who think we condone such things here on MacRumors. Well, we do, but you know what I mean!

-jim
 
PHP:
<?php
echo '<p>Only .jpeg files are currently supported.</p>';
if (isset($_POST['Submit'])) {
    $size = 150; // the thumbnail height
    $filedir = '../images/original/'; // the directory for the original image
    $thumbdir = '../images/avatars/'; // the directory for the thumbnail image
    $prefix = ''; // the prefix to be added to the original name
    $maxfile = '2000000';
    $mode = '0666';
    // all four values below come straight from the client's request
    $userfile_name = $_FILES['image']['name'];
    $userfile_tmp = $_FILES['image']['tmp_name'];
    $userfile_size = $_FILES['image']['size'];
    $userfile_type = $_FILES['image']['type'];
    if (isset($_FILES['image']['name'])) {
        // the file is saved under the client-supplied name, extension included
        $prod_img = $filedir.$userfile_name;
        $prod_img_thumb = $thumbdir.$prefix.$userfile_name;
        move_uploaded_file($userfile_tmp, $prod_img);
        chmod($prod_img, octdec($mode));
        $sizes = getimagesize($prod_img);
        $aspect_ratio = $sizes[1] / $sizes[0];
        if ($sizes[1] <= $size) {
            $new_width = $sizes[0];
            $new_height = $sizes[1];
        } else {
            $new_height = $size;
            $new_width = abs($new_height / $aspect_ratio);
        }
        $destimg = ImageCreateTrueColor($new_width, $new_height)
            or die('Problem In Creating image');
        $srcimg = ImageCreateFromJPEG($prod_img)
            or die('Problem In opening Source Image');
        if (function_exists('imagecopyresampled')) {
            imagecopyresampled($destimg, $srcimg, 0, 0, 0, 0, $new_width, $new_height, ImageSX($srcimg), ImageSY($srcimg))
                or die('Problem In resizing');
        } else {
            Imagecopyresized($destimg, $srcimg, 0, 0, 0, 0, $new_width, $new_height, ImageSX($srcimg), ImageSY($srcimg))
                or die('Problem In resizing');
        }
        ImageJPEG($destimg, $prod_img_thumb, 90)
            or die('Problem In saving');
        imagedestroy($destimg);
    }
    $avatar = $userfile_name;
    $username = $session->username;
    $query = "UPDATE `users` SET `avatar` = '$avatar' WHERE `username` = '$username'";
    if (!mysql_query($query)) {
        die("There was an error, please try again.");
    }
    echo '
        <label for="img">Image uploaded</label><br /><img src="'.$prod_img_thumb.'" width="'.$new_width.'" height="'.$new_height.'">';
} else {
    echo '
        <form method="POST" action="'.$_SERVER['PHP_SELF'].'?tab=avatar" enctype="multipart/form-data">';
    echo '<label>Current Avatar</label>';
    echo '<br />';

    if ($req_user_info['avatar'] == '' OR $req_user_info['avatar'] == 'not entered') {
        print "<img src=\"../images/avatars/no_log.jpg\" alt=\"profile-image\" width=\"120px\" border=\"1px\"/>";
    } else {
        print "<img src=\"../images/avatars/".$req_user_info['avatar']."\" alt=\"avatar_".$username."\" width=\"120px\"/>";
    }
    echo '<br />';
    echo '
        <input type="file" name="image"><p>
        <input type="Submit" name="Submit" value="Submit">
        </form>';
}
?>


Ok, found out the security issue: he was able to upload PHP files and execute them with this. Now I need to find out how to secure file uploads.
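An added example of the hardened upload handler the last post is asking for; it is not the thread's code. It assumes GD and Fileinfo are available and that $uploadDir is writable by the web server but configured so Apache never executes PHP from it. The key differences from the posted script: the type is decided from the bytes rather than the client's filename or MIME type, the image is re-encoded, and the server picks the filename and extension.

```php
<?php
// Added example (not from the thread): hardened avatar upload.
// Assumptions: GD + Fileinfo present; $uploadDir is a non-executable directory.

function store_avatar(array $file, string $uploadDir, int $maxBytes = 2000000): string
{
    // 1. Accept only a completed upload of a sane size.
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected upload');
    }

    // 2. Decide the type from the file contents. $_FILES['image']['name']
    //    and $_FILES['image']['type'] are both chosen by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('Only JPEG is accepted');
    }
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Not a valid JPEG');
    }

    // 3. Re-encode through GD so only pixel data survives; comment/EXIF
    //    segments and any trailing bytes from the original are dropped.
    $src = imagecreatefromjpeg($file['tmp_name']);
    if ($src === false) {
        throw new RuntimeException('Could not decode image');
    }

    // 4. Server-chosen name with a fixed extension, so names such as
    //    "avatar.php" or "avatar.php.jpg" never reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = imagejpeg($src, $dest, 90);
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('Could not save image');
    }
    chmod($dest, 0644); // world-readable, owner-writable, no execute bit

    // Store this generated name in the users table, not the original name.
    return $name;
}
```

Pair this with an Apache rule for the avatars directory that turns the PHP engine off (for example `php_admin_flag engine off` in the vhost or a `<FilesMatch "\.php$">` deny in its .htaccess), so a file that slips through is served as bytes rather than run.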
 