Accessing php files above document root with AJAX

Hi all, I've been using ajax for a while and I've been storing my trivial php include files in the public directory tree. Then I thought, I really should be putting my classes and includes above the public document root (as I used to do before I started dabbling with ajax).

I know js can't access anything above document root, but a php file called by ajax js could. That just seems like a fudge to me (?).

I suppose the php file being called by ajax HAS to be within doc root otherwise it couldn't work. Seeing as headers can be spoofed, it's almost impossible to protect against remote-site calling of these php files. Can't help thinking of some sort of session variable...

Has anybody out there any experience of this? How did you overcome it? Or am I missing something here?

2 contributors, 11 replies, discussion span 2 days, last updated 1 year ago, 13 views. Question answered.
diafol
Keep Smiling
Moderator
10,826 posts since Oct 2006
Reputation Points: 1,675
Solved Threads: 1,532
Skill Endorsements: 61

I think you'll have to do some kind of shared token exchange. I have been working on it, but due to lack of time it isn't finished yet.

Basically, using a timestamp and a shared and private key, you can authenticate your request. This of course has to be generated before the output of your page (in PHP), because again, Javascript only is not secure enough for it.

In addition, you can restrict use of the private key to a session (they have to be logged in to your site) and/or an IP address.

pritaeas
Posting Prodigy
Moderator
9,533 posts since Jul 2006
Reputation Points: 1,194
Solved Threads: 1,494
Skill Endorsements: 98

Thanks pritaeas - I've been thinking along the lines of keys/tokens, but haven't got the knowledge to implement it (yet!). You've given me a bit to think about :)

diafol

I still want to build this, so should I get it working anytime soon, I'll let you know. If you get enlightened, please let me know.

pritaeas

Nice one, I'll try to work on something my end as well. I'm working on a hub idea at the mo:

all ajax calls go to one hub file with a post parameter -> include appropriate above root file. If I can just secure the hub...(your idea sounds good for this)

Will leave this thread open for now as I'll probably come back to it with any progress.

diafol
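The "hub" idea above has one trap worth showing: if the POST parameter names the file to include, the browser controls what gets included. Below is an added example of a hub written the safe way; it is not code from this thread. It assumes PHP 7.1+, a document root of /var/www/public, the hub at /var/www/public/ajax/hub.php, private handlers in /var/www/private/handlers (all hypothetical paths), and a logged-in user recorded as $_SESSION['user_id'].

```php
<?php
// Added example for the "hub" idea; not code from the thread.
// Assumed layout (hypothetical): document root /var/www/public, this file at
// /var/www/public/ajax/hub.php, handlers in /var/www/private/handlers, which
// the web server never serves directly.
declare(strict_types=1);

// UNSAFE hub: the browser chooses the file name, so a request such as
// action=../../../../etc/passwd (or any file the PHP user can read) gets
// included. Kept only as the "before" picture.
//
//     include '/var/www/private/handlers/' . $_POST['action'] . '.php';

// Hardened hub: the browser chooses only a key; the server owns the mapping.

function handler_dir(): string
{
    // __DIR__ is /var/www/public/ajax, so two levels up is /var/www.
    return dirname(__DIR__, 2) . '/private/handlers';
}

// Allowlist of every action the hub will dispatch. Anything not listed here
// is rejected before any file system access happens.
function handler_map(): array
{
    return [
        'user.update' => 'user_update.php',
        'user.insert' => 'user_insert.php',
        'list.fetch'  => 'list_fetch.php',
    ];
}

// Absolute path of the handler for $action, or null if the action is unknown
// or the resolved path is not inside the handler directory.
function resolve_handler(string $action): ?string
{
    $map = handler_map();
    if (!isset($map[$action])) {
        return null;
    }
    $base = realpath(handler_dir());
    $path = realpath(handler_dir() . '/' . $map[$action]);
    // realpath() follows symlinks and collapses "..", so the prefix check
    // also catches a handler file that was symlinked somewhere unexpected.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function json_fail(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $message]);
    exit;
}

session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    json_fail(405, 'POST only');
}
// The hub is the only AJAX script under the document root, so it is the one
// place to enforce "must be logged in" (and any per-request token check) for
// every action. $_SESSION['user_id'] is an assumed login marker.
if (empty($_SESSION['user_id'])) {
    json_fail(401, 'login required');
}

$action  = isset($_POST['action']) ? (string) $_POST['action'] : '';
$handler = resolve_handler($action);
if ($handler === null) {
    json_fail(400, 'unknown action');
}

// The handler sees $_POST and $_SESSION as usual and echoes its own JSON; the
// browser only ever learns the action key, never the on-disk path.
header('Content-Type: application/json');
require $handler;
```

Because the handlers sit above the document root they cannot be requested directly, so every check the hub performs applies to all of them; the allowlist is what keeps "one hub file with a post parameter" from turning into a local file inclusion hole.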

Found a great open source site scanner here:
http://www.subgraph.com/vega_download.php

It seems my techniques weren't as sound as I thought. 6 shell injection possibilities!

Looks like it's back to the drawing board for a few routines. :)

Oooo... the temptation to run it against something that's not mine...

diafol

Addition: I forgot I have the "RESTful PHP Web Services" eBook from Packt. One of the frameworks mentioned in it, which is looking promising is WSO2/WSF. Other ones mentioned are dbScript, Konstrukt, Madeam, Tonic and Zend.

pritaeas

Ha ha ha - my nose just exploded over the screen! Had a look at it and decided my current level of understanding falls well below that required to make any sense of it. :(

I went here and found some stuff that my *simple* brain could cope with.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

What do you reckon? Will this work with a standard ajax call?

diafol

Basically yes, although instead of random I'd use a token encrypted with a private key, so it can change between requests, and can be verified. Don't forget to include a timeout for each token, makes hijacking more tedious.

But that depends on whether you think you need it.

pritaeas

But that depends on whether you think you need it.

That's the thing.

I'm just using a standard jQuery .post or .ajax call to an include file with post parameters for updating/inserting to MySQL and using json for the response.

I've been getting warnings (Vega) saying that the file directory is being disclosed, as in:

url: includes/ajaxcall.php;

The calls are the result of link / button clicks, so I assume that passing a token stored in an html element on the page, or even placed into a js variable, could then be checked in the ajaxcall.php file, if it's based on the session id and I use a timeout value.

I'm slowly getting my head around this...

diafol
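Putting the pieces of this thread together: pritaeas's timestamp + private-key token that can be verified and expires, the OWASP synchronizer token pattern diafol linked, and diafol's plan to keep the token in an HTML element and check it in the AJAX script against the session id with a timeout. The following is an added example, not code from the thread or from either poster. It uses a keyed hash (HMAC-SHA256) rather than encryption, because a MAC is exactly what "can be verified" needs. Assumptions, all hypothetical: PHP 7.1+, the secret is stored in /var/www/private/ajax_secret.key above the document root, the AJAX endpoint is /ajax/hub.php, and the token travels in an X-Ajax-Token request header.

```php
<?php
// Added example, not code from the thread. Token = "<expires>:<hmac>", where
// the HMAC is keyed with a server-side secret and covers the session id and the
// expiry time. Hypothetical paths/names: /var/www/private/ajax_secret.key,
// /ajax/hub.php, header X-Ajax-Token.
declare(strict_types=1);

const TOKEN_TTL = 300; // seconds a token stays valid; a short window limits replay

// The secret never reaches the browser. Create it once with
//   php -r 'echo bin2hex(random_bytes(32));' > /var/www/private/ajax_secret.key
function ajax_secret(): string
{
    return trim((string) file_get_contents('/var/www/private/ajax_secret.key'));
}

// The HMAC covers the session id, so a token lifted from one user's page does
// not verify in any other session, and it covers the expiry, so the client
// cannot extend a token it was given.
function make_ajax_token(string $sessionId, int $now, string $secret): string
{
    $expires = $now + TOKEN_TTL;
    return $expires . ':' . hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
}

// True only if the token is well-formed, unexpired, and its HMAC matches one
// recomputed for *this* session. hash_equals() compares in constant time, so
// timing does not leak how many bytes of a guessed MAC were right.
function verify_ajax_token(string $token, string $sessionId, int $now, string $secret): bool
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return false;
    }
    $expires = (int) $parts[0];
    if ($expires < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, $secret);
    return hash_equals($expected, $parts[1]);
}

// Page side: call before any output and echo the result. The token sits in a
// data attribute that only same-origin script can read, which is what defeats
// cross-site forgery; Referer/Origin headers are not relied on at all.
function ajax_token_markup(): string
{
    session_start();
    $token = htmlspecialchars(make_ajax_token(session_id(), time(), ajax_secret()), ENT_QUOTES, 'UTF-8');
    return '<div id="app" data-ajax-token="' . $token . '"></div>' . "\n"
        . '<script>' . "\n"
        // Every later $.post()/$.ajax() call then carries the header automatically,
        // e.g. $.post("/ajax/hub.php", { action: "user.update", id: 42 }, null, "json");
        . '$.ajaxSetup({ headers: { "X-Ajax-Token": $("#app").attr("data-ajax-token") } });' . "\n"
        . '</script>';
}

// Endpoint side: call at the top of /ajax/hub.php before dispatching anything.
function guard_ajax_request(): void
{
    session_start();
    $sent = isset($_SERVER['HTTP_X_AJAX_TOKEN']) ? (string) $_SERVER['HTTP_X_AJAX_TOKEN'] : '';
    if (!verify_ajax_token($sent, session_id(), time(), ajax_secret())) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['ok' => false, 'error' => 'missing, bad or expired token']);
        exit;
    }
}

// Offline self-check with a constructed secret and a fixed clock: `php token.php`.
function self_check(): bool
{
    $secret = 'constructed-test-secret';
    $t = make_ajax_token('sess-A', 1000, $secret);                          // expires at 1300
    return verify_ajax_token($t, 'sess-A', 1200, $secret)                   // valid
        && !verify_ajax_token($t, 'sess-B', 1200, $secret)                  // other session
        && !verify_ajax_token($t, 'sess-A', 1301, $secret)                  // expired
        && !verify_ajax_token($t, 'sess-A', 1200, 'other-secret')           // wrong key
        && !verify_ajax_token('9999999999:00', 'sess-A', 1200, $secret);    // forged
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "token self-check passed\n" : "token self-check FAILED\n";
}
```

Two caveats a practitioner would want stated. First, this answers the "remote-site calling" worry only in the CSRF sense: another site cannot read the token out of a logged-in user's page, so it cannot forge a valid request on that user's behalf. It does not stop a logged-in user from calling /ajax/hub.php themselves with curl, so the handlers must still validate their input and check that the user is allowed to touch the rows they name. Second, binding the token to $_SERVER['REMOTE_ADDR'] as well, as pritaeas mentions, is possible but breaks for users whose address changes mid-session (mobile networks, some proxies); binding to the session id already gives most of the benefit.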
Question Answered as of 1 Year Ago by pritaeas

This question has already been solved: Start a new discussion instead

Post: Markdown Syntax: Formatting Help
 
You
View similar articles that have also been tagged:
 
© 2013 DaniWeb® LLC
Page generated in 0.0893 seconds using 2.72MB