PHP MANUAL 5.x, 4.x, 3.x - partially translated into Polish / source: www.php.net
Chapter 32. Hiding PHP
In general, security by obscurity is one of the weakest forms of security.
But in some cases, every little bit of extra security is desirable.
A few simple techniques can help to hide PHP, possibly slowing
down an attacker who is attempting to discover weaknesses in your
system. By setting expose_php = off in your php.ini file, you
reduce the amount of information available to an attacker (the
X-Powered-By header no longer reveals PHP and its version).
Another tactic is to configure web servers such as Apache to
parse different file types through PHP, either with an .htaccess
directive, or in the Apache configuration file itself. You can
then use misleading file extensions:
Example 32-1. Hiding PHP as another language
# Make PHP code look like other code types
AddType application/x-httpd-php .asp .py .pl
Or obscure it completely:
Example 32-2. Using unknown types for PHP extensions
# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t
Or hide it as HTML code, which has a slight performance hit because
all HTML will be parsed through the PHP engine:
Example 32-3. Using HTML types for PHP extensions
# Make all PHP code look like HTML
AddType application/x-httpd-php .htm .html
For this to work effectively, you must rename your PHP files with
the above extensions. While it is a form of security through
obscurity, it's a minor preventative measure with few drawbacks.
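The following audit script is an added example, not part of the PHP manual: it reads a php.ini excerpt and an httpd.conf excerpt (both constructed samples, not taken from any real server) and reports whether expose_php is still on and which extensions AddType/AddHandler route to the PHP engine. It also flags the caveat that Example 32-3 leaves implicit: once .htm/.html are mapped to PHP, any file with those extensions that reaches the document root (for instance a user upload) is executed, not served.

```python
import re
from typing import Dict, List

# Constructed sample inputs for the demonstration (not from a real server).
SAMPLE_PHP_INI = """
; php.ini excerpt (constructed)
engine = On
expose_php = On   ; default: advertises PHP in X-Powered-By
display_errors = Off
"""

SAMPLE_HTTPD_CONF = """
# httpd.conf excerpt (constructed), mixing Examples 32-1 to 32-3
AddType application/x-httpd-php .asp .py .pl
AddType application/x-httpd-php .htm .html
AddHandler application/x-httpd-php .bop
AddType text/plain .txt
"""

PHP_HANDLER = "application/x-httpd-php"
# Extensions commonly accepted as "harmless" uploads; if mapped to PHP they execute.
UPLOAD_LIKE = {".htm", ".html", ".txt", ".jpg", ".gif", ".png"}


def expose_php_enabled(ini_text: str) -> bool:
    """True if php.ini leaves expose_php on. PHP's built-in default is On,
    so an absent directive counts as enabled; the last occurrence wins."""
    enabled = True
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"expose_php\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip("\"'").lower()
            enabled = value in ("1", "on", "true", "yes")
    return enabled


def php_extensions(conf_text: str) -> List[str]:
    """Every extension that AddType or AddHandler hands to the PHP engine."""
    exts: List[str] = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop Apache comments
        if len(parts) >= 3 and parts[0] in ("AddType", "AddHandler") \
                and parts[1] == PHP_HANDLER:
            exts.extend(e.lower() for e in parts[2:])
    return exts


def audit(ini_text: str, conf_text: str) -> Dict[str, object]:
    """Summarise what the server still reveals and which extensions would execute."""
    exts = php_extensions(conf_text)
    return {
        "expose_php": expose_php_enabled(ini_text),
        "php_extensions": exts,
        "executable_uploads": sorted(e for e in exts if e in UPLOAD_LIKE),
    }
```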
User Contributed Notes
eric at ericwing dot net
20-Jan-2006 06:20
Something that has not been mentioned here is also the PHPSESSION id that will be displayed in the URL when passing it from page to page using GET. If users have cookies set to off, this will be visible. This can be reset before any session_start() call with ini_set(). Be aware however that this can't be changed in this way if you use auto session start.
dyer85 at gmail dot com
31-Dec-2005 09:55
Although it's probably obvious to most people, Yavuz Darendelioglu's post below utilizes a method that will only work on a *nix OS, not Windows, and probably not Mac.
Also, his regex uses some superfluous matching, instead, write the redirect like so: (you don't really need to use absolute path when redirecting to a resource on the same server, either):
RedirectMatch (?:awstats|xmlrpc) /deny.php
28-Dec-2005 04:29
Even if you hide your PHP, requests for buggy scripts still come.
No matter whether you have the script on your server or not.
You can take an additional step for those requests. Since the host is now trying that buggy script, in the future when a new bug arises it will be tried by that host again with a high probability. So banning that host completely at its first attempt may be a good idea. For this,
1- Add Permanent links for those requests in your httpd.conf:
RedirectMatch permanent (.*)awstats(.*)$ http://your_server/your_script.html
RedirectMatch permanent (.*)xmlrpc(.*)$ http://your_server/your_script.html
and add whatever you want to ban.
2- Write the following code in your_script.html
<?php
// This .html file only runs as PHP if .html is mapped to the PHP handler (see Example 32-3).
$host = escapeshellarg($_SERVER['REMOTE_ADDR']);
// Drop all further TCP traffic from the requesting address on ports 80, 25 and 22
$dropit = "iptables -A INPUT -i eth0 -p tcp -s $host -m multiport --destination-ports 80,25,22 -j DROP";
shell_exec($dropit);
exit;
?>
Yavuz Darendelioglu
user at pampelhuber dot invalid
18-Dec-2005 01:32
It is unnecessary to let every Pampelhuber inspect your 'php.ini' files.
Put the following into the .htaccess of your htdocuments' root:
#Obscure 'php.ini' files (where they exist)
RedirectMatch 404 .*php\.ini$
jtw90210
30-Jun-2005 10:19
In order to get the PATH_INFO to work in order to pass parameters using a hidden program/trailing slash/"pretty url" in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf.
AddType application/x-httpd-php .php .html
AcceptPathInfo On
Try it out with your phpinfo page and you'll be able to search for PATH_INFO.
http://yourserver.com/myphpinfo.php/showmetheway
If you want to drop the .php use one or both of these:
DefaultType application/x-httpd-php
ForceType application/x-httpd-php
25-May-2005 10:06
You could also do this in .htaccess when you use Apache and your configuration allows you to override:
<Files test>
ForceType application/x-httpd-php
</Files>
That way, you can use the URL test?pop=true without having to fake it by using test/index.php.
See the Apache manual for more info: http://httpd.apache.org/docs/mod/mod_mime#forcetype
benjamin at sonntag dot fr
24-May-2005 06:14
In response to the previous messages, for Apache there is an easier way to set files without "." to be executed by PHP; just put this in a ".htaccess" file:
DefaultType application/x-httpd-php
dimitar at bastun dot net
17-Jan-2005 06:13
In case there is an Internal Server Error (error 500) when using the old code below in an .htaccess file, you can replace it with the code modification that must solve the problem.
Old code
-----------
<Files ~ "^[^\.]+$">
ForceType application/x-httpd-php
</Files>
Replacement of the code above(code modification)
------------------------------------------------------------
AddHandler server-parsed .php
<Files ~ "^[^\.]+$">
SetHandler application/x-httpd-php
</Files>
Regards,
Dimitar Tanev
Nikolai-Zujev-(at)-Gmail-dot-Com
22-Sep-2004 09:22
Assign files w/o extension to php interpreter
without using ReWrite module
[clip httpd.conf]
<Files ~ "^[^\.]+$">
ForceType application/x-httpd-php
</Files>
[/clip]
php at vfmedia dot de
15-Jun-2004 03:21