Web applications often store dynamic data in folders together with the application. From WordPress to Magento, many open source apps default to intermingling the data with the application folder structure. Although this provides a simpler deployment and ease of installation for newcomers, it also provides a significant security loophole for exploit by hackers.
By storing data files in publicly accessible folders, that data can be read by any Internet client. Malicious users can scan web applications for generic folder names, such as “log”, “files”, and “var/log”, and review their contents to search for system vulnerabilities. Logs can be an especially weak point on the system, since error logs can often provide software versions and other sensitive information that can then be exploited for targeted vulnerabilities.
In order to ensure that dynamic files are protected against unprivileged access, any sensitive information should be accessed solely through a proxy service. The files themselves should then be secured using Htaccess files, making sure that no direct access to the files is possible from the Internet.
A simple logging function might be coded as follows:
file_put_contents($log_path.'/log-'.date('Ymd').'.txt',date('c').' '.$txt."\r\n",FILE_APPEND);
Next, in order to simplify deployment, as many applications do, we will add automatic folder creation so that the server dynamically creates a log folder if it does not exist:
if(!file_exists($log_path) || !is_dir($log_path)) mkdir($log_path);
file_put_contents($log_path.'/log-'.date('Ymd').'.txt',date('c').' '.$txt."\r\n",FILE_APPEND);
The problem manifest is that the log folder will be publicly readable by default. Malicious users can then scan that folder, review the files, and take advantage of the listed errors to gain access into the system. To prevent that from happening, the function should also dynamically secure the log folder:
if(!file_exists($log_path) || !is_dir($log_path)) mkdir($log_path);
if(!file_exists($log_path.'/.htaccess')){
file_put_contents($log_path.'/.htaccess',"order deny,allow\ndeny from all");
}
file_put_contents($log_path.'/log-'.date('Ymd').'.txt',date('c').' '.$txt."\r\n",FILE_APPEND);
The Htaccess file generated by the function prevents any access from web users. Upon any implementation, the folder access should also be tested in each target environment. Certain Apache configurations can ignore Htaccess files, causing all the files to be readable online. In addition, if a previous Htaccess file existed in the target folder, the security will not be implemented. A more effective approach would be to store data files in a separate folder entirely, outside the directories accessible from the Internet. Still, if that configuration is not possible, a self-securing function will provide better protection than no security at all.
Written by Andrew Palczewski
About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.
Google+
