PHP/Web Server Security Help

Note: This is in general and not Ask a Pro as it has little to do with ComputerCraft/Lua

Hello all,

The next version of Firewolf will have HTTP support, and I'm setting up PHP scripts/web servers to host, upload, download, list, ect… the files. The PHP is going well and everything is working so far - I'm learning a lot!

After hearing quite a few bad tales about troubles CCFan11 had with his HTTP support in Rednet Explorer, I really don't want to have to go through the same thing. I have come up with a few ways I can think of that should help prevent malicious viruses and scripts, but as I know very little about the internet/viruses compared to most of the people on these forums, I need advice about how to prevent bad things from happening.

Ideas I had so far:
- Disallow uploading of files containing * and %
- Replace . with something like %dot%
- Add a .php extension
- Surround the lua code with a simple PHP file:

<html>
<body>
  <?php
   $code = '
--
--  Your Lua code here...
--
   ';
   print $code;
  ?>
</body>
</html>

The downloaded website would take little parsing to get the original Lua code
The current Firewolf antivirus will also be in place with these websites, so Lua viruses shouldn't harm the user's computer too much.

I'm not sure about preventing spammers, but I was thinking about keeping records on IPs and only letting them from uploading/hosting servers once every 10 (not sure?) minutes.

I Appreciate any help!
Please keep in mind that I am noob at this (website hosting, FTP management, ect…) and only learnt PHP in the last hour :P/>

I think its echo not print.

yea, php uses echo

You should be fine with that as long as you don't view the .php file in an HTML-enabled browser. If you view it in a browser, any HTML embedded in the lua will be parsed opening up potential (client-side) security issues.

Well to prevent spammers how about this, have a limit for websites uploads/updates per IP address, ban know proxy services such as Tor, and if people want to have more uploads/updates per set amount of time have there bee a special form to fill out. Where you need to give some info such as: IP address for server or client, name, why you want to have more uploads/updates and possibly email address. This SHOULD prevent most spammers. Also, have the way to upload a site only be done by the FireWolf client. Have a special key provided by the server along with a special key that is from the client, also have the client key updated every time the client is started up. This will stop me from making a simple C# app that uses Tor while constantly requesting the PHP script that adds a website.

We should work together ^_^/> My cloud storage system would do this justice and since the php script i wrote requires validated member login details from an SQL database and uploads the contents of the file in question directly as it is

another thing you can do is set up a DNS type system where people request a namespace to host their site and upload it to, when they request it you create a directory for their site and only when that directory is there will the php allow the upload

so no directory(namespace) no upload

lieudusty, on 20 December 2012 - 01:17 PM said:

I think its echo not print.

Print's been working fine for me :P/>
I know about echo, but I thought I'd use print for consistency with Lua/most other languages.

Manual reference here.

I'll reply in dot points to everyone :P/>

- Blocking Tor proxy servers is a good idea.

- I do like the idea of requiring login pass codes/accounts to upload. Person creates an account, 1 account per IP, data stored in mySQL database, must supply their account details before uploading/updating. This could also be tied in to the DNS idea, where an account may have up to 5 (?) max websites (namespaces - symbolised by directories on the server), and must register a namespace before being allowed to upload to it. No directory, no upload.

- What sort of limit would be acceptable for uploading/updating per IP address/accounts? Once every 10 (?) minutes, and then blocked out for 48 (?) hours if you request the update/upload 10 (?) times one right after the other, or within a 5 (?) minute window?

- The problem I see with the client/server key system is that what's stopping you from simulating the Firewolf client and requesting a key in your C# program, spamming the hell out of me, and leaving :P/> If I can successfully acquire the key in Firewolf, then a spammer would also be able to. Not sure if this would do any good in deterring spammers as it's only 1 more PHP request.

- Instead of surrounding the code in a PHP script, I could just surround it in HTML comment tags to prevent it from being run, and causing any client side issues if the page was opened in a browser, and use a .html extension instead of .php. After a quick test in CC this looks like it will work.

So basically:
- Accounts, 1 per IP
- Max website creation limit for accounts
- HTML comment surrounding site content
- No Tor proxies
So spammers could only create 5 (?) websites before they would have to change IPs without using Tor.

Sounds like a good system. Now we just have to see how it will play out. If you want, send me a dev version and I can see if I can find any exploits. I am pretty good at finding exploits.

A dev version's pretty far off :P/>

When I have one, I'll send it straight away.

Thanks :D/>

Ok, another question regarding this.

When getting the IP address the request to the PHP script has come from (using $_SERVER["REMOTE_ADDR"]?), and if someone is using it on a server, will the returned IP address come from the Minecraft Server, or from the local computer the person is using? Basically, are HTTP requests (when made from Lua in CC) sent from the client connected to the Minecraft Server, or are they made from the Minecraft Server itself?

This won't be a problem in single player, but limiting it to one Firewolf account per IP could be a very big problem if several people are trying to use it on a server, and they can't log in/can't create a new account because all the requests are being sent from the server's IP.

Hey gravity score, instead of limiting people's usage to prevent spammers, how about you add this to your PHP script generate a random riddle from a pool of riddles and then send it to the client for the client to respond with the answer (Like a captcha) after they reached there server uses. Here's a example:

PHP:

[php]

<?php
$randOne = rand(0, 5);
$randTwo = rand(0, 5);
$randOperator = rand(0,2);
switch($randOperator) {
case 0:
$operator = "+";
break;
case 1:
$operator = "-";
break;
case 2:
$operator = "*";
break;
}
echo 'What is '.$randOne.' '.$operator.' '.$randTwo.'?';
?>
[/php]

Client:

http.request("http//www.site.com/riddleGenerator.php")
local event, p1, p2 , p3 = os.pullEvent()
print(p2.readLine())
userInput = read()
http.request("http://www.site.com/riddleAnswer.php?answer="..userInput)
-- that's all I got for now

But the only problem is that you would have to figure out how to have the server store the answer in a data base (using mySQL?) and then checking to see if the answer is right or not…

That's a really good idea! I'll implement it eventually (when I get around to it). Storage for the answer could be done in a temp file (somewhere like /tmp/answer_SENDER_IP_HERE)
That would prevent someone writing a C# app to spam me, but I would still like to know the answer to my question :P/>.

Maybe I should do a bit of testing…

I suggest implementing an SQL database with user accounts and have a limited number of accounts for each IP address that way people can register from SP instead of abusing servers to create lots of accounts.

I looked into it, and CC does send the HTTP requests from the server IP (now I look back at that question and thing duuurrrrhhhhhhh! Seems so obvious now…)

I am using an SQL database to store the accounts, and I might implement a server limit per IP, but it will be quite large - just to stop the spammers being ridiculous.

Thanks for the help/suggestions everyone!

No problem Gravity! :)/>
I would have up to 15 server per IP. But it's completely up to you to decide how much the limit is going to be, :)/> I wonder if this is already out?