Is Apache enough to prevent unauthorized access?

Question

I've just been assigned to finish the development of an application which has user restricted access. The original developer was a co-op student, as am I.

After looking over his code it seems that the user only ever accesses index.php and the other php pages are called with an Include statement after authenticating the user and then determining the request.

Ie

include __DIR__ . DIRECTORY_SEPARATOR . 'pages' . DIRECTORY_SEPARATOR . $page . 'Logic.php';

However, I noticed a comment in the include files of his web application,

// Since this page can be accessed if the user knows its
// URL, we must check if user has been authenticated and
// authorized through index.php
// todo

He realizes that there is a vulnerability such that a user which may guess the names of certain files can gain unauth access and he suggests performing an additional authorization check at the beginning of each include file.

I've learned a little bit about Apache and I know it can restrict user access to certain files and/or directories. However, if I did this, I'm not sure if it is enough and if I should also code in some auth checks additional to the one in index.php.

Answer 1

If it's configured well, Apache itself with a little tweak can handle some basic attacks.

You can learn about preventing direct access to a file using .htaccess, because some attackers will place a backdoor to gain access and they have to access the backdoor directly. This tutorial can be a good start to learn about it.

You also can set up a basic privileges using apache , so it's only accessible to authorized people.

If you love to tinkering more, you can start to learn about using mod_security to prevents some advanced attacks, just make sure that you won't get in to a trouble because of your own configurations since some configurations will trigger false positives. You can apply some free rules from OWASP so you can learn about how it works. Or if you need more advanced rules, you can buy the official rules from trustwave (yes, it's expensive), or buy cheaper rules from atomicorp (cheaper, more complete rules, but sometimes giving a lot of false positives).

Answer 2

If the php engine is disabled and direct access to any URL below the pages directory, either in the main config or in a .htaccess file then this is sufficient to prevent people accessing the pages without going through the index.php page. However from your description this is not the case. Further, even with these constraints, it is not a very secure architecture, but how much security you need depends on what you are trying to protect - and you didn't tell us anything about that.

Adding authentication to every script is a very bad way to solve the problem.

Answer 3

It is unfortunate to say, but apache is not, like many, completely safe. The idea is to make it difficult for exploiters, create good structure and organization in your code.