Security for member dir in rewritemap

Fix it!!

Security for member dir in rewritemap

Postby roychr » Tue Dec 12, 2006 9:30 am

Hi,

Just saw that the software Amember uses a scheme that when you login it modifies a files somewhere in their folder and uses it for each protected folder.

I have been trying to replicate this sort of things without being successfull, is there any gurus that could possibly help devise or point to possible way to read a .txt file (using rewritemap) and compare to some parameter or cookie maybe ? There is no way to read a database from a htaccess file from what i know so this is the simplest of dynamic user permission i think.

Any ideas are welcome, i am pretty sure everyone can benefit from this.

from what i have thought is that you can for example in your security.txt do the following :

SessionID ( from param) -User

so if you do not have a valid sessionId or unique identifier known to the server and you are not registered in the sessions, you cannot do anything at all to hijack the folder.

thanks in advance.
roychr
 
Posts: 3
Joined: Tue Dec 12, 2006 9:21 am

Postby richardk » Tue Dec 12, 2006 11:20 am

So you want to disallow access to a directory if they don't have a session ID?

security.txt
Code: Select all
# session_id  1
abcdefghijkl  1


Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteMap sessionids txt:/path/to/security.txt

# no/empty session id
RewriteCond %{QUERY_STRING} !^(.*&)?sessionid= [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*&)?sessionid=(&.*)?$ [NC]
RewriteRule .* - [F,L]

# session id not in file
RewriteCond %{QUERY_STRING} ^(.*&)?sessionid=([^&]+)(&.*)?$ [NC]
RewriteCond ${sessionids:%2|0} ^0$
RewriteRule .* - [F,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby roychr » Tue Dec 12, 2006 11:31 am

Thanks for your suggestion,

It would be something akin to that. But how do i can get assured that no man in the middle exist if your sessionId gets hi-jacked. I guess this would work, but what could we add to make it check also for the ip of the guy who opened the session ?

Could we add another rewritemap for checking IP and make sur it is unique while session lasts and what would be the parameter to check ? REMOTE_ADDR maybe ?
roychr
 
Posts: 3
Joined: Tue Dec 12, 2006 9:21 am

Postby richardk » Tue Dec 12, 2006 11:39 am

You could do the below or write a program that contacts the database (and just returns true or false) and not use a text file.

Code: Select all
# session_id-ip_addeess       1
abcdefghijkl-123.123.123.123  1

and
Code: Select all
RewriteCond %{QUERY_STRING} ^(.*&)?sessionid=([^&]+)(&.*)?$ [NC]
RewriteCond %2-%{REMOTE_ADDR} ^(.+)$
RewriteCond ${sessionids:%1|0} ^0$
RewriteRule .* - [F,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby roychr » Tue Dec 12, 2006 11:54 am

Can you break down the second and third rewritecond :

RewriteCond %2-%{REMOTE_ADDR} ^(.+)$

if i am correct : this checks for second param after the - but i do not understand the condition to check ^(.+)$, what i understand is [^begining of string with (condition anything goes .+) and then end of string $].


RewriteCond ${sessionids:%1|0} ^0$

this one is check inside txt for any number ? this one really eludes me. does ^0? means any number at end of string ?
roychr
 
Posts: 3
Joined: Tue Dec 12, 2006 9:21 am

Postby richardk » Tue Dec 12, 2006 1:48 pm

Code: Select all
RewriteCond %2-%{REMOTE_ADDR} ^(.+)$

%2 is from the first RewriteCond, it is the session ID. Then there's a literal - (dash) and the %{REMOTE_ADDR} variable. All the pattern does is put it into one variable, %1, for use on the next line.

Code: Select all
RewriteCond ${sessionids:%1|0} ^0$

http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritemap

${sessionids:%1|0} is the RewriteMap lookup.
sessionid is the map name.
%1 is the variable from the line above (session_id-ip_address).
0 is the default value.

If the lookup is successful and the line exists in the RewriteMap, it will return 1 (because you put 1 at the end of every line). It does not match 0 (^0$ means "is 0") so mod_rewrite stops. If the lookup was not successful, it returns the default value, 0, which matches ^0$ and mod_rewrite continues and sends the forbidden header ([F]).
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 13 guests

cron