Escondendo o PHP

Em geral, segurança por obscuridade é uma das maneiras mais fracas de segurança. Mas em alguns casos, cada pequena medida de segurança extra é desejável.

Algumas técnicas simples podem ajudar a esconder o PHP, possivelmente retardando um atacante que está tentando descobrir fraquezas no seu sistema. Configurar a diretiva expose_php para off no arquivo php.ini, reduz a quantidade de informação disponível aos atacantes.

Outra tática é configurar o servidor web, como o Apache, para executar tipos de arquivos diferentes pelo PHP, ou por uma diretiva de arquivo .htaccess, ou no próprio arquivo de configuração do Apache. É possível usar extensões de arquivos como disfarce:

Exemplo #1 Escondendo o PHP como outra linguagem

# Fazer código PHP parecer com outros tipos de códigos
AddType application/x-httpd-php .asp .py .pl

Ou obscurecer completamente:

Exemplo #2 Usando extensões desconhecidas para o PHP

# Fazer código PHP parecer com tipos desconhecidos
AddType application/x-httpd-php .bop .foo .133t

Ou esconder ele como código HTML, o que tem uma pequena queda de performance porque todo HTML será avaliado pelo engine do PHP:

Exemplo #3 Usando extensão HTML para arquivos PHP

# Fazer código PHP parecer com HTML
AddType application/x-httpd-php .htm .html

Para isso funcionar efetivamente, deve-se renomear os arquivos PHP com as extensões acima. Embora seja uma forma de segurança por obscuridade, é uma pequena medida preventiva e com poucos custos.

Melhore Esta Página

Aprenda Como Melhorar Esta Página • Envie uma Solicitação de Modificação • Reporte um Problema

＋adicionar nota

Notas de Usuários 22 notes

down

rustamabd at google mail ¶

18 years ago

So far I haven't seen a working rewriter of /foo/bar into /foo/bar.php, so I created my own. It does work in top-level directory AND subdirectories and it doesn't need hardcoding the RewriteBase.

.htaccess:

RewriteEngine on

# Rewrite /foo/bar to /foo/bar.php
RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

# Return 404 if original request is /foo/bar.php
RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
RewriteRule .* - [L,R=404]

# NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]

down

anon at example dot com ¶

11 years ago

The session name defaults to PHPSESSID.  This is used as the name of the session cookie that is sent to the user's web browser / client. (Example: PHPSESSID=kqjqper294faui343o98ts8k77).

To hide this, call session_name() with the $name parameter set to a generic name, before calling session_start().  Example:

session_name("id");
session_start();

Cheers.

down

Sajith Karunatilake @ ¶

2 years ago

Just hiding it doesn't look like good "security" if the code itself is flawed. At the end of the day the code has to run regardless of its file extension. There could be some advantages to this. But it does not prevent someone (who is not a script-kiddie or some kind of automated bot) from exploiting the flaws in the code.

Just a thought.

Just leaving this comment to prevent a beginner from using this as a legitimate security measure (assuming they read documentation). Cool feature though.

down

mmj ¶

21 years ago

You can see if somebody's using PHP just by adding the following to the end of the URL:
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
If the page is using PHP, this will show the PHP credits.

Setting expose_php to Off in php.ini prevents this.

down

Anonymous ¶

22 years ago

PS. If you want to use pretty URLs (i.e. hide your .php extensions) AND you have safe-mode=on, the previous example (ForceType) won't work for you.  The problem is that safe-mode forces Apache to honor trailing characters in a requested URL.  This means that:



http://www.example.com/home 



would still be processed by the home script in our doc root, but for:



http://www.example.com/home/contact_us.html



apache would actually look for the /home/contact_us.html file in our doc root.



The best solution I've found is to set up a virtual host (which I do for everything, even the default doc root) and override the trailing characters handling within the virtual host.  So, for a virtual host listening on port 8080, the apache directives would look like this:



<VirtualHost *:8080>

    DocumentRoot /web/doc_root

    Alias /home "/web/doc_root/home.php"

    AcceptPathInfo On

</VirtualHost>



Some people might question why we are overriding the trailing characters handling (with the AcceptPathInfo directive) instead of just turning safe-mode=off.  The reason is that safe mode sets global limitations on the entire server, which can then be turned on or left off for each specific virtual host.  This is the equivilent of blocking all connections on a firewall, and then opening up only the ones you want, which is a lot safer than leaving everything open globally, and assuming your programmers will never overlook a possible security hole.

down

sandaimespaceman at gmail dot com ¶

17 years ago

Set INI directive "expose_php" to "off" will also help.
You can spoof your PHP to ASP.NET by using:
<?php
error_reporting(0);
header("X-Powered-By: ASP.NET");
?>

down

marpetr at NOSPAM dot gmail dot com ¶

19 years ago

I think the best way to hide PHP on Apache and Apache itself is this:

httpd.conf
-------------
# ...
# Minimize 'Server' header information
ServerTokens Prod
# Disable server signature on server generated pages
ServerSignature Off
# ...
# Set default file type to PHP
DefaultType application/x-httpd-php
# ...

php.ini
------------
; ...
expose_php = Off
; ...

Now the URLs will look like this:
http://my.server.com/forums/post?forumid=15

Now hacker knows only that you are using Apache.

down

CD001 ¶

15 years ago

It's a good idea to "hide" PHP anyway so you can write a RESTful web application.

Using Apache Mod Rewrite:

RewriteEngine On
RewriteRule ^control/([^/]+)/(.*)$ sitecontroller.php?control=$1&query=$2

You then use a function like the following as a way to retrieve data (in a zero indexed fashion) from the $_GET superglobal.

<?php
function myGET() {
  $aGet = array();

  if(isset($_GET['query'])) {
    $aGet = explode('/', $_GET['query']);
  }

  return $aGet;
}
?>

This is only a really basic example of course - you can do a lot with Mod Rewrite and a custom 'GET' function.

down

Pyornide ¶

17 years ago

The idea of hiding the X-Powered-By in PHP is a flawed attempt at establishing security. As the manual indicates, obscurity is not security. If I were exploiting a site, I wouldn't check what scripting language the site runs on, because all that would matter to me is exploiting it. Hiding the fact that you use [x] language isn't going to prevent me from bypassing poor security.

down

benjamin at sonntag dot fr ¶

20 years ago

In response to the previous messages, for apache, there is a easier way to set files without "." to be executed by PHP, just put this in a ".htaccess" file : 

DefaultType  application/x-httpd-php

down

yasuo_ohgaki at yahoo dot com ¶

23 years ago

To hide PHP, you need following php.ini settings

expose_php=Off 
display_errors=Off

and in httpd.conf

ServerSignature Off
(min works, but I prefer off)

down

ldemailly at qualysNOSPAM dot com ¶

22 years ago

adding MultiViews to your apache Options config
lets you hide/omit .php in the url without any rewriting, etc...

down

info at frinteractives dot com ¶

10 years ago

try this
RewriteEngine On

# Unless directory, remove trailing slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)/$ http://example.com/folder/$1 [R=301,L]

# Redirect external .php requests to extensionless url
RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
RewriteRule ^(.+)\.php$ http://example.com/folder/$1 [R=301,L]

# Resolve .php file for extensionless php urls
RewriteRule ^([^/.]+)$ $1.php [L]

down

jtw90210 ¶

20 years ago

In order to get the PATH_INFO to work in order to pass parameters using a hidden program/trailing slash/"pretty url" in more recent versions of PHP you MUST add "AcceptPathInfo On" to your httpd.conf. 



AddType application/x-httpd-php .php .html

AcceptPathInfo On



Try it out with your phpinfo page and you'll be able to search for PATH_INFO. 



http://example.com/myphpinfo.php/showmetheway



If you want to drop the .php use one or both of these:

DefaultType application/x-httpd-php

ForceType application/x-httpd-php

down

Anonymous ¶

21 years ago

Keep in mind, if your really freaked out over hiding PHP, GD will expose you.

Go ahead - make an image with GD and open with a text editor.. Somewhere in there you'll see a comment with gd & php all over it.

down

istvan dot takacsNOSPAM at hungax dot com ¶

23 years ago

And use the

ServerTokens min

directive in your httpd.conf to hide installed PHP modules in apache.

down

l0rdphi1 at liquefyr dot com ¶

22 years ago

More fun includes files without file extensions.



Simply add that ForceType application/x-httpd-php bit to an Apache .htaccess and you're set.



Oh yea, it gets even better when you play with stuff like the following:



<?php

substr($_SERVER['PATH_INFO'],1);

?>



e.g. www.example.com/somepage/55



And:



<?php

foreach ( explode('/',$_SERVER['PATH_INFO']) as $pair ) {

    list($key,$value) = split('=',$pair,2);

    $param[$key] = stripslashes($value);

}

?>



e.g. www.example.com/somepage/param1=value1/param2=value2/etc=etc



Enjoy =)

down

m1tk4 at hotmail dot com ¶

23 years ago

I usually do:

<code>
RewriteEngine on<br>
RewriteOptions inherit<br>
RewriteRule (.*)\.htm[l]?(.*) $1.php$2 [nocase]<br>
</code>

in .htaccess. You'll need mod_rewrite installed for this .

down

Bryce Nesbitt at Obviously.COM ¶

22 years ago

Using the .php extension for all your scripts is not necessary, and in fact can be harmful (by exposing too much information about your server, and by limiting what you can do in the future without breaking links). There are several ways to hide your .php script extension:

(1) Don't hard code file types at all.  Don't specify any dots, and most web servers will automatically find your .php, .html, .pdf, .gif or other matching file. This is called canonical URL format:
     www.xxxxxx.com/page
    www.xxxxxx.com/directory/
This gives you great flexibility to change your mind in the future, and prevents Windows browsers from making improper assumptions about the file type.

(2) In an Apache .htaccess file use:
    RewriteEngine on
    RewriteRule page.html page.php

(3) Force the webserver to interpret ALL .html files as .php:
    AddType application/x-httpd-php .php3 .php .html

down

-1

simon at carbontwelevedesign dot co dot uk ¶

19 years ago

I use the following in the .htaccess document

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

then the following simple code

<?php

$permalinks = explode("/",$_SERVER['REQUEST_URI']);

$varone = $permalinks[1];
$vartwo = $permalinks[2];

...

?>

down

-4

php at vfmedia dot de ¶

21 years ago

I?ve found an easy way to hide php code and the uri is searchable by google and others...(only for unix or linux)

At first I have some rules in my hide.conf (i made an extra .conf for it (apache 2.0))

For example when I want to mask the index.php

<Files index>
 ForceType application/x-httpd-php
 </Files>

My problem is, that my code should be readable...

so I made an extra folder for example srv/www/htdocs/static_output

My phpcode is in the includefolder....(for ex. mnt/source/index.php)

Then I made a link in the shell  > ln mnt/source/index.php srv/www/htdocs/static_output/index

So the code is readable (with .php extension) in my includefolder and there is only the link in the srv folder without extension(which is called by the browser...).

down

-5

omolewastephen at gmail dot com ¶

7 years ago

I used this on my site and it works great for me

# RewriteEngine on

# Rewrite /foo/bar to /foo/bar.php
# RewriteRule ^([^.?]+)$ %{REQUEST_URI}.php [L]

# Return 404 if original request is /foo/bar.php
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$"
# RewriteRule .* - [L,R=404]

# NOTE! FOR APACHE ON WINDOWS: Add [NC] to RewriteCond like this:
# RewriteCond %{THE_REQUEST} "^[^ ]* .*?\.php[? ].*$" [NC]

＋adicionar nota