I use the phpinfo() function a great deal, for basic information to advanced server administration checking, so I like to have it running on all my hosts.
Unfortunately this is a great hole in my security, as this information is a gold mine for the hackers out there.
I could simply remove the file when I am finished, or obfuscate the filename to make it difficult to find. But both of these would rather destroy the ease and simplicity I am looking for.
So, I decided to sort this out today.
The solution I am using is simple. Basic HTTP Auth.
Just enough to deter any would be hackers, as no-one can see how complicated my security is behind this shield. And, this should work on all PHP servers.
Here is the code.
[cc lang="php" tab_size="2" lines="40"]
function authenticate($uid,$pw) {
if (
!isset($_SERVER['PHP_AUTH_USER']) ||
!isset($_SERVER['PHP_AUTH_PW']) ||
$_SERVER['PHP_AUTH_USER'] != $uid ||
$_SERVER['PHP_AUTH_PW'] != $pw
){
header('WWW-Authenticate: Basic realm="Security Check"');
header('HTTP/1.0 401 Unauthorized');
echo "You must enter a valid login ID and password to access this resource\n";
exit;
}
if($pw == "password"){
echo "You must change the 'password' before you can have access to this...";
exit;
}
}
authenticate("admin","password");
phpinfo();
[/cc]
And a zipped version.
If you have a standard file with phpinfo() in it...
I highly suggest you start using this.
No comments:
Post a Comment