CP3O

Reputation: 429

How can I prevent scripts from being executed directly from the URL?

We've recently discovered that certain scripts (if you know the path) can be executed directly from outside the website. (Ideally the only way to execute a script should be by ssh-ing into the server or by setting a cron (or application features).)

exmple.com/scripts_directory/script_sub_dir_1/script_1_name.php

Similarly we've discovered that a lot of images and videos can be accessed directly from outside the website, directly from the media file's path.

exmple.com/media_directory/media_sub_directory/media_file.mp4

Ideally the users of the website are supposed to be logging in to view any of the content since it is copyrighted, and to be paid for.

What can we do to:

  1. protect our site from scripts being executed from the url
  2. protect media files from being accessed (if the user is not logged in/outside the application).

These are some of the links I'm looking at: https://webmasters.stackexchange.com/questions/84615/protecting-video-being-from-downloaded and "Prevent direct access to a php include file".

We have an nginx server using php 5.6.

Update:

The following locations are not accessible.

exmple.com/scripts_directory/script_sub_dir_1/

exmple.com/media_directory/media_sub_directory/

exmple.com/scripts_directory/

exmple.com/media_directory/

Upvotes: 1

Views: 1906

Answers (1)

Valdeir Psr

Reputation: 702

Prevent unauthorized people from downloading files.

To block access to the files, you can make the following configuration in Nginx:

In my case the file is: /etc/nginx/sites-available/default

location ~ \.mp4$ {
        rewrite (.*) /download.php?$args last;
}

This code will cause all accesses to the videos to be redirected to the file download.php.

In this file we can check whether or not the user is logged in.

download.php

<?php

/* Current Folder */
define("PATH", __DIR__);

/* Removes arguments from URL. (You can also do this check in nginx.) */
$request_uri = preg_replace("/\?.*/", "", $_SERVER['REQUEST_URI']);

/* File path (REQUEST_URI is still percent-encoded, so decode it first) */
$file = sprintf("%s%s",
        PATH,
        rawurldecode($request_uri));

/* Resolve symlinks and "../" and make sure the result stays under PATH */
$real = realpath($file);
$inside = ($real !== false && strpos($real, PATH . DIRECTORY_SEPARATOR) === 0);

/**
 * Checks whether the file exists (You can also do this check in nginx.)
 * Add your rule to see if the user has permission.
 * Auth::isLogged() stands for your own login check; it is not a built-in.
 */
if( $inside && is_file($real) && Auth::isLogged()) {

        /* The Content-Type you can add "application/octet-stream" */
        header('Content-Type: video/mp4');
        header("Content-Transfer-Encoding: Binary");
        header("Content-disposition: attachment; filename=\"" . basename($real) . "\"");
        readfile($real);
        exit;
}
elseif (!$inside || !is_file($real)) {
        header("HTTP/1.1 404 Not Found");
} else {
        header("HTTP/1.1 401 Unauthorized");
}

Preventing people from accessing PHP files.

To block access to a given script, there are two ways.

  1. Add a constant in index.php and check the other files if it has already been created. If it was not created by index.php, it displays an error message.

index.php

<?php

define("APP_VERSION", "1.0.0");

my_script.php

<?php

if (!defined("APP_VERSION")) {
    die("Error");
}

  2. The other way is by setting a deny all as mentioned in the comments.

In my case the file is: /etc/nginx/sites-available/default

# The deny rule must come before the generic \.php$ block: nginx picks the
# first regular-expression location that matches, in file order.
# Change path
location ~ /scripts_directory/script_sub_dir_1/.*\.php$ {
    deny  all;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;   # adjust to your PHP-FPM socket
}

You can also allow only a few IPs to have access. To do this simply add: allow YOUR-IP; (before the deny all line, since nginx evaluates allow/deny in order).

Upvotes: 3
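As an added example (not part of the answer above), the following download gate combines the answer's two ideas for media files: it runs every media URL through PHP for the login check, but instead of streaming the file with readfile() it hands the file back to nginx with an X-Accel-Redirect header pointing at an internal location. nginx then serves the bytes itself, including Range requests that video players need for seeking, while the internal location cannot be requested directly by a browser. The directory names, the session field and the nginx snippet in the comment are assumptions for illustration.

```php
<?php
// Added example, not the original answer's code. Assumed nginx configuration
// (hypothetical paths), to be placed in the server block:
//
//   location /media_directory/ {
//       rewrite ^ /download.php last;        # every media URL goes through PHP
//   }
//   location /protected_media/ {             # reachable only via X-Accel-Redirect
//       internal;
//       alias /var/www/example/media_directory/;
//   }

define("MEDIA_ROOT", "/var/www/example/media_directory"); // assumed on-disk location
define("PUBLIC_PREFIX", "/media_directory/");             // URL prefix seen by clients
define("INTERNAL_PREFIX", "/protected_media");            // matches the internal location

/**
 * Returns the path relative to MEDIA_ROOT when $request_uri resolves to a regular
 * file inside MEDIA_ROOT, or null otherwise. realpath() collapses "../" and
 * symlinks, so the containment test covers encoded traversal attempts too.
 */
function resolve_media_path($request_uri)
{
    $path = parse_url($request_uri, PHP_URL_PATH);        // drop the query string
    if ($path === false || $path === null) {
        return null;
    }
    $path = rawurldecode($path);                          // "%2e%2e" becomes ".."
    if (strpos($path, "\0") !== false) {
        return null;
    }
    if (strpos($path, PUBLIC_PREFIX) !== 0) {
        return null;
    }
    $relative = substr($path, strlen(PUBLIC_PREFIX));

    $root = realpath(MEDIA_ROOT);
    $real = realpath(MEDIA_ROOT . "/" . $relative);
    if ($root === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved file must sit below the resolved root.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return substr($real, strlen($root) + 1);
}

function user_is_logged_in()
{
    // Placeholder: replace with the application's real session/authentication check.
    return isset($_SESSION['user_id']);
}

session_start();

// Authentication is checked first so unauthenticated clients learn nothing
// about which files exist.
if (!user_is_logged_in()) {
    header("HTTP/1.1 403 Forbidden");
    exit;
}

$relative = resolve_media_path($_SERVER['REQUEST_URI']);
if ($relative === null) {
    header("HTTP/1.1 404 Not Found");
    exit;
}

$types = array("mp4" => "video/mp4", "jpg" => "image/jpeg", "png" => "image/png");
$ext = strtolower(pathinfo($relative, PATHINFO_EXTENSION));
header("Content-Type: " . (isset($types[$ext]) ? $types[$ext] : "application/octet-stream"));

// Re-encode each path segment, keeping the "/" separators, and let nginx serve it.
$encoded = implode("/", array_map("rawurlencode", explode("/", $relative)));
header("X-Accel-Redirect: " . INTERNAL_PREFIX . "/" . $encoded);
exit;
```

With this layout PHP only decides yes or no; the file bytes never pass through the PHP process, so large videos do not tie up a PHP-FPM worker, and the `internal` directive guarantees that a client who guesses the `/protected_media/` path still receives a 404 from nginx.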
