Stopping a piece of PHP from being accessed unless it is being called by something...

  • Thread starter Bes

Hi

I have a php file which does some work with MagickWand based on a load of parameters passed to it by a form. It returns an altered image.

Is there a way I can configure Apache or the PHP so nothing can actually access the PHP code and make it do any processing unless it is called explicitly by a certain page (or pages from a certain directory)? I ask as I can see it being open to some abuse as things stand....

Thanks
 
You could make a form with a hidden field and post that, then see if it exists when they get there.
 
You could make a form with a hidden field and post that, then see if it exists when they get there.

Still easy to spoof.

The best approach, if the form must be public, would be to have a hidden field that contains a single-use server-generated token.

The receiving PHP script checks this token to see if it's valid, and if not, denies the request. You could also put a time-out on tokens.
 
You probably want a nonce. Set a token when the user views the form, and display the token as a hidden form field; then when the form is submitted check that the submitted token matches the one stored in the session. If they don't match or if no token is submitted, discard the request.

Edit: you can of course replace "hidden form field" with a query string parameter on a regular link.
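
The single-use token with a time-out suggested in the replies above, as an added example that is not code from any poster in this thread. The function names, the session key form_tokens and the 600-second lifetime are assumptions chosen for illustration.

```php
<?php
// Added example: single-use, expiring form token stored in the session.
// issue_token(), consume_token() and TOKEN_TTL are hypothetical names.
declare(strict_types=1);

const TOKEN_TTL = 600; // seconds a token stays valid (assumed value)

// Call when rendering the form; the result goes into a hidden field.
function issue_token(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_tokens'][$token] = time();   // issue time kept server-side
    return $token;
}

// Call at the top of the image script, before any MagickWand work.
function consume_token($submitted): bool
{
    $now   = time();
    $valid = false;
    foreach ($_SESSION['form_tokens'] ?? [] as $known => $issuedAt) {
        if ($now - $issuedAt > TOKEN_TTL) {
            unset($_SESSION['form_tokens'][$known]);  // drop expired tokens
            continue;
        }
        // is_string() rejects array input such as token[]=x
        if (is_string($submitted) && hash_equals((string) $known, $submitted)) {
            unset($_SESSION['form_tokens'][$known]);  // single use: burn on match
            $valid = true;
        }
    }
    return $valid;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired token.');
    }
    // ... image processing would run here ...
    exit('Token accepted.');
}
$token = issue_token();
echo '<form action="" method="post">'
   . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '" />'
   . '<input type="submit" />'
   . '</form>';
```

A token only shows that the request follows a form load in the same session; resubmitting the same POST fails because the token is removed on first use.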
 
erm.. am I missing something? Place the "dangerous" file in a directory above the document root, then only include() it where you want it?!
 
erm.. am I missing something? Place the "dangerous" file in a directory above the document root, then only include() it where you want it?!

I'm assuming the script is public but should only be accessible if directed to it from another page on the site. Whether it's included from another file doesn't make a whole lot of a difference if it needs to be publicly accessible :)
 
It does make a difference. It makes it a hell of a lot easier. :)
PHP:
<?php

if (isset($_POST['password']) && $_POST['password'] === 'supersecretpassword') {
  include('/path/outside/of/document/root/hazardousfile.php');
} else {
  echo '<form action="" method="post">' .
       '<input type="password" name="password" />' .
       '<br />' .
       '<input type="submit" />' .
       '</form>';
}

?>
 
Would be daft to do so, considering it will be reused on many pages :)

I think what the OP meant was that there would be loads of pages that would send the browser to this script, not loads of pages that would use it directly, hence the necessity of tokens/nonces.
 