Forum Moderators: coopster


Simple PHP password protect.

Is there a vulnerability?

         

j4mes

5:51 pm on May 26, 2004 (gmt 0)

10+ Year Member



Hey,

I threw together a quick-n-dirty PHP password protect for someone who asked me for one, but I then became aware that there may be a vulnerability associated with working like this that might give someone unauthorised access?

Security isn't really that much of an issue, but it'd be nice to know for the future so I can make a workaround.


<html>
<head></head>

<body>

<?php

// if bit

$username = "username";
$password = "password";

if ($_POST['txtUsername']!= $username || $_POST['txtPassword']!= $password) {

?>

<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">

Username: <input type="text" name="txtUsername" />
Password: <input type="password" name="txtPassword" />
<input type="submit" value="Submit" />

</form>

<?php

// else bit

}

else {

?>

<p> passworded bit </p>

<?php

}

?>

</body>
</html>

If anyone knows what the vulnerability/exploit is I'd really appreciate it.

Thanks

-- James.

dcrombie

6:44 pm on May 26, 2004 (gmt 0)



I don't have a problem with it ;)

If someone gets their hands on the raw PHP though, then they get your password. To fix that you could generate a crypt [php.net] for the password string and compare it with the crypt of what is entered.

Or, if you have access to .htaccess you can use that to create a password-protected directory. Anything in the directory is then protected.

If you don't have a secure key (https) then the password is transmitted as plain text in both cases and can (in theory) be intercepted on any server between the browser and the host. Probably not a big issue here.

j4mes

6:56 pm on May 26, 2004 (gmt 0)

10+ Year Member



Would it be possible for your average user to access raw PHP? I'd have thought the server would parse it regardless of the request, unless there's some way round it?

dcrombie

7:02 pm on May 26, 2004 (gmt 0)



Not generally unless you've done something crazy like enable .phps for your whole site.

Anyway, given that the password and the information you want to protect are in the same file the point is moot ;)

QuazBotch

1:55 am on May 27, 2004 (gmt 0)

10+ Year Member



Maybe you could store the user name and password in another file, and use htaccess to block that to be extra uber secure.

Maybe CHMOD could be used to block access too?

jatar_k

2:59 am on May 27, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I store all files with passwords above the document root or in a db

both of these situations make it difficult to call through a browser but easy to include or query

j4mes

9:26 am on May 27, 2004 (gmt 0)

10+ Year Member



But is all that worth the effort if the simple PHP password is as secure as dcrombie says it is?

coopster

2:06 pm on May 27, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Every little bit of security is well worth the effort if you ask me.

j4mes

3:54 pm on May 27, 2004 (gmt 0)

10+ Year Member



I agree, but how can this piece of code be got round, short of someone packet sniffing me when I log on?

jatar_k

4:29 pm on May 27, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Let me put it this way

the moment you think you have taken enough precautions and that your site is secure, give up because you just lost.

there is always a way around everything

the #1 rule to security is nothing is ever 100% secure. The process of increasing and streamlining your security is a constant process.

How can someone get around it?
I don't know, want me to try? ;)

there is always someone smarter than you out there and they may just want what you have so I always think of security and make adjustments to my scripts/systems.

So you move the passwords above the root of the site and put an include in the file.

why not? security is better and it will take a few seconds to change.
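
An added example, not code from the thread: the login check from the original post reworked along the lines dcrombie and jatar_k suggest, with the credentials in an included file outside the document root that holds only a hash. It uses password_hash()/password_verify() rather than calling crypt() directly; the paths, the sample password and check_login() are assumptions.

```php
<?php
// Added example, not the poster's code. Paths, names and the sample
// password are hypothetical; the temp directory stands in for a
// directory above the document root so the script runs from the CLI.

$privateDir = sys_get_temp_dir() . '/private_example';
if (!is_dir($privateDir)) {
    mkdir($privateDir, 0700);
}
$credFile = $privateDir . '/auth.php';

// One-time setup: store the username and a password hash, never the password.
$cred = [
    'user' => 'username',
    'hash' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
];
file_put_contents($credFile, '<?php return ' . var_export($cred, true) . ';');
chmod($credFile, 0600);

// Login check for the protected page; $post stands in for $_POST.
function check_login(array $post, string $credFile): bool
{
    $cred = require $credFile;             // included by PHP, not reachable by URL
    $user = $post['txtUsername'] ?? '';
    $pass = $post['txtPassword'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return false;                      // an array here would make password_verify() throw
    }
    // Run both comparisons before combining the results.
    $userOk = hash_equals($cred['user'], $user);
    $passOk = password_verify($pass, $cred['hash']);
    return $userOk && $passOk;
}

// Constructed requests.
$tests = [
    'first page load (empty POST)' => [],
    'wrong password'  => ['txtUsername' => 'username', 'txtPassword' => 'password'],
    'array parameter' => ['txtUsername' => 'username', 'txtPassword' => ['x']],
    'correct login'   => ['txtUsername' => 'username', 'txtPassword' => 'constructed-sample-password'],
];
foreach ($tests as $label => $post) {
    printf("%-30s %s\n", $label, check_login($post, $credFile) ? 'show page' : 'show form');
}
```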

Garfield

5:32 pm on May 29, 2004 (gmt 0)

10+ Year Member



Another problem is that if you use a non-encrypted connection, somebody could sniff the headers and receive all data you send to the server. But that is only possible if the attacker somehow gains access to the network (either yours, your provider's or the web server's).

corz

10:55 am on May 30, 2004 (gmt 0)

10+ Year Member



sending an MD5 is precisely as insecure as sending a plaintext password. if anyone in the relay chain sniffs it, you are compromised. for most sites, it wouldn't be likely, or disastrous.

the best authentication systems involve the server sending a unique random hash to each browser loading the login page, which is then combined client-side (with JavaScript, for instance) and an MD5 (preferably SHA1) hash of the combined string (random session-unique hash, and password) is returned to the server by your login form.

even an unscrupulous ISP, or proxy server with access to your full HTTP headers couldn't utilise the data, each session is unique, requires a unique login. I've been messing about with this recently for my site's admin page.

password files always as includes, yes, even inside a web directory is okay (some folk have no choice), so long as your file permissions are tight. Using .ht_something for the password filename gives you an extra layer of protection. or you can add some .htaccess to ignore requests for whatever filename you choose.

anyway, I'm supposed to be winding down..

zzz..

;o)
(or
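
An added example, not code from the thread: the challenge-response login corz describes, with the server side in PHP and the browser's step simulated by a PHP function so the script runs from the command line. It uses SHA-256 in place of MD5/SHA1; the function names, the `$store` array standing in for `$_SESSION` and the 120-second lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. Names are hypothetical.
// $store stands in for $_SESSION so the script runs from the CLI.

const NONCE_TTL = 120; // seconds a challenge stays valid (assumed value)

// Server, when rendering the login form: issue a fresh random challenge.
function issue_challenge(array &$store): string
{
    $store['nonce'] = bin2hex(random_bytes(16));
    $store['nonce_time'] = time();
    return $store['nonce'];            // embedded in the form for the client script
}

// Client (JavaScript in the browser in a real page): hash challenge + password.
function client_response(string $nonce, string $password): string
{
    return hash('sha256', $nonce . $password);
}

// Server, on submission: recompute, compare, and burn the challenge.
// The server must hold the same secret the client hashes in order to
// recompute the response.
function verify_response(array &$store, string $response, string $password): bool
{
    $nonce  = $store['nonce'] ?? null;
    $issued = $store['nonce_time'] ?? 0;
    unset($store['nonce'], $store['nonce_time']);   // single use, pass or fail
    if ($nonce === null || time() - $issued > NONCE_TTL) {
        return false;
    }
    return hash_equals(hash('sha256', $nonce . $password), $response);
}

$password = 'constructed-sample-password';          // constructed sample value
$session  = [];
$show     = fn(bool $ok): string => $ok ? 'accepted' : 'rejected';

$nonce    = issue_challenge($session);
$captured = client_response($nonce, $password);     // the value that crosses the network
printf("first submission:            %s\n", $show(verify_response($session, $captured, $password)));
printf("same response replayed:      %s\n", $show(verify_response($session, $captured, $password)));

issue_challenge($session);                          // new page load, new challenge
printf("old response, new challenge: %s\n", $show(verify_response($session, $captured, $password)));
```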