H2ONaCl

Reputation: 11269

defending against .html and .php file name guessing

If certain .html files can only be accessed by a password match (implemented in PHP) to a hash code in a database, the user can still guess likely .html file names and see that supposedly privileged page. Viewing the source of the privileged page, the user can then see the name of a .php that is invoked in that .html which might lead to the guessing of the likely POST arguments.

What is the best practice to reduce the temptation to do this type of guessing of names, both of the .html and the .php file types?

The .htaccess file already has "options -indexes" to prevent listing directories.

Edit: ummm, instead of upvoting that it's a bad implementation, why not upvote one of the suggested answers or write a new one? It's obvious that it's a bad implementation; that's why this question was posted.

Upvotes: 2

Views: 116

Answers (4)

H2ONaCl

Reputation: 11269

Reading the comments and suggested answers has me thinking that a good solution is to have every file that needs security query the database to determine if the "authenticated" state still applies at this point in time.

Implement the "per request check" as described here wherever there is a vulnerability.

If STT LCU will convert his comment into a posted answer, I will delete this answer.

Upvotes: 0

Maciej Paprocki

Reputation: 1379

To do that you need to use some kind of router.

I highly recommend the Slim framework, but you can easily develop your own.

First restrict all the .html and .php files in .htaccess except for the main index.php (or whatever you want to call it).

Then in index.php you check if the user is allowed to see the file. If yes, you include the file in the output; if not, show a 404.

In Slim you can easily use ready-made middlewares for authentication.

http://docs.slimframework.com/ to learn more about routing.

http://docs.slimframework.com/#Middleware-Overview to learn about middleware.

https://github.com/tuupola/slim-basic-auth/ for simple authentication and examples.

Upvotes: 0
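A front controller in the shape this answer describes, as an added example that is not part of the original answer or of Slim: every request is routed through index.php, which re-checks the session against the database on each request (the per-request check proposed in the other answer) and returns an identical 404 for unknown and unauthorized pages. The .htaccess rules, the route table, the `sessions` table layout and the DB_* environment variables are assumptions of this example.

```php
<?php
// index.php: single entry point in the style of the answer above. Only this
// file is reachable from the web; the protected pages live in ../private/
// (outside the document root), so a guessed name cannot be fetched directly.
// Assumed .htaccess in the document root (not part of the original post):
//   RewriteEngine On
//   RewriteCond $1 !^index\.php$
//   RewriteRule ^(.*)$ index.php [L]

session_start();
// Route table: only files listed here are ever served, so a guessed or
// traversal-style path such as ../config.php can never reach require().
const ROUTES = [
    'home'    => ['file' => 'home.html',    'auth' => false],
    'reports' => ['file' => 'reports.html', 'auth' => true],
    'submit'  => ['file' => 'submit.php',   'auth' => true],
];

// Per-request check: instead of trusting a flag set at login time, ask the
// database whether this session token is still valid right now.
// The `sessions` table (token, expires_at, revoked) is assumed for this example.
function isAuthenticated(PDO $pdo): bool
{
    if (empty($_SESSION['token'])) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT 1 FROM sessions WHERE token = ? AND revoked = 0 AND expires_at > NOW()'
    );
    $stmt->execute([$_SESSION['token']]);
    return (bool) $stmt->fetchColumn();
}

function notFound(): void
{
    http_response_code(404);
    echo 'Not Found';
    exit;
}
// Connection details are assumed to come from the environment.
$pdo   = new PDO(getenv('DB_DSN'), getenv('DB_USER'), getenv('DB_PASS'));
$path  = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$route = trim($path, '/') ?: 'home';
// Unknown and unauthorized routes get the same 404, so a guesser cannot tell
// whether a protected page exists at all.
if (!isset(ROUTES[$route]) || (ROUTES[$route]['auth'] && !isAuthenticated($pdo))) {
    notFound();
}
require __DIR__ . '/../private/' . ROUTES[$route]['file'];
```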

Forien

Reputation: 2763

The only way to defend yourself from filename guessing while still being able to provide those pages to some users is to leverage user accounts, logins and authentication.

Other than that, you can set .htaccess to deny from all IPs, with some exceptions.

Upvotes: 0

Jon Story

Reputation: 3031

  1. If you only ever include these pages inside other pages, deny access to them in .htaccess

  2. If you want them to be accessible, but only to authorized users, password protect them or provide other authentication

Preventing people guessing the name of a page is "security through obscurity", which should never be relied upon. Set your system up with the assumption that everything is visible, and work your security out from that.

Upvotes: 2
