
Accessing php files above document root with AJAX

Member Avatar
diafol
Where are my eyes?
12,980 posts since Oct 2006
Reputation Points: 1,821 [?]
Q&As Helped to Solve: 1,848 [?]
Skill Endorsements: 92 [?]
Moderator
Featured
Sponsor
 
0
 

Hi all, I've been using ajax for a while and I've been storing my trivial php include files in the public directory tree. Then I thought, I really should be putting my classes and includes above the public document root (as I used to do before I started dabbling with ajax).

I know js can't access anything above document root, but a php file called by ajax js could. That just seems like a fudge to me (?).

I suppose the php file being called by ajax HAS to be within doc root otherwise it couldn't work. Seeing as headers can be spoofed, it's almost impossible to protect against remote-site calling of these php files. Can't help thinking of some sort of session variable...

Has anybody out there any experience of this? How did you overcome it? Or am I missing something here?

Member Avatar
pritaeas
mod_pritaeas
11,315 posts since Jul 2006
Reputation Points: 1,420 [?]
Q&As Helped to Solve: 1,835 [?]
Skill Endorsements: 156 [?]
Moderator
Featured
Sponsor
 
2
 

I think you'll have to do some kind of shared token exchange. I have been working on it, but due to lack of time it isn't finished yet.

Basically, using a timestamp and a shared and private key, you can authenticate your request. This of course has to be generated before the output of your page (in PHP), because again, Javascript only is not secure enough for it.

In addition, you can restrict use of the private key to a session (they have to be logged in to your site) and/or an IP address.

diafol

Thanks pritaeas - I've been thinking along the lines of keys/tokens, but haven't got the knowledge to implement it (yet!). You've given me a bit to think about :)

pritaeas

I still want to build this, so should I get it working anytime soon, I'll let you know. If you get enlightened, please let me know.

diafol

Nice one, I'll try to work on something my end as well. I'm working on a hub idea at the mo:

all ajax calls go to one hub file with a post parameter -> include appropriate above root file. If I can just secure the hub...(your idea sounds good for this)

Will leave this thread open for now as I'll probably come back to it with any progress.

diafol

Found a great open source site scanner here:
http://www.subgraph.com/vega_download.php

It seems my techniques weren't as sound as I thought. 6 shell injection possibilities!

Looks like it's back to the drawing board for a few routines. :)

Oooo... the temptation to run it against something that's not mine...

pritaeas

Addition: I forgot I have the "RESTful PHP Web Services" eBook from Packt. One of the frameworks mentioned in it, which is looking promising is WSO2/WSF. Other ones mentioned are dbScript, Konstrukt, Madeam, Tonic and Zend.

diafol

Ha ha ha - my nose just exploded over the screen! Had a look at it and decided my current level of understanding falls well below that required to make any sense of it. :(

I went here and found some stuff that my *simple* brain could cope with.

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#General_Recommendation:_Synchronizer_Token_Pattern

What do you reckon? Will this work with a standard ajax call?

pritaeas

Basically yes, although instead of random I'd use a token encrypted with a private key, so it can change between requests, and can be verified. Don't forget to include a timeout for each token; it makes hijacking more tedious.

But that depends on whether you think you need it.

diafol

But that depends on whether you think you need it.

That's the thing.

I'm just using a standard jQuery .post or .ajax call to an include file with post parameters for updating/inserting to MySQL and using json for the response.

I've been getting warnings (Vega) saying that the file directory is being disclosed, as in:

url: includes/ajaxcall.php;

The calls are the result of link / button clicks so I assume that passing a token stored in a html element on the page or even placed into a js variable could then be checked in the ajaxcall.php file, if it's based on the session id and I use a timeout value.

I'm slowly getting my head around this...
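One concrete shape for the session-bound, time-limited token pritaeas describes and the single "hub" file diafol sketches, written as an added example rather than code from either poster. It assumes a made-up layout where `hub.php` sits in document root, while `app/secret.php` (a file that just returns a long random string) and `app/actions/*.php` live one level above it.

```php
<?php
// Added example (not from the thread). Assumed layout:
//   /var/www/html/hub.php          <- this file, inside document root
//   /var/www/app/secret.php        <- "<?php return 'long random string';", above root
//   /var/www/app/actions/*.php     <- the includes being protected, above root
session_start();

$secret = require __DIR__ . '/../app/secret.php';   // server-side key, never sent to the browser
const TOKEN_TTL = 900;                              // seconds a token stays valid

// Build a token bound to this session and an expiry time, signed with the server secret.
// The page that renders the links/buttons calls this and embeds the result in the HTML.
function ajax_token(string $secret): string {
    $expires = time() + TOKEN_TTL;
    $payload = session_id() . '|' . $expires;
    $sig = hash_hmac('sha256', $payload, $secret);
    return $expires . '.' . $sig;
}

// Verify a token: well-formed, not expired, and HMAC matches this session and expiry.
function ajax_token_valid(string $token, string $secret): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) return false;
    [$expires, $sig] = $parts;
    if ((int)$expires < time()) return false;       // timeout, as pritaeas suggests
    $expected = hash_hmac('sha256', session_id() . '|' . $expires, $secret);
    return hash_equals($expected, $sig);             // constant-time comparison
}

// Map the POSTed action to a file above document root through an allowlist,
// never by building a path from the parameter, so the hub cannot be pointed elsewhere.
$actions = [
    'save'   => __DIR__ . '/../app/actions/save.php',
    'delete' => __DIR__ . '/../app/actions/delete.php',
];

header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['token'], $_POST['action'])
    || !ajax_token_valid($_POST['token'], $secret)
    || !isset($actions[$_POST['action']])) {
    http_response_code(403);
    echo json_encode(['error' => 'rejected']);
    exit;
}
require $actions[$_POST['action']];   // the included file produces the JSON response
```

The page serving the links outputs `ajax_token($secret)` into a data attribute, and the jQuery `.post` sends it as the `token` parameter alongside `action`; a cross-site request cannot read that value, so it fails the check even though the hub itself has to stay inside document root.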

Question Answered as of 2 Years Ago by pritaeas