
Is Apache enough to prevent unauthorized access?

I've just been assigned to finish the development of an application which has user-restricted access. The original developer was a co-op student, as am I.

After looking over his code it seems that the user only ever accesses index.php, and the other PHP pages are called with an include statement after authenticating the user and then determining the request.

I.e.

include __DIR__ . DIRECTORY_SEPARATOR . 'pages' . DIRECTORY_SEPARATOR . $page . 'Logic.php';

However, I noticed a comment in the include files of his web application:

// Since this page can be accessed if the user knows its
// URL, we must check if user has been authenticated and
// authorized through index.php
// todo

He realizes that there is a vulnerability such that a user who can guess the names of certain files can gain unauthorized access, and he suggests performing an additional authorization check at the beginning of each include file.

I've learned a little bit about Apache and I know it can restrict user access to certain files and/or directories. However, if I did this, I'm not sure whether it is enough and whether I should also code in some auth checks in addition to the one in index.php.

If it's configured well, Apache itself with a little tweak can handle some basic attacks.

You can learn about preventing direct access to a file using .htaccess, because some attackers will place a backdoor to gain access and they have to access the backdoor directly. This tutorial can be a good start to learn about it.

You can also set up basic privileges using Apache, so it's only accessible to authorized people.

If you love tinkering more, you can start to learn about using mod_security to prevent some advanced attacks; just make sure that you won't get into trouble because of your own configuration, since some configurations will trigger false positives. You can apply some free rules from OWASP so you can learn about how it works. Or, if you need more advanced rules, you can buy the official rules from Trustwave (yes, it's expensive), or buy cheaper rules from Atomicorp (cheaper, more complete rules, but sometimes giving a lot of false positives).

If the PHP engine is disabled and direct access to any URL below the pages directory is denied, either in the main config or in a .htaccess file, then this is sufficient to prevent people accessing the pages without going through the index.php page. However, from your description this is not the case. Further, even with these constraints, it is not a very secure architecture, but how much security you need depends on what you are trying to protect, and you didn't tell us anything about that.
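To make the constraint in this answer concrete, here is an added example (it is not code from the question or from any of the answers) of the front-controller layout the question describes: authentication stays in index.php, the requested page is resolved against a fixed allow-list rather than used as a path fragment, and each file under pages/ refuses to run unless it was reached through index.php. The file names under pages/, the `page` query parameter, the `$_SESSION['user_id']` flag and the `APP_ENTRY` constant are all assumptions made for illustration.

```php
<?php
// Added example, not the original poster's code. Two files are shown in one
// listing; split them at the "pages/reportLogic.php" marker below.
//
// ---- index.php: the only file meant to be requested directly ----

// Marks that execution started here. An include file can test for this
// constant; a direct request to pages/reportLogic.php never defines it.
define('APP_ENTRY', true);

session_start();

// Authenticate once, before any page logic is loaded. The 'user_id'
// session key is an assumption about how the login code records a user.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// Resolve the request against a fixed allow-list. The original
//   include ... $page . 'Logic.php';
// turns $page into a path fragment, so the allow-list is what keeps a
// request such as page=../../config from being included.
$pages = [
    'home'   => 'homeLogic.php',
    'report' => 'reportLogic.php',
];
$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($pages[$page])) {
    http_response_code(404);
    exit('Unknown page');
}

// Per-page authorization can also live here, keyed on the same allow-list,
// so the files under pages/ contain only page logic.
require __DIR__ . DIRECTORY_SEPARATOR . 'pages' . DIRECTORY_SEPARATOR . $pages[$page];

// ---- pages/reportLogic.php: reached only via the require above ----
// (a separate file; it starts with its own PHP opening tag)

// Refuse to run unless index.php defined APP_ENTRY. This is a one-line
// guard, not a second authentication layer: the session check stays in
// index.php, and a direct URL hit fails here before any logic executes.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

echo 'Report for user ' . htmlspecialchars((string) $_SESSION['user_id'], ENT_QUOTES, 'UTF-8');
```

The guard only covers requests that PHP actually serves. To close the direct-URL path at the web server as well, deny HTTP access to the pages directory in the Apache configuration (on Apache 2.4, `Require all denied` inside a `<Directory>` block for pages/, or the same directive in pages/.htaccess where AllowOverride permits it); `require` reads the file from the filesystem, not over HTTP, so index.php keeps working. Moving pages/ outside the document root achieves the same result with no Apache configuration at all.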

Adding authentication to every script is a very bad way to solve the problem.

It is unfortunate to say, but Apache, like many, is not completely safe. The idea is to make it difficult for exploiters; create good structure and organization in your code.

Note: the technical posts on this site follow the CC BY-SA 4.0 licence; if you repost, please cite this site or the original URL. For any questions, contact yoyou2525@163.com.
