File access problem

Discussion in 'Web Design and Development' started by Cabbit, Apr 1, 2009.

  1. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    Hey, I am running a site off Apache and despite my best efforts my friend can always tell me the password in http://absolutionguild.net/include/constants.php though I have banned access to it in a .htaccess file.

    // ht access file
    <Files constants.php>
    order allow,deny
    deny from all
    </Files>

    Any suggestions for further protecting it?
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    Is the .htaccess file located at root or inside the include folder? Even if they have read access to the file, PHP should be executing the code, not displaying it as plain text. They may also still be viewing a cached version of the page. I couldn't view the page in question because my work place has it blocked (they have a lot of things blocked).
     
  3. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #3
    The link results in a 404 page not found. The include directory is not there either.

    When it's denied the user sees a 403 forbidden error, not a 404 unless the global config of Apache has a rewrite rule added to fool people.

    -jim
     
  4. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #4
    I have the .htaccess on the root and inside the directory. But somehow he is still able to open the file and tell me the password.
     
  5. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #5
    One solution I have thought of is to put the constants file before the public_html folder,

    so it would be

    /
    /constants
        constants.php
    /public_html
        index.php
        /includes
            database.php

    The problem with this is that some pages are 2 folders deep, so if I do
    ../../constants/constants.php it only works on the home page and not on other pages, so I was thinking of something like include "".$_SERVER['DOCUMENT_ROOT']."/include/constants.php"; but I have no idea how to set that up to go before the document root.
     
  6. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    Like so,
    PHP:
    include $_SERVER['DOCUMENT_ROOT'].'/../include/constants.php';
    As far as the page "giving" you the password, can you elaborate? As I mentioned before, a PHP file should be executed and not shown as plain text, so even when they access the page directly, they shouldn't be able to see the code.
     
  7. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #7
    Somehow he is able to download the file and view the password without access to the FTP login; he is doing it via browser exploits only.
     
  8. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #8
    Do you have anonymous FTP turned on? That's pretty much the only way he'd be able to download the file that way unless he knows your account info.
     
  9. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #9
    I don't see any entries other than myself in the FTP log. Unless anonymous FTP is not logged.
     
  10. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #10
    Have you looked at your access logs as well to see if you can see when the file was downloaded? Though generally I don't think include files get listed.

    I also came across a PHP exploit that could potentially be related that you can take a read through. Not completely sure how to detect if the exploit is occurring though.
     
  11. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #11
    OK, well, I got the database constants in a file higher than the web directory. With luck that should make it much more secure.
     
  12. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #12
    >.< He can still access it, "anything PHP can see I can see", so I am stumped.
     
  13. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #13
    Are you sure he's not just lying about seeing it? Just ask him how he does it. If he doesn't give an answer, report him.
     
  14. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #14
    He is telling me the password as soon as I set it, but he is not telling me how he is getting hold of it.
     
  15. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #15
    Make sure the permissions on the file (on the server) are 644 to see if that's the cause. The only other way is if he has file access to your server or directory listing access where he can download the file. He is apparently getting the file BEFORE it's interpreted, so this advice is step one before looking at other causes, such as hacked FTP access, shell access, etc.

    This infers "chmod 644"

    -jim
     
  16. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #16
    OK, well, I will try this and change the FTP password and the database password again and see if he can get it this time.
     
  17. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #17
    Smart moves. Beyond that, if it happens again, refer to that link added previously with the exploits and check each out carefully. Or, you could simply plant a small nuclear device inside your "friend's" computer triggered when that filename shows up via a keystroke logger and that would surely solve the problem.

    Um, I'm kidding, for those who think we condone such things here on MacRumors. Well, we do, but you know what I mean!

    -jim
     
  18. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #18
    PHP:
    <?php
    echo '<p>Only .jpeg files are currently supported.</p>';
    if (isset($_POST['Submit']))
    {
        $size = 150; // the thumbnail height
        $filedir = '../images/original/'; // the directory for the original image
        $thumbdir = '../images/avatars/'; // the directory for the thumbnail image
        $prefix = ''; // the prefix to be added to the original name
        $maxfile = '2000000';
        $mode = '0666';
        $userfile_name = $_FILES['image']['name'];
        $userfile_tmp = $_FILES['image']['tmp_name'];
        $userfile_size = $_FILES['image']['size'];
        $userfile_type = $_FILES['image']['type'];
        if (isset($_FILES['image']['name']))
        {
            // The client-supplied file name, extension included, is used as-is.
            $prod_img = $filedir.$userfile_name;
            $prod_img_thumb = $thumbdir.$prefix.$userfile_name;
            move_uploaded_file($userfile_tmp, $prod_img);
            chmod($prod_img, octdec($mode));
            $sizes = getimagesize($prod_img);
            $aspect_ratio = $sizes[1]/$sizes[0];
            if ($sizes[1] <= $size)
            {
                $new_width = $sizes[0];
                $new_height = $sizes[1];
            }else{
                $new_height = $size;
                $new_width = abs($new_height/$aspect_ratio);
            }
            $destimg=ImageCreateTrueColor($new_width,$new_height)
                or die('Problem In Creating image');
            $srcimg=ImageCreateFromJPEG($prod_img)
                or die('Problem In opening Source Image');
            if (function_exists('imagecopyresampled'))
            {
                imagecopyresampled($destimg,$srcimg,0,0,0,0,$new_width,$new_height,ImageSX($srcimg),ImageSY($srcimg))
                    or die('Problem In resizing');
            }else{
                Imagecopyresized($destimg,$srcimg,0,0,0,0,$new_width,$new_height,ImageSX($srcimg),ImageSY($srcimg))
                    or die('Problem In resizing');
            }
            ImageJPEG($destimg,$prod_img_thumb,90)
                or die('Problem In saving');
            imagedestroy($destimg);
        }
        $avatar = $userfile_name;
        $username = $session->username;
        $query = "UPDATE `users` SET `avatar` = '$avatar' WHERE `username` = '$username'";
        if ( !mysql_query( $query ) ) {
            die("There was an error, please try again.");
        }
        echo '
            <label for="img">Image uploaded</label><br /><img src="'.$prod_img_thumb.'" width="'.$new_width.'" height="'.$new_height.'">';
    }else{
        echo '
            <form method="POST" action="'.$_SERVER['PHP_SELF'].'?tab=avatar" enctype="multipart/form-data">';
        echo '<label>Current Avatar</label>';
        echo '<br />';

        if ($req_user_info['avatar'] == '' OR $req_user_info['avatar'] == 'not entered')
        {
            print "<img src=\"../images/avatars/no_log.jpg\" alt=\"profile-image\" width=\"120px\" border=\"1px\"/>";
        }
        else
        {
            print "<img src=\"../images/avatars/".$req_user_info['avatar']."\" alt=\"avatar_".$username."\" width=\"120px\"/>";
        }
        echo '<br />';
        echo '
            <input type="file" name="image"><p>
            <input type="Submit" name="Submit" value="Submit">
            </form>';
    }
    ?>

    OK, found out the security issue was that he was able to upload PHP files to execute them with this. Now I need to find out how to secure file uploads.
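
One way to close the hole in the upload script from post #18, as an added example that is not part of the thread or the poster's code. The function name `save_avatar()`, the `$avatarDir` parameter and the PDO connection `$pdo` are assumptions; the `users` table, its columns, the 150-pixel height and the 2000000-byte limit are taken from the posted script.

```php
<?php
// Added example, not the poster's code. save_avatar(), $avatarDir and $pdo are assumed names.
const MAX_AVATAR_BYTES = 2000000; // same limit as $maxfile in the post
const THUMB_HEIGHT     = 150;     // same as $size in the post

function save_avatar(array $file, string $avatarDir, PDO $pdo, string $username): string
{
    // Reject failed, oversized or non-HTTP-upload files before touching them.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || $file['size'] > MAX_AVATAR_BYTES
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload rejected');
    }

    // Decide the type from the file's bytes, never from the client-supplied
    // name or from $_FILES[...]['type'], both of which the uploader controls.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Only JPEG images are accepted');
    }

    // Decode and re-encode: the uploaded bytes themselves are never copied
    // into the web root, only the image GD writes out.
    $src = imagecreatefromjpeg($file['tmp_name']);
    if ($src === false) {
        throw new RuntimeException('Not a decodable JPEG');
    }
    [$w, $h] = [imagesx($src), imagesy($src)];
    $newH = min($h, THUMB_HEIGHT);
    $newW = max(1, (int) round($w * $newH / $h));
    $dst = imagecreatetruecolor($newW, $newH);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $newW, $newH, $w, $h);

    // Server-generated name with a fixed extension; the original name is discarded,
    // so a ".php" name can never land on disk.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($dst, rtrim($avatarDir, '/') . '/' . $name, 90)) {
        throw new RuntimeException('Could not save avatar');
    }

    // Parameterised query instead of interpolating values into the SQL string.
    $stmt = $pdo->prepare('UPDATE users SET avatar = ? WHERE username = ?');
    $stmt->execute([$name, $username]);
    return $name;
}
```

The caller passes `$_FILES['image']` as `$file` and catches `RuntimeException` to show an error instead of calling `die()`.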
     
