php back door URL precautions

  • 2020-11-18 06:08:38
  • OfStack

For example, the following web application displays sensitive information only to logged-in users:

<?php
$authenticated = FALSE;
$authenticated = check_auth(); // application-defined: returns TRUE for a logged-in user
if ($authenticated)
{
    // sensitive.php sits in the document root next to this script
    include './sensitive.php';
}
?>

Because sensitive.php is located in the site's document root (its home directory), it can be requested directly from a browser, bypassing the authentication check entirely: every file under the document root has a corresponding URL. Where such an included script performs an important operation rather than merely displaying data, the risk is greater.
To prevent backdoor URLs, keep every included file outside the document root. Only files that are meant to be requested directly by URL belong in the document root.
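The same application laid out as the text recommends, as an added example that is not part of the original article: sensitive.php is moved out of the document root, and additionally refuses to run unless it was included by the entry script. The directory layout (public/ as the document root, app/ one level above it), the constant names and the check_auth() helper are assumptions.

```php
<?php
// --- public/index.php : the only file that lives under the document root (assumed layout)
declare(strict_types=1);

// Marker that app/sensitive.php checks before doing anything. A direct
// request for sensitive.php never passes through this file, so the marker
// would be absent in that case.
define('APP_ENTRY', true);

// Private directory one level above the document root: no URL maps to it,
// so the web server cannot serve these files directly.
define('APP_PRIVATE', dirname(__DIR__) . '/app');

require APP_PRIVATE . '/auth.php';   // assumed: defines check_auth(): bool

$authenticated = check_auth();
if ($authenticated) {
    include APP_PRIVATE . '/sensitive.php';
}

// --- app/sensitive.php : stored outside the document root
// Defence in depth: should this file ever be copied or deployed under the
// document root by mistake, it still refuses to run as a stand-alone page.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit;
}
// ... sensitive output or privileged operation follows
```

The second check costs nothing and catches the case the text warns about when a later deployment puts an include back inside the document root.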
