Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

Trick to secure web page

  1. Home
  2. Articles
  3. Security
  4. Trick to secure web page

Trick to secure web page

By ghostghost | 5013 Reads |
0     0

In this article i'm going to show you basic thing you can do to keep you're site more secure.

  1. Hide PHP File

You may have seen this type of protecting system on some site but you ask youreself how can they block me from executing a script by querying is real name but it can be execute if it's include by an other file …

$cCurl = rawurlencode($_SERVER[\"PHP_SELF\"]);
$cCurl = str_replace(\"%2F\",\"/\",$cCurl);

if ($_SERVER[\"REQUEST_URI\"] == $cCurl)
{
	header(\"HTTP/1.x 404 Not Found\");
	// or include(\"404.php\");
	exit;
}

In the two first line we are looking for what would be the request url if the personn query it. Note, in some site you might need to replace the $_SERVER["PHP_SELF"] to $_SERVER["SCRIPT_FILENAME"] or other value … depending of the php version.

After that at line 4 we are looking if the personn request this page or an other page. If he request this page we are going to show him the apache 404 not found error. If the header doesn't work just do a include of this code :

<?php
echo \"<!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL {$_SERVER[\'PHP_SELF\']} was not found on this server.<P>
<HR>
<ADDRESS>{$_SERVER[\'SERVER_SIGNATURE\']}</ADDRESS>
</BODY></HTML>\";
?>

This is won't work if the personn request the page with some argument like config.php?test=test but it should be enough to convince someone that is exploring you're site that the page doesn't exist …

  1. Remove Directory Listinning

This is simple thing that disabled the option to show the directory content if there is no file index.

You must create a .htaccess file and put this line in :

Options -Indexes

If you want to do the opposite because you're site default config is at "Options -Indexes" it's :

Options +Indexes
  1. Forbidden Directory and File

This is also a simple .htaccess trick to protect directory :

<Files *>
order allow,deny
deny from all
</Files>

This make all the file in the directory 403 Forbidden. If you want specific file to be 403 Forbidden it's :

<Files yourfile.php>
order allow,deny
deny from all
</Files>

or just for an extension

<Files *.forbidden_extension>
order allow,deny
deny from all
</Files>

Hope you enjoy this article and it helped you. Also sorry for my bad english.

Arto_8000

Comments
SySTeM's avatar
SySTeM 17 years ago

Nice article arto, good job!

ghost's avatar
ghost 17 years ago

Interestin' read, thanks.