Thread: php security

php security
user name
2006-02-08 14:19:18
Hi !!!!!!
I have some weak points on the security side /php/ !!!! so
I want to IMPROVE my skills in php security . !!!! , please
if you have any resources or anything, for example an ebook or anything that could help me,
please tell me, and thanks so much for your help!!!!


thanks in advance

php security
user name
2006-03-08 13:17:49
ccisecurity.php and filepipe.php are used together ... ccisecurity.php can be used alone but filepipe.php MUST be used and run through ccisecurity.php

the last one, soapsecurity.php, is a stand-alone.

all are drop-ins that should work with any php page or site with little to no changes needed (except in the n_ numeric-only variable structure required for sanitization of data in soapsecurity.php)

read the text for more info.

these are the very best and most comprehensive security scripts i have ever seen or heard of and are at the core of every php application i develop (with some minor changes as needed hehehe).

Kudos to mike parniak of http://voodoochat.com and http://cafecounterintelligence.com for his expertise and benevolence in making these GPL Open Source scripts

enjoy !
 
 
 
[What is the CCI Website Security Script?]
 The CCI Website Security Script is a drop-in PHP script designed to take on the burden of dealing with certain common security problems in PHP scripts.  It is made to be added to an existing script to provide immediate, transparent security of varying types.
 Far, far too often you hear about free scripts having some common vulnerability that has been seen a thousand times in other scripts - people just aren't careful enough when writing scripts.  This script is designed to try to compensate for some of this carelessness.

[What can the CCI Website Security Script defend against?]
**HTTP REQUEST FLOODS**
 This was the type of problem that the script was originally designed to deal with.  Programs can be created to flood your website with GET or POST requests in order to bog down the CPU, generate thousands of emails, fill up databases, or whatever.  Very few scripts are set up to deal with this type of attack, and commercial webhosts are prone to discontinuing your account if you are the victim of one (it's their machines that get bogged down).  This script helps protect against this type of attack.
**SCRIPT DISPLAY VULNERABILITIES**
 By far the most common vulnerability in PHP scripts.  Users find a cgi variable that will be displayed verbatim, and pass through some HTML code (generally some javascript code) that will send a user's cookies or what-not to their webserver.  They use this information to steal their login or worse.  The CCI script has the ability to "sanitize" all GET, POST, and COOKIE data to convert the < > characters to their displayable but non-executable versions.  This generally negates the danger of this type of vulnerability.
**GENERAL FLOOD PROTECTION**
 An additional ability of this script is that you can call it from within your own script to perform time-based checking for flooding of a particular function.  This means you pass it a unique identifier, such as "messageposts", and a time value, such as 60 seconds... and optionally a threshold number (default 1), and the function will return TRUE if it has been called more than <threshold> times by the same user without the time value number of seconds between the calls.  A very handy feature for script developers.
**IP BANNING VIA .HTACCESS**
 As an option (that defaults to on) this script can modify your .htaccess file to ban the IPs of users who are abusing your scripts.  This will drastically reduce CPU load due to their attempts, and prevent them from further trying to abuse your system.  You can call this IP Banning function from your own scripts as well, if you wish to ban certain IPs.  For this to work, the script must have write access to your .htaccess file (if one exists).
**HTML Source Viewing/Stealing**
 The script can automatically wrap pages in a javascript function which either uses the commonly used "escape" obfuscating technique, or cciSecurity's own encryption method which makes it impossible to get the actual source just using the document data.  It stores the key to the encryption in a cookie, which changes with each request - so unless a user captures the cookie data at the same time as the document, they cannot decrypt it properly after the fact!

[How do I use this script?]
 The script is simple to use.  Simply add the following line to the very top of your scripts.  For scripts that involve multiple .PHP files, you need only add it to the top of any file that all your files include, though using the require_once function dismisses the danger of adding it to the top of ALL files:
require_once("ccisecurity.php");
 You may wish to open ccisecurity.php and alter the configuration variables at the top.  The default values should work for most systems, though if you wish to tweak the values for your system, it is a good idea to do so before you begin using it.

[Configuring cciSecurity]
 There are a set of variables at the top of cciSecurity.php that you should look over and tweak to your liking.  Any of the options that are more CPU intensive, or might cause problems with some scripts, have been disabled by default.  Trial and error will let you figure out which options are best for your site/script.

[Possible Concerns: GZIP encoding / HTML encryption]
 If you want to use either of these options in conjunction with ccisecurity.php, you need to make sure your script does not already use gzip encoding.  If it does, TURN IT OFF IN YOUR SCRIPT and enable it in ccisecurity.php instead.  You cannot use HTML encryption if you use your script's own gzip buffer because the gzip buffer needs to be put into place before the encryption buffer.  cciSecurity makes sure the user can accept gzip encoding before using it, so don't worry about using ccisecurity's gzip rather than your own script's.

[Possible Concerns: POST variable sanitizing]
 Some script systems let you or other users post HTML codes in articles, messages, signatures, etc.  If your script requires that, make sure to keep the POST sterilization off, or it will convert all the < > characters into &lt; &gt; instead.  If you don't require any of that, turn it on - it should greatly reduce the chances of running into cross-site scripting problems (people stealing your users' cookies and such).

[Possible Concerns: CPU Monitor]
 Ok, flat out, this is a big hack.  It just runs uptime and snags the CPU load from the result.  It's probably smart to leave this off unless you have great faith in my competence as a programmer =)  I'm absolutely unsure if this will ever help, or if it's just going to slow things down because it has to execute an external command <shrug>...  Use at own risk!

[See a way cciSecurity can be improved?]
 I'd love to see your mods and improvements on this script - I am by no means the penultimate expert on website security or php, and certainly not javascript (!!) so if you can improve on any aspect of the script, or want to discuss its design or possible alterations, I encourage you to visit us at www.cafecounterintelligence.com - join the forums and fire away.
 
::: ccisecurity.php :::
<?php
#############################################################################
#                                                                           #
# Cafe CounterIntelligence PHP Website Security Script 1.8                  #
# Copyright 2002, 2003 Mike Parniak                                         #
# www.cafecounterintelligence.com                                           #
#                                                                           #
# This program is free software; you can redistribute it and/or modify      #
# it under the terms of the GNU General Public License as published by      #
# the Free Software Foundation; either version 2 of the License, or         #
# (at your option) any later version.                                       #
#                                                                           #
# This program is distributed in the hope that it will be useful,           #
# but WITHOUT ANY WARRANTY; without even the implied warranty of            #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             #
# GNU General Public License for more details.                              #
#                                                                           #
# You should have received a copy of the GNU General Public License         #
# along with this program; if not, write to the Free Software               #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA   #
#                                                                           #
# Usage: require_once("ccisecurity.php"); at the start of website scripts.  #
#                                                                           #
#############################################################################
# Note on this copy: the script as posted used the ereg*/eregi* functions and
# session_unregister(), which were removed in PHP 7.0 and PHP 5.4. They are
# replaced below with preg_* and unset() equivalents, the session counters the
# script reads are initialised before first use, and a few defects noted in
# comments are fixed. The behaviour is otherwise as described in the text above.
##################
#
# Configuration Section - Set these variables first (Or use default if you want)
#
##################
$usehtaccessbans = 1;      # 1 = modify .htaccess to ban IPs, 0 = don't ban IPs.
$filterGETvars = 1;        # 1 = sterilize HTML tags in GET variables, 0 = don't
$filterCOOKIEvars = 1;     # 1 = sterilize HTML tags in COOKIE variables, 0 = don't
$filterPOSTvars = 0;       # 1 = sterilize HTML tags in POST variables, 0 = don't
$extraPOSTprotection = 0;  # 1 = use the extra POST protection, 0 = don't
$extraGETprotection = 0;   # 1 = use the extra GET protection, 0 = don't (not recommended!)
$checkmultiPOST = 1;       # 1 = only allow maxmultiPOST number of successive POSTs, 0 = don't care
$maxmultiPOST = 5;         # Maximum number of POST operations in a row, if checkmultipost is on.
$zipcompress = 0;          # 1 = Compress pages using GZIP library (lower bandwidth, higher CPU), 0 = don't
$compresslevel = 9;        # Compression level for zipcompressing, from 1 (low) to 9 (maximum)
$cpuloadmonitor = 0;       # 1 = block access if over a certain system load, 0 = don't
$cpumaxload = 10.0;        # Maximum 5 minute system load average before blocking access
$ccisessionpath = "";      # if not blank, sets a directory path to store session files.
##### Encryption/Encoding Variables
$javababble = 0;           # 1 = Use Encoding/Encrypting (Must be on for any), 0 = Don't
$javaencrypt = 0;          # Do actual encrypting of HTML, not just escaping (warning: may slow display)
$preservehead = 0;         # 1 = Only encode/encrypt between BODY tags, 0 = encode/encrypt whole document
##################
#
# Check for in-script overrides
#
# The override is honoured only when it was not supplied in the request, so
# a client cannot switch the options from the URL under register_globals.
#
##################
if (isset($zipoverride)) {
  if (!isset($_REQUEST["zipoverride"])) {
    $zipcompress = $zipoverride;
    unset($zipoverride);
  }
}
if (isset($babbleoverride)) {
  if (!isset($_REQUEST["babbleoverride"])) {
    $javababble = $babbleoverride;
    unset($babbleoverride);
  }
}
##################
#
# Function: CCIJavaBabble
#
# Usage: Takes some HTML, url-encodes it (jumbles it) then returns the javascript needed to display it properly.
#
##################
function CCIJavaBabble($myoutput) {
  global $mycrypto, $myalpha2, $javaencrypt, $preservehead;
  $s = str_replace("\n","",$myoutput);
  $outputstring = "";
  $outputend = "";
  if ($preservehead) {
    # Split off everything up to and including the opening <body> tag, and everything
    # from the closing </body> tag onwards, so that only the body gets encoded.
    # (The posted version called eregi_replace() on undefined variables here and
    # discarded the result, so the head and foot were never actually removed.)
    if (preg_match("/(^.+<body[^>]*>)/i",$s,$chunks)) {
      $outputstring = $chunks[1];
      $s = substr($s,strlen($outputstring));
    }
    if (preg_match("#(</body[^>]*>.*)#i",$s,$chunks)) {
      $outputend = $chunks[1];
      $s = substr($s,0,strlen($s)-strlen($outputend));
    }
  }

  if ($javaencrypt) {
    # Substitute every alphanumeric with its counterpart in the shuffled alphabet;
    # the shuffled alphabet was sent to the browser in a cookie, which the
    # javascript below reads back to reverse the substitution.
    $s = strtr($s,$myalpha2,$mycrypto);
    $s = rawurlencode($s);
    $outputstring .= "<script>var cc=unescape('$s'); ";
    $outputstring .= "var index = document.cookie.indexOf('" . md5($_SERVER["REMOTE_ADDR"] . $_SERVER["SERVER_ADDR"]) . "='); " .
      "var aa = '$myalpha2'; var bb = ''; " .
      "if (index > -1) { " .
      "  index = document.cookie.indexOf('=', index) + 1; " .
      "  var endstr = document.cookie.indexOf(';', index); " .
      "  if (endstr == -1) endstr = document.cookie.length; " .
      "  bb = unescape(document.cookie.substring(index, endstr)); " .
      "} " .
      "cc = cc.replace(/[$myalpha2]/g,function(str) { return aa.substr(bb.indexOf(str),1) }); document.write(cc);";
  } else {
    $outputstring .= "<script>document.write(unescape('" . rawurlencode($s) . "'));";
  }
  $outputstring .= "</script><noscript>You must enable Javascript in order to view this webpage.</noscript>" . $outputend;

  return $outputstring;
}
##################
#
# Function: CCISterilize
#
# Format: CCISterilize(value)
# Returns: The value with < > & " converted to HTML entities
#
# Usage: htmlspecialchars() only accepts strings, so nested request arrays (a[]=1)
#        are walked recursively instead of being passed through unfiltered.
#
##################
function CCISterilize($value) {
  if (is_array($value)) return array_map("CCISterilize",$value);
  return htmlspecialchars($value);
}
##################
#
# Function: CCIClearSession
#
# Format: CCIClearSession()
# Returns: Nothing
#
# Usage: Clears all the data out of the session record other than data used for this script
#
##################
function CCIClearSession() {
  $getvariables = array_keys($_SESSION);
  $count = 0;
  while($count < count($getvariables)) {
    if (substr($getvariables[$count],0,7) != "ccisec-") {
      unset($_SESSION[$getvariables[$count]]);   # session_unregister() was removed in PHP 5.4
      if (ini_get('register_globals')) unset(${$getvariables[$count]});
    }
    $count++;
  }
}
##################
#
# Function: CCIBanIP
#
# Format: CCIBanIP(IPAddress)
# Returns: Nothing
#
# Usage: Will open and add a deny line to the .htaccess file in the same directory to deny all
#        accessing by a given IP address.
#
##################
function CCIBanIP($banip) {
  $filelocation = ".htaccess";
  $limitend = "# End of CCI Security Section\n";
  $newline = "deny from $banip\n";
  if (file_exists($filelocation)) {
    $mybans = file($filelocation);
    $lastline = "";
    if (in_array($newline,$mybans)) exit();   # already banned - nothing to write
    if (in_array($limitend,$mybans)) {
      # Pop everything after the end marker, then the marker and the two closing
      # lines of the section, so the new deny line lands inside the <Limit> block.
      $i = count($mybans)-1;
      while ($mybans[$i] != $limitend) {
        $lastline = array_pop($mybans) . $lastline;
        $i--;
      }
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      array_push($mybans,$newline,$lastline);
    } else {
      array_push($mybans,"\n\n# CCI Security Script\n","<Limit GET POST>\n","order allow,deny\n",$newline,"allow from all\n","</Limit>\n",$limitend);
    }
  } else {
    $mybans = array("# CCI Security Script\n","<Limit GET POST>\n","order allow,deny\n",$newline,"allow from all\n","</Limit>\n",$limitend);
  }
  $myfile = fopen($filelocation,"w");
  fwrite($myfile,implode("",$mybans));
  fclose($myfile);
}
##################
#
# Function: CCIFloodCheck
#
# Format: CCIFloodCheck("identifier",interval,threshold)
# Returns: 1 if requested without minimum interval, a threshold number of times.  0 if not.
#
# Usage: For functions that require flood control pass a unique identifier, the minimum number of
#        seconds that should be waited between repeats of the function, and a number of times that
#        function can be called too quickly before it sets off the flood trapping.
#
##################
function CCIFloodCheck($identifier,$interval,$threshold=1) {
  $myresult = 0;
  if (isset($_SESSION["ccisec-" . $identifier])) {
    if ($_SESSION["ccisec-" . $identifier] > (time()-$interval)) {
      if ($threshold<2) {
        $myresult = 1;
      } else {
        if (!isset($_SESSION["ccisec-" . $identifier . "-counter"])) {
          $_SESSION["ccisec-" . $identifier . "-counter"] = 1;
        } else {
          $_SESSION["ccisec-" . $identifier . "-counter"]++;
          if ($_SESSION["ccisec-" . $identifier . "-counter"] >= $threshold) {
            $myresult = 1;
          }
        }
      }
    } else {
      # A call that did wait long enough ends the run of fast calls.
      unset($_SESSION["ccisec-" . $identifier . "-counter"]);
    }
  }
  # Record this call's time for every call, including the first one (the posted
  # version only recorded it when a previous time existed, so it never tripped).
  $_SESSION["ccisec-" . $identifier] = time();
  return $myresult;
}
################################################################################
srand(time());
# This file is only meant to be included, never requested on its own.
if (preg_match("/ccisecurity\.php/i",$_SERVER["SCRIPT_NAME"])) exit();
if ($ccisessionpath != "") session_save_path($ccisessionpath);
session_name(md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . "CCI"));
ini_set("session.use_only_cookies","1");
ini_set("session.use_trans_sid","0");
if (($zipcompress) && (isset($_SERVER["HTTP_ACCEPT_ENCODING"])) && (stripos($_SERVER["HTTP_ACCEPT_ENCODING"],"gzip") !== false)) {
  # ob_gzhandler and zlib.output_compression cannot both be active, so only the
  # output handler is started here; it uses zlib.output_compression_level.
  ini_set("zlib.output_compression_level",$compresslevel);
  ob_start("ob_gzhandler");
}
if ($javababble) {
  if ($javaencrypt) {
    $myalpha = array_merge(range("a","z"),range("A","Z"),range("0","9"));
    $myalpha2 = implode("",$myalpha);
    shuffle($myalpha);
    $mycrypto = implode("",$myalpha);
    setcookie(md5($_SERVER["REMOTE_ADDR"] . $_SERVER["SERVER_ADDR"]),$mycrypto);
    unset($myalpha);
  }
  ob_start("CCIJavaBabble");
}
if (substr_count($_SERVER["SERVER_NAME"],".")>1) {
  $cookiedomain = preg_replace("/^[^.]+\./",".",$_SERVER["SERVER_NAME"]);
} else $cookiedomain = "." . $_SERVER["SERVER_NAME"];
$ip = $_SERVER["REMOTE_ADDR"];
$mykeyname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . "CCI");
$myposthashname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $_SERVER["PATH"] . "CCI");
$myhash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
      $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
      $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . "X");

# The session id is derived from the client address, so all of the per-client
# counters below are keyed by IP rather than by browser.
$mysession = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"]);
session_id($mysession);
session_start();
# Make sure every counter this script reads exists, so a fresh session does not
# raise undefined-index notices.
foreach (array("ccisec-errors"=>0,"ccisec-fastaccesses"=>0,"ccisec-opcount"=>0,
               "ccisec-lastoperation"=>"","ccisec-hash"=>"","ccisec-myhash"=>"") as $k=>$v) {
  if (!isset($_SESSION[$k])) $_SESSION[$k] = $v;
}
unset($k); unset($v);

# Sneaky cookie-storing flooding programs tend to trip this - a cookie not meant to be returned.
if ((isset($_SESSION["ccisec-tripwire"])) && (isset($_COOKIE[$_SESSION["ccisec-tripwire"]]))) {
  CCIBanIP($ip);
  exit();
}
$tripwire = md5(uniqid(time()));
# The cookie is set already expired, so a real browser discards it instead of returning it.
setcookie($tripwire,md5(uniqid(time())),time()-999999,"/",$cookiedomain);
$_SESSION["ccisec-tripwire"]=$tripwire;
# End of the tripwire routine

if ($_SESSION["ccisec-errors"]>=10) {
  CCIBanIP($ip);
  exit();
}
if ($_SESSION["ccisec-myhash"] != $myhash) {
  $_SESSION["ccisec-myhash"] = $myhash;
  $_SESSION["ccisec-errors"]++;
  session_write_close();
  header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
}
if ((!isset($_COOKIE[$mykeyname])) || ($_COOKIE[$mykeyname] != $myhash)) {

  if (!isset($_SESSION["ccisec-nocookie"])) {
    $_SESSION["ccisec-nocookie"] = 1;
  } else {
    $_SESSION["ccisec-nocookie"]++;
  }

  if (($usehtaccessbans) && ($_SESSION["ccisec-nocookie"]>10)) CCIBanIP($ip);

  setcookie($mykeyname,$myhash,0,"/",$cookiedomain);

  if ($_SESSION["ccisec-nocookie"]>2) {
    echo "<b><h1>Access Denied</h1><br><br>You must enable cookies in order to access this website.  Please do so before returning, as continued attempts to access without cookies may result in a banning of this ip ($ip).</b>";
    session_write_close();
    exit();
  }
  if ($extraGETprotection) {
    $_SESSION["ccisec-hash"] = md5(uniqid(time()));
    setcookie($myposthashname,$_SESSION["ccisec-hash"],0,"/",$cookiedomain);
  }
  CCIClearSession();
  session_write_close();
  header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
} else $_SESSION["ccisec-nocookie"] = 0;
if (($usehtaccessbans) && ($_SESSION["ccisec-fastaccesses"]>40)) CCIBanIP($ip);
if ($_SESSION["ccisec-fastaccesses"]>10) {
  if ((time()-60) < $_SESSION["ccisec-lastaccess"]) {
    echo "<b><h1>Access Denied</h1><br><br>There have been too many rapid requests from this IP address ($ip).  You must now wait a full 60 seconds before accessing this site again.</b>";
    $_SESSION["ccisec-fastaccesses"]++;
    $_SESSION["ccisec-lastaccess"]=time();
    exit();
  }
}
if (!isset($_SESSION["ccisec-lastaccess"])) {
  $_SESSION["ccisec-lastaccess"]=time();
} else {
  if ((time()-2) < $_SESSION["ccisec-lastaccess"]) {
    $_SESSION["ccisec-fastaccesses"]++;
  } else {
    $_SESSION["ccisec-fastaccesses"] = 0;
  }
  $_SESSION["ccisec-lastaccess"]=time();
}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if ($checkmultiPOST) {
    if (($_SESSION["ccisec-lastoperation"] == "POST") && ($_SESSION["ccisec-opcount"] >= $maxmultiPOST)) {
      echo "<b><h1>Access Denied</h1><br><br>You may not make multiple POST operations in sequence - please return to the website and try again.</b>";
      $_SESSION["ccisec-errors"]++;
      exit();
    }
  }
  if ($extraPOSTprotection) {
    if ((!isset($_COOKIE[$myposthashname])) || ($_COOKIE[$myposthashname] != $_SESSION["ccisec-hash"])) {
      echo "<b><h1>Access Denied</h1><br><br>Your browser did not send the correct security data needed to complete a POST operation.  Make sure that you have cookies enabled and then try again, or contact the administration if you feel you are receiving this message in error.</b>";
      $_SESSION["ccisec-errors"]++;
      exit();
    }
  }
} else if (($extraGETprotection) && ($_SERVER["REQUEST_METHOD"] == "GET")) {
  if ((!isset($_COOKIE[$myposthashname])) || ($_COOKIE[$myposthashname] != $_SESSION["ccisec-hash"])) {
    echo "<b><h1>Access Denied</h1><br><br>Your browser did not send the correct security data needed to complete a GET operation.  Make sure that you have cookies enabled and then try again, or contact the administration if you feel you are receiving this message in error.</b>";
    $_SESSION["ccisec-errors"]++;
    exit();
  }
} else if ($_SERVER["REQUEST_METHOD"] != "GET") {
  exit();
}
if (($extraPOSTprotection) || ($extraGETprotection)) {
  srand(time());
  $_SESSION["ccisec-hash"] = md5(uniqid(time()));
  setcookie($myposthashname,$_SESSION["ccisec-hash"],0,"/",$cookiedomain);
}
if ($_SESSION["ccisec-lastoperation"] == $_SERVER["REQUEST_METHOD"]) {
  $_SESSION["ccisec-opcount"]++;
} else {
  # A change of method starts a new run; the posted version kept the old count,
  # so a run of GETs could make the second POST in a row count as the maximum.
  $_SESSION["ccisec-lastoperation"] = $_SERVER["REQUEST_METHOD"];
  $_SESSION["ccisec-opcount"] = 0;
}
# Make special characters safe in any GET based cgi variables.
if ($filterGETvars) {
  $getvariables = array_keys($_GET);
  $count = 0;
  while($count < count($getvariables)) {
    $_GET[$getvariables[$count]] = CCISterilize($_GET[$getvariables[$count]]);
    if (ini_get('register_globals')) ${$getvariables[$count]} = $_GET[$getvariables[$count]];
    $count++;
  }
}
if ($filterPOSTvars) {
  $getvariables = array_keys($_POST);
  $count = 0;
  while($count < count($getvariables)) {
    $_POST[$getvariables[$count]] = CCISterilize($_POST[$getvariables[$count]]);
    if (ini_get('register_globals')) ${$getvariables[$count]} = $_POST[$getvariables[$count]];
    $count++;
  }
}
if ($filterCOOKIEvars) {
  $getvariables = array_keys($_COOKIE);
  $count = 0;
  while($count < count($getvariables)) {
    $_COOKIE[$getvariables[$count]] = CCISterilize($_COOKIE[$getvariables[$count]]);
    if (ini_get('register_globals')) ${$getvariables[$count]} = $_COOKIE[$getvariables[$count]];
    $count++;
  }
}
if ($cpuloadmonitor) {
  # sys_getloadavg() (PHP 5.1.3+) returns the 1, 5 and 15 minute averages without
  # running an external command; the uptime parse of the posted version is kept
  # as a fallback (note that it picks up the 1 minute value).
  if (function_exists("sys_getloadavg")) {
    $loadavg = sys_getloadavg();
    $myload = ($loadavg === false) ? 0.0 : (float) $loadavg[1];
  } else {
    $myshelldata = shell_exec("uptime");
    $myshelldata = preg_replace("/.*average.*: /i","",$myshelldata);
    $myload = (float) preg_replace("/, .*/","",$myshelldata);
  }
  if ($myload >= $cpumaxload) {
    echo "<b><h1>Access Denied</h1><br><br>The server is currently too busy to serve your request.  We apologize for the inconvenience.</b>";
    exit();
  }
  unset($myload);
  unset($loadavg);
  unset($myshelldata);
}
unset($count);
unset($getvariables);
unset($ip);
unset($cookiedomain);
unset($mykeyname);
unset($myposthashname);
unset($myhash);
unset($mysession);
$_SESSION["ccisec-errors"] = 0;
if (connection_aborted()) exit();
?>
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
 
::: filepipe.php :::
<?php
#####
#
#  Warning: This script requires ccisecurity.php - get it from http://www.cafecounterintelligence.com
#
#####
#############################################################################
# &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; #
# Cafe CounterIntelligence PHP HTTP Download Pipe Script&nbsp; &nbsp; &nbsp;#
# Copyright 2003, Mike Parniak&nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp;#
# www.cafecounterintelligence.com  ; &nbsp; &nbsp; &nbsp; &nbsp; #
# &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ;  #
# This program is free software; you can redistribute it and/or modify&nbsp; &nbsp; &nbsp; #
# it under the terms of the GNU General Public License as published by &nbsp; &nbsp;  #
# the Free Software Foundation; either version 2 of the License, or &nbsp; &nbsp;   ;  #
# (at your option) any later version.&nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   #
# &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp;  #
# This program is distributed in the hope that it will be useful,&nbsp; &nbsp; &nbsp;   ; &nbsp; #
# but WITHOUT ANY WARRANTY; without even the implied warranty of &nbsp; &nbsp;   ; &nbsp; &nbsp; #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.&nbsp; See the &nbsp;   ; &nbsp; &nbsp; &nbsp;  #
# GNU General Public License for more details.&nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ;  #
# &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp;  #
# You should have received a copy of the GNU General Public License&nbsp; &nbsp; &nbsp;   ; #
# along with this program; if not, write to the Free Software&nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp; #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA &nbsp; #
# &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp;  #
# Usage: place your files outside the web directory, and set $filepath to #
# &nbsp; &nbsp; &nbsp;  hold the full filepath to that directory.  Then call filepipe.php #
#  ; &nbsp; &nbsp;  with the fn parameter equal to the filename of the file to  &nbsp;#
  ; &nbsp; &nbsp; download.&nbsp; ie  filepipe.php?fn=myfile.zip   ; &nbsp; &nbsp;#
; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp; &nbsp;   ; &nbsp; &nbsp; &nbsp;  #
#############################################################################
# You must set these variables correctly for this script to work:
$filepath = "/home/cci/files/";&nbsp; # full path to directory holding files (must end in /)
$mininterval = 5; &nbsp; &nbsp; # minimum number of seconds between downloads
$allowdirect = 1; &nbsp; &nbsp; # 0 = Disallow direct linking, 1 = allow it (manual navigation)
$allowoutside = 0; &nbsp; &nbsp; # 0 = Disallow linking from other sites, 1 = allow it
#################################################################
# Check for and prevent deep linking to our files, using the Referer header.
if ((!isset($_SERVER["HTTP_REFERER"])) && (!$allowdirect)) {
  Header("Location: http://" . $_SERVER["HTTP_HOST"]);
  exit();
}
if (!$allowoutside) {
  if ((isset($_SERVER["HTTP_REFERER"])) && (!eregi("http://" . $_SERVER["HTTP_HOST"] . ".+$",$_SERVER["HTTP_REFERER"]))) {
    Header("Location: http://" . $_SERVER["HTTP_HOST"]);
    exit();
  }
}
# Call ccisecurity.php for basic flood control functions
$zipoverride = 0;
$babbleoverride = 0;
require_once("ccisecurity.php");

# If no filename is specified, send them to the main page.
if (!isset($_GET["fn"])) {
  Header("Location: http://" . $_SERVER["HTTP_HOST"]);
  exit();
}
# Prevent rapid downloading based on user set minimum time interval:
if (CCIFloodCheck("filepipe-check",$mininterval)) {
  # Keep track of the number of times they attempt to download too quickly.
  if (!isset($_SESSION["filepipe-toofast"])) {
    $_SESSION["filepipe-toofast"] = 1;
  } else {
    $_SESSION["filepipe-toofast"]++;
  }

  # If they push their luck and try to download too fast more than 20 times, ban them using .htaccess
  if ($_SESSION["filepipe-toofast"]>20) {
    CCIBanIP($_SERVER["REMOTE_ADDR"]);
    exit();
  }

  # Meta refresh back to this URL once the minimum interval has passed.
  echo "<head>";
  echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"" . ($mininterval + 1) . "; URL=http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"] . "\">";
  echo "<title>Download Delay</title></head><body>";
  echo "<b><h1>Download Delayed</h1><br><br>The administrator requires a minimum of $mininterval seconds between downloads by a given user. Your download will begin in $mininterval seconds (starting now) - please wait...</b>";
  echo "</body>";
  session_write_close();
  exit();
}
# Filter out any backward directory change elements (from people who think they're tricky) :
$filename = $_GET["fn"];
$filename = ereg_replace("\.+/", "", $filename);
$filename = ereg_replace("\.\.","",$filename);
$filename = ereg_replace("^[\/]+", "", $filename);
$filename = ereg_replace("^[A-Za-z][:\|][\/]?", "", $filename);
# Make sure the file actually exists in our specified file folder:
if ((!file_exists($filepath . $filename)) || (!is_file($filepath . $filename))) {
  if (!isset($_SESSION["filepipe-notfound"])) {
    $_SESSION["filepipe-notfound"] = 1;
  } else {
    $_SESSION["filepipe-notfound"]++;
  }
  if ($_SESSION["filepipe-notfound"]>10) {
    CCIBanIP($_SERVER["REMOTE_ADDR"]);
    exit();
  }

  echo "<b><h1>Access Denied</h1><br><br>You attempted to download a file that does not exist. To prevent brute-force scouting of files, continued attempts to download files that do not exist may result in the banning of your IP. Please check the URL and try again.</b>";
  exit();
}
# Strip any leading directory part so only the bare file name goes into the headers.
$justfilename = ereg_replace(".+/","",$filename);

if(strpos($_SERVER["HTTP_USER_AGENT"], 'MSIE')){
  header('Cache-Control: public');
}
# Got this from some site - seems IE5.5 needs to be coddled like a fucking baby
if(preg_match("/MSIE 5.5/", $_SERVER["HTTP_USER_AGENT"])) {
  header("Content-Disposition: filename=$justfilename");
} else {
  header("Content-Disposition: attachment; filename=$justfilename");
}
# Am using application/unknown at the suggestion of Kazz (Chris). Seems to work well.
header("Content-Type: application/unknown");
Header("Content-Length: " . filesize($filepath . $filename));
if($fp = fopen($filepath . $filename, "rb")) {
  fpassthru($fp);
}
?>
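As an added example (not part of filepipe.php or any of Mike Parniak's code), here is a canonicalization check that complements the pattern stripping above: instead of removing suspicious substrings from the request, it resolves the requested name under $filepath with realpath() and serves it only if the resolved path lies inside that directory. The temporary directory and files are constructed for the demo; $filepath is the same configuration variable filepipe.php uses.

```php
<?php
// Added example, not the script's own code: canonicalize the requested path and
// require it to stay inside the download directory. realpath() resolves ".",
// "..", symlinks and redundant separators against the real filesystem, so there
// is no blacklist of patterns that has to be kept complete.

function resolve_download_path($filepath, $requested) {
    // The base directory must itself resolve; a missing base is a config error.
    $base = realpath($filepath);
    if ($base === false) {
        return null;
    }
    // Reject embedded NUL bytes before touching the filesystem: they are never
    // legitimate in a file name, and realpath() refuses them on current PHP.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory whose name merely starts with the base name cannot pass.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed fixture: one file inside the download directory, one just outside it.
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "filepipe_demo_" . getmypid();
$inside = $root . DIRECTORY_SEPARATOR . "files";
mkdir($inside, 0700, true);
file_put_contents($inside . DIRECTORY_SEPARATOR . "report.pdf", "demo");
file_put_contents($root . DIRECTORY_SEPARATOR . "secret.txt", "demo");

$cases = array(
    "report.pdf",          // legitimate request
    "./report.pdf",        // same file, redundant "./"
    "../secret.txt",       // exists, but outside the directory: rejected
    "sub/../report.pdf",   // "sub" does not exist, so realpath() fails: rejected
    "report.pdf\0.txt",    // NUL byte: rejected before any filesystem call
    "missing.pdf",         // does not exist: rejected
);
foreach ($cases as $fn) {
    $resolved = resolve_download_path($inside, $fn);
    printf("%-20s -> %s\n", addcslashes($fn, "\0"), $resolved === null ? "DENIED" : $resolved);
}

// Remove the constructed fixture.
unlink($inside . DIRECTORY_SEPARATOR . "report.pdf");
unlink($root . DIRECTORY_SEPARATOR . "secret.txt");
rmdir($inside);
rmdir($root);
```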
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
 
this one is a totally separate drop in.
 
 
::: soapsecurity.php :::
 
 
<?php
#############################################################################
#
# Cafe CounterIntelligence SoapCMS Core Security Class
# Copyright 2004 Mike Parniak
# www.cafecounterintelligence.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Purpose: Base flood, XSS and SQL Injection protection
#
# Requires: Nothing.
#
# Usage: create an instance of the soapSecurity object at the beginning of
# any publicly accessible scripts. GET, POST, and COOKIE variables
# that are strictly numeric should begin with "n_".
#
#############################################################################
class soapSecurity {
  var $ip;
  var $csUn = "Soap";
  var $vkeyname;
  var $vhash;
  var $vsession;
  var $vsesscook;

  // Initialization function
  function soapSecurity($dosanitize = 1) {
    ini_set("session.use_only_cookies","1");
    ini_set("session.use_trans_sid","0");
    $csUn = $this->csUn;
    $ip = $_SERVER["REMOTE_ADDR"];
    $vkeyname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] .
                    $_SERVER["DOCUMENT_ROOT"] . $csUn);
    $vhash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
                 $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
                 $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . $csUn);
    $vsession = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $csUn);
    $vsesscook = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["DOCUMENT_ROOT"] .
                     $_SERVER["HTTP_HOST"]);
    // Keep the computed values on the object as well as in the locals used below.
    $this->ip = $ip;
    $this->vkeyname = $vkeyname;
    $this->vhash = $vhash;
    $this->vsession = $vsession;
    $this->vsesscook = $vsesscook;
    srand(time());
    session_name($vhash);
    session_id($vsession); // Begin data-specific session
    session_start();
    if ((!isset($_SESSION["soapsec-rtg"])) || ($_SESSION["soapsec-rtg"]<1)) {
      $_SESSION["soapsec-rtg"] = rand(3,5);
      $_SESSION["soapsec-romps"] = 0;
      $_SESSION["soapsec-ourl"] = $_SERVER["REQUEST_URI"];
      $_SESSION["soapsec-rcode"] = md5($_SERVER["REMOTE_ADDR"] .
                                       $_SERVER["HTTP_USER_AGENT"] .
                                       $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
                                       $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] .
                                       $_SESSION["soapsec-romps"] . time());
    }
    if (($_SESSION["soapsec-rtg"]>0) &&
        ($_SESSION["soapsec-romps"]<$_SESSION["soapsec-rtg"])) {
      if ((isset($_GET[$vkeyname])) && ($_GET[$vkeyname] == $_SESSION["soapsec-rcode"]) &&
          ($_GET[$vkeyname] != "")) {
        $_SESSION["soapsec-romps"]++;
      } else {
        if (!isset($_SESSION["soapsec-errors"])) $_SESSION["soapsec-errors"] = 0;
        $_SESSION["soapsec-errors"] += 2;
      }
      if ($_SESSION["soapsec-romps"] < $_SESSION["soapsec-rtg"]) {
        $_SESSION["soapsec-rcode"] = md5($_SERVER["REMOTE_ADDR"] .
                                         $_SERVER["HTTP_USER_AGENT"] .
                                         $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
                                         $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] .
                                         $_SESSION["soapsec-romps"] . time());
        $numromps = $_SESSION["soapsec-romps"];
        session_write_close();
        $thisurl = $_SERVER["REQUEST_URI"];
        $thisurl = eregi_replace("\?.*","",$thisurl);
        $thisurl = "http://" . $_SERVER["HTTP_HOST"] . $thisurl . "?";
        $outkey = $vkeyname . "=" . $_SESSION["soapsec-rcode"];
        // First romp is less CPU intensive, in cases of weak automated requesters.
        if ($numromps==1) {
          header("Location: " . $thisurl . $outkey);
          exit();
        }
        // Subsequent romps are tricky, using hard-to-parse javascript.
        $rnu = rand(8,15);
        $ran = array();
        $jsout = "<SCRIPT LANGUAGE=\"JavaScript\">\n";
        for ($i = 0;$i < $rnu;$i++) {
          $ran[$i] = rand(-65,65);
          $jsout .= "var " . chr(97+$i) . " = " . $ran[$i] . "; ";
        }
        $outlen = strlen($outkey);
        $jsout .= "var z = new Array(); ";
        $myvars = array();
        $onvar = 0;
        // Each character of the key is assigned to z[] at an index expressed as
        // (random variable + offset); the assignments are then shuffled.
        for ($i = 0;$i < $outlen;$i++) {
          if ($onvar >= $rnu) $onvar = 0;
          $thediff = $i - $ran[$onvar];
          $myvars[$i] = "z[" . chr(97+$onvar);
          if ($thediff>0) $myvars[$i] .= "+";
          if ($thediff<>0) $myvars[$i] .= $thediff;
          $myvars[$i] .= "] = \"" . $outkey[$i] . "\"; ";
          $onvar++;
        }
        shuffle($myvars);
        $jsout .= implode('',$myvars);
        $jsout .= "var x = z.join(\"\"); ";
        $jsout .= "location.replace(\"" . $thisurl . "\" + x);</SCRIPT><noscript>You must enable Javascript in order to view this webpage.</noscript>";
        echo $jsout;
      } else {
        $thisurl = "http://" . $_SERVER["HTTP_HOST"] . $_SESSION["soapsec-ourl"];
        echo "<SCRIPT LANGUAGE=\"JavaScript\">location.replace(\"$thisurl\");</SCRIPT><noscript>You must enable Javascript in order to view this webpage.</noscript>";
      }
      exit();
    }
    if ($dosanitize) {
      $getvariables = array_keys($_GET);
      $count = 0;
      while($count < count($getvariables)) {
        $_GET[$getvariables[$count]] = $this->sanitize($_GET[$getvariables[$count]],(strpos($getvariables[$count],"n_")===0));
        $count++;
      }
      $getvariables = array_keys($_POST);
      $count = 0;
      while($count < count($getvariables)) {
        $_POST[$getvariables[$count]] = $this->sanitize($_POST[$getvariables[$count]],(strpos($getvariables[$count],"n_")===0));
        $count++;
      }
      $getvariables = array_keys($_COOKIE);
      $count = 0;
      while($count < count($getvariables)) {
        $_COOKIE[$getvariables[$count]] = $this->sanitize($_COOKIE[$getvariables[$count]],(strpos($getvariables[$count],"n_")===0));
        $count++;
      }
    }
    // If server has automatic global creation, destroy automatically created variables.
    // but... make sure that the variable's value matches the request variable's value before destroying it.
    $getvariables = array_keys($_REQUEST);
    $count = 0;
    while($count < count($getvariables)) {
      if ((isset($GLOBALS[$getvariables[$count]])) &&
          ($GLOBALS[$getvariables[$count]] == $_REQUEST[$getvariables[$count]])) {
        unset($GLOBALS[$getvariables[$count]]);
      }
      $count++;
    }
    // Remove our session and initiate or restore the user session.
    if (isset($_COOKIE["$vsesscook"])) {
      session_write_close();
      session_name($vsesscook);
      session_id($_COOKIE["$vsesscook"]);
      session_start();
      if (!isset($_SESSION["soap-flag"])) {
        setcookie($vsesscook,"",0,"/");
        session_unset();
        session_destroy();
        unset($_COOKIE["$vsesscook"]);
        Header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
        exit();
      }
    } else {
      if (!isset($_SESSION["soapsec-lastsess"])) $_SESSION["soapsec-lastsess"] = 0;
      if (!isset($_SESSION["soapsec-fastsess"])) $_SESSION["soapsec-fastsess"] = 0;
      if ((time()-120)<$_SESSION["soapsec-lastsess"]) {
        if ($_SESSION["soapsec-fastsess"]>2) {
          $_SESSION["soapsec-lastsess"] = time();
          exit();
        }
      } else $_SESSION["soapsec-fastsess"] = 0;
      $_SESSION["soapsec-lastsess"] = time();
      $_SESSION["soapsec-fastsess"]++;
      session_write_close();
      session_name($vsesscook);
      session_id(md5(uniqid(time())));
      session_start();
      setcookie($vsesscook,session_id(),0,"/");
      $_SESSION["soap-flag"] = 1;
    }
    if ($this->floodcheck("fastaccess",3,6)) exit();
    return;
  }

  // Removes potentially hazardous material from a string (anti-XSS, anti-Injection)
  // Reliable anti-injection requires cgi variables use the n_ naming convention for any
  // variable that is strictly numeric and possibly used in a query.
  function sanitize($tosanitize,$numonly=FALSE) {
    if ($numonly) {
      $tosanitize = eregi_replace("[^0-9\.\-]","",$tosanitize);
    } else {
      $tosanitize = htmlspecialchars($tosanitize);
      $tosanitize = eregi_replace("javascript:","java&#00;script:",$tosanitize);
      if (!get_magic_quotes_gpc()) $tosanitize = addslashes($tosanitize);
    }
    return $tosanitize;
  }

  // Generic flood checking routine
  function floodcheck($identifier,$interval,$threshold=1) {
    $myresult = 0;
    if (isset($_SESSION["soapsec-" . $identifier])) {
      if ($_SESSION["soapsec-" . $identifier] > (time()-$interval)) {
        if ($threshold<2) {
          $myresult = 1;
        } else {
          if (!isset($_SESSION["soapsec-" . $identifier . "-counter"])) {
            $_SESSION["soapsec-" . $identifier . "-counter"] = 1;
          } else {
            $_SESSION["soapsec-" . $identifier . "-counter"]++;
            if ($_SESSION["soapsec-" . $identifier . "-counter"] >= $threshold) {
              $myresult = 1;
            }
          }
        }
      } else $_SESSION["soapsec-" . $identifier . "-counter"] = 1;
    }
    $_SESSION["soapsec-" . $identifier] = time();
    return $myresult;
  }

}
?>
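As an added example (not part of soapsecurity.php or Mike Parniak's code), here is what the "n_" convention above actually yields: sanitize() keeps only the characters [0-9.-], which produces a digits-only string rather than a validated number. The block contrasts that with strict integer validation and shows the value reaching SQL as a bound parameter. The preg pattern is the same character class as the class's eregi_replace() call; the SQLite table is constructed in memory and assumes the pdo_sqlite extension.

```php
<?php
// Added example, not the class's own code. strip_non_numeric() applies the same
// character class soapSecurity::sanitize() uses for n_* variables.
function strip_non_numeric($value) {
    return preg_replace('/[^0-9.\-]/', '', $value);
}

// Strict alternative: accept only a canonical integer, optionally bounded,
// and return null for anything else instead of a cleaned-up string.
function validate_int_param($value, $min = null, $max = null) {
    $options = array('options' => array());
    if ($min !== null) $options['options']['min_range'] = $min;
    if ($max !== null) $options['options']['max_range'] = $max;
    $result = filter_var($value, FILTER_VALIDATE_INT, $options);
    return $result === false ? null : $result;
}

// Constructed inputs, including ones that the character filter turns into a
// number-like string without their ever having been a number.
$samples = array(
    "42",
    "42abc",
    "1 OR 1=1",              // stripped to "111"
    "1.2.3",                 // survives the filter unchanged, is not a number
    "-7",                    // below the allowed range
    "99999999999999999999",  // exceeds PHP_INT_MAX
);
printf("%-26s %-12s %s\n", "input", "stripped", "validated (1..1000000)");
foreach ($samples as $s) {
    $v = validate_int_param($s, 1, 1000000);
    printf("%-26s %-12s %s\n",
        var_export($s, true),
        "'" . strip_non_numeric($s) . "'",
        $v === null ? "rejected" : $v);
}

// Whichever validation is used, the value should reach the query as a bound
// parameter rather than by string concatenation. Constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO article VALUES (42, 'hello')");

$n_id = validate_int_param("42", 1);   // as an n_id request parameter would be
$stmt = $db->prepare("SELECT title FROM article WHERE id = :id");
$stmt->bindValue(':id', $n_id, PDO::PARAM_INT);
$stmt->execute();
echo "lookup by id 42: " . var_export($stmt->fetchColumn(), true) . "\n";
```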

 
 
 
 
 

Beshoo <basheermorogmail.com> wrote:

Hi !!!!!!
I have some weak points in security side /php/ !!!so
I want to IMPROVE my skills in php security . !!!! , pleeeeez if you
have any resources or any for example ebook or any thing could help me
plaaaaaaaaz tell me, and thanx soo much 4 ur help!!!!


thanx in advance



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "PHP-Masters" group.
To post to this group, send email to PHP-Mastersgooglegroups.com
To unsubscribe from this group, send email to PHP-Masters-unsubscribegooglegroups.com
For more options, visit this group at http://groups.google.com/group/PHP-Masters
-~----------~----~----~----~------~----~------~--~---

php security
user name
2006-03-08 13:17:34
ccisecurity.php and filepipe.php are used together ... ccisecurity.php can be used alone but filepipe.php MUST be used and run through ccisecurity.php

the last one soapsecurity.php is a stand alone.

all are drop ins that should work with any php page or site with little to no changes needed (except in the n_ numeric only variable structure required for sanitization of data in soapsecurity.php)

read the text for more info.

these are the very best and most comprehensive security scripts i have ever seen or heard of and are at the core of every php application i develop (with some minor changes as needed hehehe).

Kudos to mike parniak of http://voodoochat.com and http://cafecounterintelligence.com for his expertise and benevolence making these GPL Open Source scripts

enjoy !
 
 
 
[What is the CCI Website Security Script?]
 The CCI Website Security Script is a drop-in PHP script designed to take on the burden of dealing with certain common security problems in PHP scripts. It is made to be added to an existing script to provide immediate, transparent security of varying types.
 Far, far too often you hear about free scripts having some common vulnerability that has been seen a thousand times in other scripts - people just aren't careful enough when writing scripts. This script is designed to try to compensate for some of this carelessness.

[What can the CCI Website Security Script defend against?]
**HTTP REQUEST FLOODS**
 This was the type of problem that the script was originally designed to deal with. Programs can be created to flood your website with GET or POST requests in order to bog down the CPU, generate thousands of emails, fill up databases, or whatever. Very few scripts are set up to deal with this type of attack, and commercial webhosts are prone to discontinuing your account if you are the victim of one (it's their machines that get bogged down). This script helps protect against this type of attack.
**SCRIPT DISPLAY VULNERABILITIES**
 By far the most common vulnerability in PHP scripts. Users find a cgi variable that will be displayed verbatim, and pass through some HTML code (generally some javascript code) that will send a user's cookies or what-not, to their webserver. They use this information to steal their login or worse. The CCI script has the ability to "sanitize" all GET, POST, and COOKIE data to convert the < > characters to their displayable but non-executable versions. This generally negates the danger of this type of vulnerability.
**GENERAL FLOOD PROTECTION**
 An additional ability of this script is that you can call it from within your own script to perform time-based checking for flooding of a particular function. This means you pass it a unique identifier, such as "messageposts" and a time value, such as 60 seconds... and optionally a threshold number (default 1), and the function will return TRUE if it has been called more than <threshold> times by the same user, without the time value number of seconds between the calls. A very handy feature for script developers.
**IP BANNING VIA .HTACCESS**
 As an option (that defaults to on) this script can modify your .htaccess file to ban the IPs of users who are abusing your scripts. This will drastically reduce CPU load due to their attempts, and prevent them from further trying to abuse your system. You can call this IP Banning function from your own scripts as well, if you wish to ban certain IPs. For this to work, the script must have write access to your .htaccess file (if one exists).
**HTML Source Viewing/Stealing**
 The script can automatically wrap pages in a javascript function which either uses the commonly used "escape" obfuscating technique, or cciSecurity's own encryption method which makes it impossible to get the actual source just using the document data. It stores the key to the encryption in a cookie, which changes with each request - so unless a user captures the cookie data at the same time as the document, they cannot decrypt it properly after the fact!

[How do I use this script?]
 The script is simple to use. Simply add the following line to the very top of your scripts. For scripts that involve multiple .PHP files, you need only add it to the top of any file that all your files include, though using the require_once function dismisses the danger of adding it to the top of ALL files:
require_once("ccisecurity.php");
 You may wish to open ccisecurity.php and alter the configuration variables at the top. The default values should work for most systems, though if you wish to tweak the values for your system, it is a good idea to do so before you begin using it.

[Configuring cciSecurity]
 There are a set of variables at the top of cciSecurity.php that you should look over and tweak to your liking. Any of the options that are more CPU intensive, or might cause problems with some scripts, have been disabled by default. Trial and error will let you figure out which options are best for your site/script.

[Possible Concerns: GZIP encoding / HTML encryption]
 If you want to use either of these options in conjunction with ccisecurity.php, you need to make sure your script does not already use gzip encoding. If it does TURN IT OFF IN YOUR SCRIPT and enable it in ccisecurity.php instead. You cannot use HTML encryption if you use your script's own gzip buffer because the gzip buffer needs to be put into place before the encryption buffer. cciSecurity makes sure the user can accept gzip encoding before using it, so don't worry about using ccisecurity's gzip rather than your own script's.

[Possible Concerns: POST variable sanitizing]
 Some script systems let you or other users post HTML codes in articles, messages, signatures, etc. If your script requires that, make sure to keep the POST sterilization off, or it will convert all the < > characters into &lt; &gt; instead. If you don't require any of that, turn it on - it should greatly reduce the chances of running into cross-site scripting problems (people stealing your users' cookies and such).

[Possible Concerns: CPU Monitor]
 Ok, flat out, this is a big hack. It just runs uptime and snags the CPU load from the result. It's probably smart to leave this off unless you have great faith in my competence as a programmer =) I'm absolutely unsure if this will ever help, or if it's just going to slow things down because it has to execute an external command <shrug>... Use at own risk!

[See a way cciSecurity can be improved?]
 I'd love to see your mods and improvements on this script - I am by no means the penultimate expert on website security or php, and certainly not javascript (!!) so if you can improve on any aspect of the script, or want to discuss its design or possible alterations, I encourage you to visit us at www.cafecounterintelligence.com - join the forums and fire away.
 
::: CCISecurity.php :::
<?php
#############################################################################
#                                                                           #
# Cafe CounterIntelligence PHP Website Security Script 1.8                  #
# Copyright 2002, 2003 Mike Parniak                                         #
# www.cafecounterintelligence.com                                           #
#                                                                           #
# This program is free software; you can redistribute it and/or modify      #
# it under the terms of the GNU General Public License as published by      #
# the Free Software Foundation; either version 2 of the License, or         #
# (at your option) any later version.                                       #
#                                                                           #
# This program is distributed in the hope that it will be useful,           #
# but WITHOUT ANY WARRANTY; without even the implied warranty of            #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             #
# GNU General Public License for more details.                              #
#                                                                           #
# You should have received a copy of the GNU General Public License         #
# along with this program; if not, write to the Free Software               #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA   #
#                                                                           #
# Usage: require_once("ccisecurity.php"); at the start of website scripts.  #
#                                                                           #
#############################################################################
##################
#
# Configuration Section - Set these variables first (Or use default if you want)
#
##################
$usehtaccessbans = 1;       # 1 = modify .htaccess to ban IPs, 0 = don't ban IPs.
$filterGETvars = 1;         # 1 = sterilize HTML tags in GET variables, 0 = don't
$filterCOOKIEvars = 1;      # 1 = sterilize HTML tags in COOKIE variables, 0 = don't
$filterPOSTvars = 0;        # 1 = sterilize HTML tags in POST variables, 0 = don't
$extraPOSTprotection = 0;   # 1 = use the extra POST protection, 0 = don't
$extraGETprotection = 0;    # 1 = use the extra GET protection, 0 = don't (not recommended!)
$checkmultiPOST = 1;        # 1 = only allow maxmultiPOST number of successive POSTs, 0 = don't care
$maxmultiPOST = 5;          # Maximum number of POST operations in a row, if checkmultipost is on.
$zipcompress = 0;           # 1 = Compress pages using GZIP library (lower bandwidth, higher CPU), 0 = don't
$compresslevel = 9;         # Compression level for zipcompressing, from 1 (low) to 9 (maximum)
$cpuloadmonitor = 0;        # 1 = block access if over a certain system load, 0 = don't
$cpumaxload = 10.0;         # Maximum 5 minute system load average before blocking access
$ccisessionpath = "";       # if not blank, sets a directory path to store session files.
##### Encryption/Encoding Variables
$javababble = 0;            # 1 = Use Encoding/Encrypting (Must be on for any), 0 = Don't
$javaencrypt = 0;           # Do actual encrypting of HTML, not just escaping (warning: may slow display)
$preservehead = 0;          # 1 = Only encode/encrypt between BODY tags, 0 = encode/encrypt whole document
##################
#
# Check for in-script overrides
#
##################
if (isset($zipoverride)) {
  if (!isset($_REQUEST["zipoverride"])) {
    $zipcompress = $zipoverride;
    unset($zipoverride);
  }
}
if (isset($babbleoverride)) {
  if (!isset($_REQUEST["babbleoverride"])) {
    $javababble = $babbleoverride;
    unset($babbleoverride);
  }
}
##################
#
# Function: CCIJavaBabble
#
# Usage: Takes some HTML, url-encodes it (jumbles it) then returns the javascript needed to display it properly.
#
##################
function CCIJavaBabble($myoutput) {
  global $mycrypto, $myalpha2, $javaencrypt, $preservehead;
  $s = $myoutput;
  $s = ereg_replace("\n","",$s);
  if ($preservehead) {
    # Keep everything up to and including the <body> tag, and from </body> onward,
    # outside the encoded part; only the piece in between is encoded.
    eregi("(^.+<body[^>]*>)",$s,$chunks);
    $outputstring = $chunks[1];
    $s = substr($s,strlen($chunks[1]));
    eregi("(</body[^>]*>.*)",$s,$chunks);
    $outputend = $chunks[1];
    $s = substr($s,0,strlen($s)-strlen($chunks[1]));
  } else {
    $outputstring = "";
    $outputend = "";
  }

  if ($javaencrypt) {
    # Substitute the shuffled alphabet for the plain one; the browser reverses it
    # using the shuffled alphabet stored in the per-request cookie.
    $s = strtr($s,$myalpha2,$mycrypto);
    $s = rawurlencode($s);
    $outputstring .= "<script>var cc=unescape('$s'); ";
    $outputstring .= "var index = document.cookie.indexOf('" . md5($_SERVER["REMOTE_ADDR"] . $_SERVER["SERVER_ADDR"]) . "='); " .
      "var aa = '$myalpha2'; " .
      "if (index > -1) { " .
      "  index = document.cookie.indexOf('=', index) + 1; " .
      "  var endstr = document.cookie.indexOf(';', index); " .
      "  if (endstr == -1) endstr = document.cookie.length; " .
      "  var bb = unescape(document.cookie.substring(index, endstr)); " .
      "} " .
      "cc = cc.replace(/[$myalpha2]/g,function(str) { return aa.substr(bb.indexOf(str),1) }); document.write(cc);";
  } else {
    $outputstring .= "<script>document.write(unescape('" . rawurlencode($s) . "'));";
  }
  $outputstring .= "</script><noscript>You must enable Javascript in order to view this webpage.</noscript>" . $outputend;

  return $outputstring;
}
##################
#
# Function: CCIClearSession
#
# Format: CCIClearSession()
# Returns: Nothing
#
# Usage: Clears all the data out of the session record other than data used for this script
#
##################
function CCIClearSession() {
  $getvariables = array_keys($_SESSION);
  $count = 0;
  while($count < count($getvariables)) {
    if (substr($getvariables[$count],0,7) != "ccisec-") {
      unset($_SESSION[$getvariables[$count]]);
      if (ini_get('register_globals')) unset($GLOBALS[$getvariables[$count]]);
    }
    $count++;
  }
}
##################
#
# Function: CCIBanIP
#
# Format: CCIBanIP(IPAddress)
# Returns: Nothing
#
# Usage: Will open and add a deny line to the .htaccess file in the same directory to deny all
#        accessing by a given IP address.
#
##################
function CCIBanIP($banip) {
  $filelocation = ".htaccess";
  $limitend = "# End of CCI Security Section\n";
  $newline = "deny from $banip\n";
  if (file_exists($filelocation)) {
    $mybans = file($filelocation);
    $lastline = "";
    # Already banned: nothing to write.
    if (in_array($newline,$mybans)) exit();
    if (in_array($limitend,$mybans)) {
      # Pop everything after the CCI section plus its three closing lines,
      # insert the new deny line, then put the closing lines back.
      $i = count($mybans)-1;
      while ($mybans[$i] != $limitend) {
        $lastline = array_pop($mybans) . $lastline;
        $i--;
      }
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      $lastline = array_pop($mybans) . $lastline;
      array_push($mybans,$newline,$lastline);
    } else {
      array_push($mybans,"\n\n# CCI Security Script\n","<Limit GET POST>\n","order allow,deny\n",$newline,"allow from all\n","</Limit>\n",$limitend);
    }
  } else {
    $mybans = array("# CCI Security Script\n","<Limit GET POST>\n","order allow,deny\n",$newline,"allow from all\n","</Limit>\n",$limitend);
  }
  $myfile = fopen($filelocation,"w");
  fwrite($myfile,implode("",$mybans));
  fclose($myfile);
}
##################
#
# Function: CCIFloodCheck
#
# Format: CCIFloodCheck("identifier",interval,threshold)
# Returns: 1 if requested without minimum interval, a threshold number of times. 0 if not.
#
# Usage: For functions that require flood control pass a unique identifier, the minimum number of
#        seconds that should be waited between repeats of the function, and a number of times that
#        function can be called too quickly before it sets off the flood trapping.
#
##################
function CCIFloodCheck($identifier,$interval,$threshold=1) {
  $myresult = 0;
  if (isset($_SESSION["ccisec-" . $identifier])) {
    if ($_SESSION["ccisec-" . $identifier] > (time()-$interval)) {
      if ($threshold<2) {
        $myresult = 1;
      } else {
        if (!isset($_SESSION["ccisec-" . $identifier . "-counter"])) {
          $_SESSION["ccisec-" . $identifier . "-counter"] = 1;
        } else {
          $_SESSION["ccisec-" . $identifier . "-counter"]++;
          if ($_SESSION["ccisec-" . $identifier . "-counter"] >= $threshold) {
            $myresult = 1;
          }
        }
      }
    }
    $_SESSION["ccisec-" . $identifier] = time();
  }
  return $myresult;
}
################################################################################
srand(time());
if (eregi("ccisecurity\.php",$_SERVER["SCRIPT_NAME"])) exit();
if ($ccisessionpath != "") session_save_path($ccisessionpath);
session_name(md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . "CCI"));
ini_set("session.use_only_cookies","1");
ini_set("session.use_trans_sid","0");
if (($zipcompress) && (isset($_SERVER["HTTP_ACCEPT_ENCODING"])) && (eregi("gzip",$_SERVER["HTTP_ACCEPT_ENCODING"]))) {
  ini_set("zlib.output_compression","On");
  ini_set("zlib.output_compression_level",$compresslevel);
  ob_start("ob_gzhandler");
}
if ($javababble) {
  if ($javaencrypt) {
    $myalpha = array_merge(range("a","z"),range("A","Z"),range("0","9"));
    $myalpha2 = implode("",$myalpha);
    shuffle($myalpha);
    $mycrypto = implode("",$myalpha);
    setcookie(md5($_SERVER["REMOTE_ADDR"] . $_SERVER["SERVER_ADDR"]),$mycrypto);
    unset($myalpha);
  }
  ob_start("CCIJavaBabble");
}
if (substr_count($_SERVER["SERVER_NAME"],".")>1) {
  $cookiedomain = eregi_replace("^[^\.]+\.",".",$_SERVER["SERVER_NAME"]);
} else $cookiedomain = "." . $_SERVER["SERVER_NAME"];
$ip = $_SERVER["REMOTE_ADDR"];
$mykeyname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . "CCI");
$myposthashname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $_SERVER["PATH"] . "CCI");
$myhash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
              $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . "X");

$mysession = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"]);
session_id($mysession);
session_start();

# Sneaky cookie-storing flooding programs tend to trip this - a cookie not meant to be returned.
if ((isset($_SESSION["ccisec-tripwire"])) && (isset($_COOKIE[$_SESSION["ccisec-tripwire"]]))) {
  CCIBanIP($ip);
  exit();
}
$tripwire = md5(uniqid(time()));
setcookie($tripwire,md5(uniqid(time())),time()-999999,"/",$cookiedomain);
$_SESSION["ccisec-tripwire"]=$tripwire;
# End of the tripwire routine

if (!isset($_SESSION["ccisec-errors"])) $_SESSION["ccisec-errors"] = 0;
if ($_SESSION["ccisec-errors"]>=10) {
  CCIBanIP($ip);
  exit();
}
if ((!isset($_SESSION["ccisec-myhash"])) || ($_SESSION["ccisec-myhash"] != $myhash)) {
  $_SESSION["ccisec-myhash"] = $myhash;
  $_SESSION["ccisec-errors"]++;
  session_write_close();
  Header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
}
if ((!isset($_COOKIE[$mykeyname])) || ($_COOKIE[$mykeyname] != $myhash)) {

  if (!isset($_SESSION["ccisec-nocookie"])) {
    $_SESSION["ccisec-nocookie"] = 1;
  } else {
    $_SESSION["ccisec-nocookie"]++;
  }

  if (($usehtaccessbans) && ($_SESSION["ccisec-nocookie"]>10)) CCIBanIP($ip);

  setcookie($mykeyname,$myhash,0,"/",$cookiedomain);

  if ($_SESSION["ccisec-nocookie"]>2) {
    echo "<b><h1>Access Denied</h1><br><br>You must enable cookies in order to access this website. Please do so before returning, as continued attempts to access without cookies may result in a banning of this ip ($ip).</b>";
    session_write_close();
    exit();
  }
  if ($extraGETprotection) {
    $_SESSION["ccisec-hash"] = md5(uniqid(time()));
    setcookie($myposthashname,$_SESSION["ccisec-hash"],0,"/",$cookiedomain);
  }
  CCIClearSession();
  session_write_close();
  Header("Location: http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit();
} else $_SESSION["ccisec-nocookie"] = 0;
if (!isset($_SESSION["ccisec-fastaccesses"])) $_SESSION["ccisec-fastaccesses"] = 0;
if (($usehtaccessbans) && ($_SESSION["ccisec-fastaccesses"]>40)) CCIBanIP($ip);
if ($_SESSION["ccisec-fastaccesses"]>10) {
  if ((time()-60) < $_SESSION["ccisec-lastaccess"]) {
    echo "<b><h1>Access Denied</h1><br><br>There have been too many rapid requests from this IP address ($ip). You must now wait a full 60 seconds before accessing this site again.</b>";
    $_SESSION["ccisec-fastaccesses"]++;
    $_SESSION["ccisec-lastaccess"]=time();
    exit();
  }
}
if (!isset($_SESSION["ccisec-lastaccess"])) {
  $_SESSION["ccisec-lastaccess"]=time();
} else {
  if ((time()-2) < $_SESSION["ccisec-lastaccess"]) {
    $_SESSION["ccisec-fastaccesses"]++;
  } else {
    $_SESSION["ccisec-fastaccesses"] = 0;
  }
  $_SESSION["ccisec-lastaccess"]=time();
}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if ($checkmultiPOST) {
    if ((isset($_SESSION["ccisec-lastoperation"])) && ($_SESSION["ccisec-lastoperation"] == "POST") && ($_SESSION["ccisec-opcount"] >= $maxmultiPOST)) {
      echo "<b><h1>Access Denied</h1><br><br>You may not make multiple POST operations in sequence - please return to the website and try again.</b>";
      $_SESSION["ccisec-errors"]++;
      exit();
    }
  }
  if ($extraPOSTprotection) {
    if ((!isset($_COOKIE[$myposthashname])) || ($_COOKIE[$myposthashname] != $_SESSION["ccisec-hash"])) {
      echo "<b><h1>Access Denied</h1><br><br>Your browser did not send the correct security data needed to complete a POST operation. Make sure that you have cookies enabled and then try again, or contact the administration if you feel you are receiving this message in error.</b>";
      $_SESSION["ccisec-errors"]++;
      exit();
    }
  }
} else if (($extraGETprotection) && ($_SERVER["REQUEST_METHOD"] == "GET")) {
  if ((!isset($_COOKIE[$myposthashname])) || ($_COOKIE[$myposthashname] != $_SESSION["ccisec-hash"])) {
    echo "<b><h1>Access Denied</h1><br><br>Your browser did not send the correct security data needed to complete a GET operation. Make sure that you have cookies enabled and then try again, or contact the administration if you feel you are receiving this message in error.</b>";
    $_SESSION["ccisec-errors"]++;
&nbsp; &nbsp; exit();
&nbsp; }
} else if ($_SERVER["REQUEST_METHOD"] != "GET") {
  exit();
}
if (($extraPOSTprotection) || ($extraGETprotection)) {
  srand(time());
  $_SESSION["ccisec-hash"] = md5(uniqid(time()));
  setcookie($myposthashname,$_SESSION["ccisec-hash"],0,"/",$cookiedomain);
}
if ($_SESSION["ccisec-lastoperation"] == $_SERVER["REQUEST_METHOD"]) {
  if (!isset($_SESSION["ccisec-opcount"])) {
 &nbsp;  $_SESSION["ccisec-opcount"] = 1;
  } else {
 &nbsp;  $_SESSION["ccisec-opcount"]++;
&nbsp; }
} else $_SESSION["ccisec-lastoperation"] = $_SERVER["REQUEST_METHOD"];
# Make special characters safe in any GET based cgi variables.
if ($filterGETvars) {
  $getvariables = array_keys($_GET);
&nbsp; $count = 0;
  while($count < count($getvariables)) {
 &nbsp;  $_GET[$getvariables[$count]] = htmlspecialchars($_GET[$getvariables[$count]]);
   ; if (ini_get('register_globals')) $$getvariables[$count] = $_GET[$getvariables[$count]];
&nbsp; &nbsp; $count++;
  }
}
if ($filterPOSTvars) {
  $getvariables = array_keys($_POST);
&nbsp; $count = 0;
  while($count < count($getvariables)) {
 &nbsp;  $_POST[$getvariables[$count]] = htmlspecialchars($_POST[$getvariables[$count]]);
 ; &nbsp; if (ini_get('register_globals')) $$getvariables[$count] = $_POST[$getvariables[$count]];
&nbsp;   $count++;
  }
}
if ($filterCOOKIEvars) {
  $getvariables = array_keys($_COOKIE);
  $count = 0;
  while($count < count($getvariables)) {
 &nbsp;  $_COOKIE[$getvariables[$count]] = htmlspecialchars($_COOKIE[$getvariables[$count]]);
&nbsp; &nbsp; if (ini_get('register_globals')) $$getvariables[$count] = $_COOKIE[$getvariables[$count]];
 &nbsp;  $count++;
  }
}
if ($cpuloadmonitor) {
  $myshelldata = shell_exec("uptime");
  $myshelldata = eregi_replace(".*average.*: ","",$myshelldata);
&nbsp; $myshelldata = eregi_replace(", .*","",$myshelldata);
  if ($myshelldata >= $cpumaxload) {
 &nbsp;  echo "<b><h1>Access Denied</h1><br><br>The server is currently too busy to serve your request.&nbsp; We apologize for the inconvenience.</b&gt;"; 
 &nbsp;  exit();
&nbsp; }
  unset($myshelldata);
}
unset($count);
unset($getvariables);
unset($ip);
unset($cookiedomain);
unset($mykeyname);
unset($myposthashname);
unset($myhash);
unset($mysession);
$_SESSION["ccisec-errors"] = 0;
if (connection_aborted()) exit();
?>
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
 
::: filepipe.php :::
<?php
#####
#
#  Warning: This script requires ccisecurity.php - get it from http://www.cafecounterintelligence.com
#
#####
#############################################################################
#
# Cafe CounterIntelligence PHP HTTP Download Pipe Script
# Copyright 2003, Mike Parniak
# www.cafecounterintelligence.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Usage: place your files outside the web directory, and set $filepath to
#        hold the full filepath to that directory.  Then call filepipe.php
#        with the fn parameter equal to the filename of the file to
#        download.  ie  filepipe.php?fn=myfile.zip
#
#############################################################################
# You must set these variables correctly for this script to work:
$filepath = "/home/cci/files/";  # full path to directory holding files (must end in /)
$mininterval = 5;       # minimum number of seconds between downloads
$allowdirect = 1;       # 0 = Disallow direct linking, 1 = allow it (manual navigation)
$allowoutside = 0;      # 0 = Disallow linking from other sites, 1 = allow it
#################################################################
# Check for and prevent deep linking to our files, using the Referer header.
if ((!isset($_SERVER["HTTP_REFERER"])) && (!$allowdirect)) {
  header("Location: http://" . $_SERVER["HTTP_HOST"]);
  exit();
}
if (!$allowoutside) {
  # The referer must begin with this host. (eregi() was removed in PHP 7; the match is now anchored
  # with ^ and the host is preg_quote()d so its dots are literal.)
  if ((isset($_SERVER["HTTP_REFERER"])) && (!preg_match('#^http://' . preg_quote($_SERVER["HTTP_HOST"], '#') . '.+$#i', $_SERVER["HTTP_REFERER"]))) {
    header("Location: http://" . $_SERVER["HTTP_HOST"]);
    exit();
  }
}
# Call ccisecurity.php for basic flood control functions
$zipoverride = 0;
$babbleoverride = 0;
require_once("ccisecurity.php");

# If no filename is specified, send them to the main page.
if (!isset($_GET["fn"])) {
  header("Location: http://" . $_SERVER["HTTP_HOST"]);
  exit();
}
# Prevent rapid downloading based on user set minimum time interval:
if (CCIFloodCheck("filepipe-check",$mininterval)) {
  # Keep track of the number of times they attempt to download too quickly.
  if (!isset($_SESSION["filepipe-toofast"])) {
    $_SESSION["filepipe-toofast"] = 1;
  } else {
    $_SESSION["filepipe-toofast"]++;
  }

  # If they push their luck and try to download too fast more than 20 times, ban them using .htaccess
  if ($_SESSION["filepipe-toofast"]>20) {
    CCIBanIP($_SERVER["REMOTE_ADDR"]);
    exit();
  }

  # Tell the browser to retry the same URL once the interval has passed. The request URI is
  # HTML-escaped before it is echoed so a crafted URL cannot inject markup into this page.
  echo "<head>";
  echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"" . ($mininterval + 1) . "; URL=http://" . htmlspecialchars($_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) . "\">";
  echo "<title>Download Delay</title></head><body>";
  echo "<b><h1>Download Delayed</h1><br><br>The administrator requires a minimum of $mininterval seconds between downloads by a given user. Your download will begin in $mininterval seconds (starting now) - please wait...</b>";
  echo "</body>";
  session_write_close();
  exit();
}
# Filter out any backward directory change elements (from people who think they're tricky) :
# (ereg_replace() was removed in PHP 7; these are the same patterns in PCRE form.)
$filename = $_GET["fn"];
$filename = preg_replace('#\.+/#', '', $filename);
$filename = preg_replace('/\.\./', '', $filename);
$filename = preg_replace('#^/+#', '', $filename);
$filename = preg_replace('#^[A-Za-z][:|]/?#', '', $filename);
# Make sure the file actually exists in our specified file folder:
if ((!file_exists($filepath . $filename)) || (!is_file($filepath . $filename))) {
  if (!isset($_SESSION["filepipe-notfound"])) {
    $_SESSION["filepipe-notfound"] = 1;
  } else {
    $_SESSION["filepipe-notfound"]++;
  }
  if ($_SESSION["filepipe-notfound"]>10) {
    CCIBanIP($_SERVER["REMOTE_ADDR"]);
    exit();
  }

  echo "<b><h1>Access Denied</h1><br><br>You attempted to download a file that does not exist. To prevent brute-force scouting of files, continued attempts to download files that do not exist may result in the banning of your IP. Please check the URL and try again.</b>";
  exit();
}
# Keep only the bare file name for the Content-Disposition header.
$justfilename = preg_replace('#.+/#', '', $filename);

$useragent = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "";
if (strpos($useragent, 'MSIE') !== false) {
  header('Cache-Control: public');
}
# Got this from some site - seems IE5.5 needs to be coddled like a fucking baby
if (preg_match("/MSIE 5.5/", $useragent)) {
  header("Content-Disposition: filename=\"$justfilename\"");
} else {
  header("Content-Disposition: attachment; filename=\"$justfilename\"");
}
# Am using application/unknown at the suggestion of Kazz (Chris).  Seems to work well.
header("Content-Type: application/unknown");
header("Content-Length: " . filesize($filepath . $filename));
if ($fp = fopen($filepath . $filename, "rb")) {
  fpassthru($fp);
  fclose($fp);
}
?>
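A containment check for the fn parameter, added here as an illustration and not part of filepipe.php or Mike Parniak's code: rather than stripping ".." patterns out of the requested name and hoping nothing is left, resolve the path with realpath() and serve the file only if it still lies inside $filepath. It assumes $filepath is set as in filepipe.php; the function name cci_resolve_download and the 404 response are the example's own choices.

```php
<?php
// Added example, not part of filepipe.php: resolve-then-compare instead of strip-and-hope.
// $filepath is assumed to be set exactly as in filepipe.php (the directory holding downloads).

/**
 * Return the canonical path of $requested inside $basedir, or false when the request
 * does not name a plain file inside that directory. Traversal with "..", an absolute
 * path, a symlink pointing elsewhere, and a missing file all come back as false.
 */
function cci_resolve_download($basedir, $requested) {
    $base = realpath($basedir);
    if ($base === false || !is_dir($base)) {
        return false;                               // download directory itself is unusable
    }
    // An empty name or an embedded NUL byte can never be a valid download; reject early.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return false;
    }
    // realpath() normalises "..", "./" and symlinks, so the comparison below is made on
    // the real on-disk location rather than on the text the client sent.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return false;                               // missing, or not a regular file
    }
    // Containment: the resolved path must begin with "<base>/". The separator matters:
    // a bare prefix test would let "/home/cci/files-other/x" through for "/home/cci/files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;                               // escaped the download directory
    }
    return $full;
}

// How filepipe.php would use it in place of the regex filter and the file_exists() check.
$resolved = cci_resolve_download($filepath, isset($_GET["fn"]) ? $_GET["fn"] : '');
if ($resolved === false) {
    // One response for "outside the directory" and "does not exist": no hint about which.
    header("HTTP/1.0 404 Not Found");
    exit();
}
$justfilename = basename($resolved);
// ... continue with the Content-Disposition / Content-Length / fpassthru() block from filepipe.php.
```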
---------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------
 
this one is a totally separate drop in.
 
 
::: soapsecurity.php :::
 
 
<?php
#############################################################################
#
# Cafe CounterIntelligence SoapCMS Core Security Class
# Copyright 2004 Mike Parniak
# www.cafecounterintelligence.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Purpose: Base flood, XSS and SQL Injection protection
#
# Requires: Nothing.
#
# Usage: create an instance of the soapSecurity object at the beginning of
# any publicly accessible scripts. GET, POST, and COOKIE variables
# that are strictly numeric should begin with "n_".
#
#############################################################################
class soapSecurity {
  var $ip;
  var $csUn = "Soap";
  var $vkeyname;
  var $vhash;
  var $vsession;
  var $vsesscook;
  // Initialization function (PHP 4 style constructor). The fingerprints are stored on the
  // object via $this-> so that the other methods can read them.
  function soapSecurity($dosanitize = 1) {
    ini_set("session.use_only_cookies","1");
    ini_set("session.use_trans_sid","0");
    $this->ip = $_SERVER["REMOTE_ADDR"];
    $this->vkeyname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] .
      $_SERVER["DOCUMENT_ROOT"] . $this->csUn);
    $this->vhash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
      $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
      $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . $this->csUn);
    $this->vsession = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $