防止直接访问php include
[英]prevent direct access to a php include
问题描述
I have a php script PayPal eStores/dl_paycart but it has PayPal eStores "settings.php" Security Bypass Vulnerability 
我有一个PHP脚本PayPal eStores / dl_paycart,但它具有PayPal eStores“ settings.php”安全绕过漏洞
I would like to know if I can prevent direct access to a php include file. 我想知道是否可以阻止直接访问php include文件。
Would this help? 这会有所帮助吗?
defined( '_paycart' ) or die( 'Access to this directory is not permitted' );
Thank you 谢谢
4 个解决方案
解决方案1
1 2009-08-10 23:51:37
I would STRONGLY recommend finding some new script. 我强烈建议您找到一些新脚本。 Any sort of blocking is just sticking a finger in the dam; 任何形式的阻挡都只是在大坝上伸了一根手指。 it isn't a permanent solution and eventually it's going to break. 这不是一个永久性的解决方案,最终将被打破。
If you really want to use it, check out htaccess files, particularly "Order Allow,Deny" and "Deny from All" 如果您真的想使用它,请签出htaccess文件,尤其是“ Order Allow,Deny”和“ Deny from All”
解决方案2
1 2009-08-11 00:08:26
The fact that the script has a .php extension offers some protection - any http or https call for that file will go through the web server which is going to execute the php before serving the request.
该脚本具有.php扩展名的事实提供了一些保护-该文件的任何http或https调用都将通过Web服务器,该Web服务器将在提供请求之前执行php。 I would recommend moving the script to a directory under your public web directory and putting .htaccess file in that directory that either blocks all requests, or requires a password to access it.
我建议将脚本移动到公共Web目录下的目录,并将.htaccess文件放在该目录中,该文件会阻止所有请求,或者需要密码才能访问它。 Then include the script when needed by scripts in your public directory. 然后在公共目录中的脚本需要时包括该脚本。 See Apache's .htaccess Tutorial 请参阅Apache的.htaccess教程
解决方案3
1 2009-08-11 03:57:39
The problem is that if someone is able to use "include" and read the code contents, variables, and the like, that means that they are already operating on the same server and, to be a bit crude, you're boned if they try to screw with you. 问题是,如果某人能够使用“ include”并读取代码内容,变量等,这意味着它们已经在同一服务器上运行,并且有点粗略,如果他们使用它们,就会不知所措试着跟你搞砸。
On the other hand, if you're looking to prevent outside access to the file from a remote server, then the include call can only retrieve the values which would be displayed to any external site (and if the question is, "Can I prevent external sites from even loading this file remotely", the answer is "through server configurations in http.conf and .htaccess files" ). 另一方面,如果您希望阻止外部人从远程服务器访问文件,那么include调用只能检索将显示在任何外部站点上的值(如果问题是“我可以阻止吗?外部站点甚至从远程加载此文件”,答案是“通过http.conf和.htaccess文件中的服务器配置”)。
The long and the short, however, is that this is not something which can really be fixed with PHP, this is a server security issue. 总而言之,这不是PHP真正可以解决的问题,这是服务器安全性问题。
解决方案4
0 2009-08-11 02:44:45
Probably the most secure way is something like this 也许最安全的方法是这样的
$allowed_files = array("/paths/", "/that/", "/are/", "/allowed/");
if(!in_array($_SERVER['PHP_SELF'], $allowed_files))
{
die("Not Allowed");
}
Fill the array with Files that you would like to have access. 用您想要访问的文件填充阵列。 (You might have to access PHP self in each page you want and copy and paste it in). (您可能需要在每个想要的页面中访问PHP self,然后将其复制并粘贴到其中)。 This will check to make sure that the file being executed is one of the allowed pages. 这将检查以确保正在执行的文件是允许的页面之一。 If it isn't the script will die. 如果不是,脚本将死亡。
I believe $_SERVER might be able to be changed, but probably won't be. 我相信$ _SERVER可能可以更改,但可能不会更改。 This file will still be able to be gotten using fopen or file_get_contents, and if someone reads it, they will know what to change. 仍然可以使用fopen或file_get_contents来获取此文件,并且如果有人读取它,他们将知道要进行哪些更改。
But I would forewarn, it is not 'completely secure', because there isn't really a way to make something 'completely' secure. 但是我会事先警告,它不是“完全安全”的,因为实际上没有一种方法可以使“完全”安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.