Fog Creek Software
Discussion Board
Hidden URLs - How easy are they to find

I am working on the website for http://www.calebsoftware.com at the moment.

Actually I am working on the backend. I have ftp access to the server where the website resides. I will be using a mySQL database to store user information, and to process registration details. For me to work with the server and tinker with my admin php scripts I needed to have some kind of access to the mySQL database. I have found a pre-written free set of php scripts that gives me exactly what I want.

Now I type in www.calebsoftware.com/...../index.php and I have full access to my database. Security-wise, currently if you know the URL, then you have access to the database. The passwords are hardcoded. I am looking to see if there is a way that I can enter them when I access the page. But haven't gotten there yet.

Now (finally) my question.
How safe is this? If nothing else I can ftp into the site and change the name of the password.php file, this will stop the scripts from running and therefore stop anyone from getting access. When I want to use them it is a matter of ftp-ing into the site, and changing the name again.

If a URL exists that has access to a database of information, will it be found? Or is the only way to find it via knowing the URL?

Aussie chick
Sunday, August 08, 2004

PHP and MySQL. Is that a Linux server? Are you using Apache? Google to learn more about .htaccess files. You can password-protect a single directory using an .htaccess file (in fact, you can do a lot more too).

As a note, .htaccess is specific to Apache only. It means nothing in an IIS setup.

anon
Sunday, August 08, 2004

*grin*

I am positive you spoke a different language in that post. Okay, well not a different language, just a lot of new terms that I fear will require a lot of hard work and googling and scratching my head.

I will be honest. There is no way I can afford the time to do that sort of thing at the moment (not when I can just ftp into the site and hide the file).

But if it is considered the more sane approach, then you can be sure I will look into it as soon as I do have some time.

Aussie chick
Sunday, August 08, 2004

Well, it's no real security.  Anyone who wants to access the admin pages just has to watch the HTTP traffic between you and the server, or start guessing.  For a short-term situation, maybe it's acceptable.  The biggest danger is that if you think it's "good enough" you never fix it and do it right.
Look into htaccess.  It's really not that hard to set up, and you can have a password and limit access by requesting IP/domain for extra security.  Even if you're new to Apache, it should take at most a few hours and will really give you peace of mind.
If the data were really valuable, I would add something like SSL with a client certificate.

Brian
Sunday, August 08, 2004

On one of my sites, I was careless enough to install forum software twice. Once in a folder called "forum" and once in a folder called "forums". Both pointed to the same database.

Someone found the unfinished install in "forums" and - purposefully - finished the install, wiping out the database.

If your webhost gives you CPanel or something similar, you can password protect your directory via the admin GUI. If you're on a shared server, ask about it, most will provide it or something like it free. If you're on a dedicated server, it usually costs $20 a month.

www.MarkTAW.com
Sunday, August 08, 2004

http://googlesite.google.com/search?output=googleabout&site=googlesite&q=secret&submit=Search

4. Why is Googlebot downloading information from our "secret" web server?

It is almost impossible to keep a web server secret by not publishing any links to it. As soon as someone follows a link from your "secret" server to another web server, it is likely that your "secret" URL is in the referer tag, and it can be stored and possibly published by the other web server in its referer log. So, if there is a link to your "secret" web server or page on the web anywhere, it is likely that Googlebot and other "web crawlers" will find it.

Matthew Lock
Monday, August 09, 2004

Aussi Chick,

THAT was a clever move to promote your website.

Congratulations

Die Velo AG rechnet mit dem Saldosteuersatz von 2,3% ab.
Monday, August 09, 2004

Sure, I've been able to find people's names in log files... It's pretty scary when something like:

jsmith.newyork.isp.com

is the kind of trail you leave around the web.

Of course, if this is her personal and private space, she'll be smart enough not to follow any links out...

But really, HTACCESS is the right way to secure it. Here's a simple way to protect your website. Not as secure as password protection, but it works.

Create an .htaccess file with the following:

RewriteEngine On
# Any request whose Referer does not start with mydomain.com (including an
# empty Referer, i.e. a typed-in or bookmarked URL) is sent to the homepage.
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain\.com [NC]
RewriteRule .* http://www.mydomain.com/ [R,L]

and put it in the directory you want to protect. What this says is "if someone accesses this directory without being referred from mydomain.com, send them to the homepage."

Then, in yet another super secret location on the server, stick a file with just the link to the hidden directory. Then anyone guessing the hidden directory won't get access. Only if they know the 1 location of this 1 file will they get in. Name it something totally random, even change it from time to time.

Sure they could get into spoofing referrers, but they'd have to be pretty determined to do that.

www.MarkTAW.com
Monday, August 09, 2004

"THAT was a clever move to promote your website."

Dork, she's been around here for a long time and openly talked about the development of this product. Plus the site doesn't even work now. Oh, and the product would be of minimal interest to most JoS readers.

www.MarkTAW.com
Monday, August 09, 2004

Oh... or you could add in another domain, and put the link on another domain... That works nicely too... I have several domains, and one is almost never publicized to the world. This is the one I have phpMyAdmin on... And in a password protected directory.

www.MarkTAW.com
Monday, August 09, 2004

Nice design, by the way. It really says "this is a professional product."

www.MarkTAW.com
Monday, August 09, 2004

just be sure to try it out after running the following (which should be in your favorites)

javascript:window.resizeTo(800,600)

as for .htaccess, the hardest part is getting it to recognize the right password file, on my host there is some really wacky path which i couldn't figure out, so i let the admin interface (e.g. ensim, directadmin, cpanel) write the whole thing for me, then I re-wrote it.

if you can't figure out passwords, you can restrict it to just your IP address.

http://httpd.apache.org/docs/mod/mod_access.html

mb
Monday, August 09, 2004

She won't need to resize her browser if she's just editing her database.

www.MarkTAW.com
Monday, August 09, 2004

If you don't want particular links picked up by robots (well behaved ones anyway), then as well as .htaccess you should add them to robots.txt in the root directory of your site.

Of course publishing links there advertises them to badly behaved people or robots as well, so they should also be protected by .htaccess if using Apache, and by the file system at least if not.

Simon Lucy
Monday, August 09, 2004

"as well as .htaccess" ?

A proper .htaccess should prevent anyone from entering, including a robot. Unless, I guess, the username and password are encoded in the URL, or the spider is given the password somehow.

All this has me thinking. Why don't you keep whatever scripts are required to access the database locally, and only allow access to the database from your IP address, or some other password protection - i.e. at the database level.

www.MarkTAW.com
Monday, August 09, 2004

>This is the one I have phpMyAdmin on... And in a password protected directory.

Am I to read beneath the lines here? If so you most definitely have me convinced.

As for your later comments. I don't know why I couldn't keep the scripts locally, only that I am actually using phpMyAdmin, and I wouldn't even know how to begin doing this.

I appreciate the steps you gave me re .htaccess in an earlier post, I will follow them on the weekend. I do not have the time to deal with anything more complex than following basic steps, however I definitely do not wish to imply that I am wanting someone else to do the work for me (if that makes sense).

With regards to the .htaccess steps you said:
"Then, in yet another super secret location on the server"
This brings me back to my original question, how secret is super secret. Why should I need to 'change it from time to time' if it can't be found?

Aussie chick
Monday, August 09, 2004

Aussie Chick must no doubt have killer looks. Because how else anyone asking such questions would have landed a job writing website backends is completely beyond me.

Egor
Monday, August 09, 2004

Given that she hired herself I doubt it was an issue.


Monday, August 09, 2004

*rolls eyes*

Actually I have written a program (see http://calebsoftware.com), I am now working on the backend of the website in preparation for marketing the program. I have never had much to do with web stuff (it has never appealed to me, I like desktop programming). So I turned down offers to have it coded for me, and have learnt php etc. Installed apache, MySQL etc and figured out basically how they work.

I also have a lot of people on this forum who willingly answer all the dumb questions that I have.

Aussie chick
Monday, August 09, 2004

If it has "never appealed to you", what makes you think that skipping on proper learning and asking "dumb questions" here will do you better than hiring a professional?

Egor
Monday, August 09, 2004

Well I can't afford a professional for a start.

I don't think I am skipping on proper learning. I have to start somewhere, and building my own website backend seemed like a good place to start.

What would you define 'proper learning' as? It is my understanding that it is fairly common for full-time employed programmers to be required to make use of a technology that they do not fully understand. When they do I imagine that they would ask questions of their colleagues as they put what they are learning into practice. I imagine that they would search the Internet for resources (ie tutorials) to assist them. This is pretty much what I am doing.

I would be interested to know what you define as 'proper learning', and why you believe what I am doing is so incorrect?

Aussie chick
Monday, August 09, 2004

Sorry, in answer to your question, why do I think I can do better than a hired professional.

I don't. I imagine a good professional would probably write a much simpler script in much shorter time.

In fact I wrote all of my scripts in VBScript before discovering that VBScript is not available on this unix server, and that it all had to be re-written in php. I had found a MD5 algorithm and tailored it to fit the VBScript, all of which could be professionally seen as wasted time as it turns out the php has a built in MD5!!

Except I learnt so much. My skills increased. I no longer dislike *all* web stuff. I still know I don't have the artistic talent to create a website (I suck with colors), but I realise that php is a lot closer to programming than I once imagined. In fact I even find it quite fun, and I love working with databases.

So in answer to your question. Ultimately the outcome might not be as excellent as a professional might produce, however I do not think that it is below par, and the most important thing that I have achieved is a much greater knowledge, which I would not have gained had I used a hired professional.

Aussie chick
Monday, August 09, 2004

How secret is super secret? It's as secret as it is as easy to guess the url. 

Plus the fact that if you have a link to Google on it Google will spider the page you came from - which is your secret page.

Matthew Lock
Monday, August 09, 2004

>How secret is super secret? It's as secret as it is as easy to guess the url. 

That's what I thought. So is this secret referrer system any more secure than my ftp system?

Do I need to go into the world of SSL etc to properly protect this?

Or as Mark suggested, store the relevant scripts server side?

Aussie chick
Monday, August 09, 2004

Well, I don't know the source code of phpMyAdmin. Maybe it loads an image from their servers or sends them error reports. I really don't know, I never looked too closely in to it. I'm just assuming that anywhere foreign software is running is a location that *could* be discovered.

I'm actually linking to a directory in exactly the manner I describe. I created an HTML page that's a dictionary word, but random (I just typed random letters and chose a word that I thought of when I saw those letters). It's in a not too well known directory on my server. So, this page probably can't be guessed, though I do have it bookmarked.

My server's log files aren't public, nor is any log analysis report.

I would say this is reasonably safe. If anyone was looking, they'd have to guess a directory, filename, and extension (.htm, .html, .shtml, etc.), or have access to my log files. If for any reason they knew phpMyAdmin was installed on my server, they could spoof the referrer to gain access, but that would be a bit of a stretch. They'd have to know, want to gain access, and be motivated enough to spoof the referrer.

So I'd say these are reasonable steps to "harden" your system. Not 100% secure, but not wide open either.

www.MarkTAW.com
Monday, August 09, 2004
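
The log-file angle Mark raises is also the practical check: if the server's access log is yours to read, a short script over it shows whether the hidden directory is only ever hit from the address you administer from, whether Basic auth is turning anyone away, and whether a crawler has already been served the page. This is an added example, not code from the thread or from phpMyAdmin; it assumes Apache's stock "combined" LogFormat, an admin path of /dbadmin/ and an admin network of 203.0.113.0/24, and every log line in it is constructed.

```python
"""Audit an Apache access log for hits on an admin directory.

Added example, not code from the thread or from phpMyAdmin. Assumes the
"combined" LogFormat Apache ships with; the admin path, allow-list and all
log lines below are constructed for the demonstration.
"""
import re
from ipaddress import ip_address, ip_network

# combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

BOT_MARKERS = ("bot", "crawler", "spider", "slurp")

# Constructed sample log (not from a real server): one legitimate admin
# visit, one outsider rejected by Basic auth, one crawler that was served
# the admin page, one ordinary page hit and one line that does not parse.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2004:21:14:02 +1000] "GET /dbadmin/index.php HTTP/1.1" 200 5123 "http://www.example.com/zx/qwerp.html" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2004:21:20:45 +1000] "GET /dbadmin/index.php HTTP/1.1" 401 401 "-" "Mozilla/4.0"
66.249.66.1 - - [09/Aug/2004:22:01:09 +1000] "GET /dbadmin/ HTTP/1.1" 200 5123 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [09/Aug/2004:22:05:00 +1000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
this line is not in combined format
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, admin_prefix, allowed_nets):
    """Flag requests under admin_prefix that should not have happened.

    Returns (findings, skipped). Each finding records the source address,
    path, status and the list of reasons it was flagged; skipped counts
    lines that were not in combined format.
    """
    nets = [ip_network(n) for n in allowed_nets]
    findings, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not rec["path"].startswith(admin_prefix):
            continue  # only the admin directory is of interest here
        reasons = []
        try:
            if not any(ip_address(rec["ip"]) in net for net in nets):
                reasons.append("outside-allowed-network")
        except ValueError:
            reasons.append("unparseable-source-address")
        if rec["status"] == "401":
            # Basic auth (the .htaccess/.htpasswd pair) turned this request away.
            reasons.append("basic-auth-rejected")
        if rec["status"] == "200" and any(b in rec["ua"].lower() for b in BOT_MARKERS):
            # A crawler received the admin page: it was reachable without
            # credentials, and its URL is now in someone else's index.
            reasons.append("crawler-served-admin-page")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings, skipped


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG.splitlines(), "/dbadmin/", ["203.0.113.0/24"])
    for f in found:
        print(f["ip"], f["path"], f["status"], ", ".join(f["reasons"]))
    print(f"{bad} unparseable line(s)")
```

Run it against the real log with the real admin path and your own network; a 200 to a crawler or a hit from an unexpected address is the signal that the URL is no longer secret.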

I understand it a lot more now. Thanks.

Aussie chick
Monday, August 09, 2004


.htaccess is the *only* way to secure this sucker.

I run a small forum system (phpBB) for a small group of friends.  There are a total of 8 of us on there and there are no links published anywhere and they received links via their email.  Then, unless you're a registered member, you can't read any of the forums on the page...

So far, I've had a handful of people attempt to join every week for the past year.  I assume that it's due to Google linking/referrers, but I haven't cared to look into it.

KC
Monday, August 09, 2004

AussieChick,

I'm assuming your server is Linux for all of this. If not, let me know.

To password protect the phpMyAdmin directory, do this:

First, make a file called '.htpasswd' somewhere out of your web root (ie if you use Cpanel, your web root is /home/user/public_html, make it in /home/user). Make sure you know the path of where you put it.

Go to this website: http://www.euronet.nl/~arnow/htpasswd/

It will encrypt your password for you into the required format. Copy the line that site gives you into your htpasswd file and upload it as ascii. That is all that should be in the file.

Make a file called '.htaccess' in the phpMyAdmin directory. In it, place this:

# /home/user/.htpasswd is the file created in the step above; it sits
# outside the web root, so Apache can read it but never serves it.
AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require valid-user

Replace the AuthUserFile path with the path to your .htaccess file, and upload as ascii again.

In theory that should now pop up a password box whenever you go to your phpMyAdmin directory :)


Hope this helps, and let me know if you get stuck and/or your server is not Linux!

James U-S
Monday, August 09, 2004

Yes it is a linux server.

Thanks. It is way past my bedtime here, but you can be sure I will check it out tomorrow night.

Thanks guys for your help (again!).

Aussie chick
Monday, August 09, 2004

> That's what I thought. So is this secret referrer system any
> more secure then my ftp system?

In principle the "secret system" and the ftp system both require you to know a secret phrase, in the first case a secret url and in the second a username and password. So they are both equally secure in that sense.

But you really need to exercise due diligence and add the password protection. If it's phpMyAdmin you don't even need to make .htaccess I think you can code the password straight into the config file.

http://groups.google.com.au/groups?hl=en&lr=&ie=UTF-8&safe=off&q=phpmyadmin+password+protect&btnG=Search

Look how many other people forget to password protect their phpMyAdmin:
http://www.google.com.au/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=%22Welcome+to+phpMyAdmin%22+MySQL+%22running+on%22

Matthew Lock
Monday, August 09, 2004

h4x0r5 are wise to this too: http://www.wired.com/news/infostructure/0,1377,57897,00.html

And you don't want to be 0wn3d do you?

Matthew Lock
Monday, August 09, 2004

I never had any luck creating an .htaccess / .htpassword combination anywhere but on the server itself. Any uploaded .htpassword file never seemed to work quite right, and I have no idea why.

There should be a pretty simple tutorial, however, on how to do it from the command prompt (telnet/ssh) on the server.

www.MarkTAW.com
Monday, August 09, 2004

Mark, I have seen some servers have issues with files uploaded via ftp

bin vs ascii

Tapiwa
Monday, August 09, 2004

I second Matthew's suggestion. Don't store the password in the phpMyAdmin config. Set authorization to 'http' in the config file, then whenever you try to access the MySQL db using phpMyAdmin it will ask you for the USERNAME/PASSWORD for *MySQL* and it will then allow you to access the database if your login details are correct.

Regards,
JD
http://jdk.phpkid.org

JD
Monday, August 09, 2004

"I never had any luck creating an .htaccess / .htpassword combination anywhere but on the server itself. Any uploaded .htpassword file never seemed to work quite right, and I have no idea why.
"

I often find it helps to rename to .htaccess them once they are uploaded, as Windows doesn't seem to like having nothing before the dot. Perhaps that would help?

James U-S
Monday, August 09, 2004

No. I always upload them as ASCII, and I'm aware of Windows' problem with filenames starting with dot.

I never really figured it out, and it wasn't worth my time. Most web hosting companies offer some sort of control panel (usually CPanel), so just secure it through there.

www.MarkTAW.com
Monday, August 09, 2004

Upload them in binary mode, ascii mode causes problems when interpreting cr / lf between unix and windows.

GD
Monday, August 09, 2004

I probably tried that too. But I'll keep it in mind if that situation ever comes up again (unlikely).

www.MarkTAW.com
Monday, August 09, 2004

I'm surprised no one chimed in on the security flaw in using ftp.  It's not secure, and you should really use ssh and scp instead.  Someone dedicated could watch your login in ftp and get your access credentials, to later cause damage.

AnonymousCoward
Monday, August 09, 2004

Just a rhetorical question here -- if Aussie Chick's question had been posed by a guy, and if the post had initially misspelled a few words, would as many people have been so helpful? 

sir_flexalot
Tuesday, August 10, 2004

Did I misspell some words? I always do typos.

But you do have a good point. One that I have capitalised on for many years.  I don't mean in a tarty way, but guys and girls are different, that's a fact.  When I walk into a computer lab, a bunch of geeky heads look up and think "there is a girl in here". I have this brief moment in time to befriend them. From that point on I can generally get away with asking all the questions I like.

I like to think for my part I am articulate and good for a laugh, or a funny story. That is to say, I realise that I am treated differently for being a female, but I am different. I don't say bad things to people, I stick up for everyone.

Girls are different to guys in so many ways. I think it is okay for all of us to recognise this.

You guys all know me slightly, I have an education, and a smart head on my shoulders, I am what most would think of as a somewhat feminist women. I object to negative irrational male/female stereotypes etc. Yet I still love it when my husband opens the car door, or goes and gets whatever I want because it is too cold and I don't want to go. For my part I love having a nice dinner cooking as he comes home from work, and tidying the house.

I know this is way off topic, but does it seem so politically incorrect for a male to acknowledge the differences? Or are men (and I guess a lot of women) still stuck somewhere between the old chauvinist attitudes of decades gone, and the men/women exactly the same thoughts of Greer?
Female thoughts on feminism are well publicised, and even I have had my say. But what do you guys think about it all?

Aussie Chick
Tuesday, August 10, 2004

Having never seen a photo or met 'her', how do I know that 'she' is female? Back when BBS was all the rage, I frequently maintained an opposite-sex persona specifically because I was treated differently when I did so.

In fact, I'll bet that a lot of the nice treatment 'she' gets is simply because 'she' presents 'herself' as a friendly, humble person who wants to learn and isn't afraid to work at it. I'm sure that 'she' could change 'her' screen name to something obviously male and continue to get good help after having established the same reputation.

Who am I, really?
Tuesday, August 10, 2004

AussieChick is a valued member of the community, and gave us tons of insight in to her development process, and let us help her with the decision making process for some crucial steps in her design process. If AussieChick was a guy I certainly would've put in some effort to help him out.

But AussieChick is a girl, and maybe that's why she was open enough to open up the doors and let us get involved in the way she did. I won't ever really know.

www.MarkTAW.com
Tuesday, August 10, 2004

Based on previous postings, it's pretty clear that AC is really a girl. Not that it matters here.

(the sexy aussie accent give it away)

Steve "muppet" Irwin
Tuesday, August 10, 2004

> Or are men (and I guess a lot of women) still stuck somewhere between the old chauvinist attitudes of decades gone, and the men/women exactly the same thoughts of Greer?

I'm not good at generalising ... prefer to know specific examples than generalisations; and even in general the attitudes in Australia, say, are likely different from those in Scandinavia or Europe or America or ...

> When I walk into a computer lab, a bunch of geeky heads look up and think "there is a girl in here". I have this brief moment in time to befriend them.

Actually guys have that opportunity too: when the heads look up and think "there is a guy in here".

> Yet I still love it when my husband opens the car door, or goes and gets whatever I want because it is too cold and I don't want to go. For my part I love having a nice dinner cooking as he comes home from work, and tidying the house.

That too needn't be sexist: doing things for people, having them do things for you ... those can both be pleasurable, no matter what the genders of the people involved. Everyone's unique.

Christopher Wells
Tuesday, August 10, 2004

Interesting, you seem to take a different stance to me (unless I am misreading).

I have felt a distinct interest, when entering male dominated areas, in the fact that I am a female. It was very visible in this forum, mostly when I first arrived, and prior to my personality being known, there were a number of 'oh my gosh a girl, let me talk to her' type responses.  I have never seen anyone ask one of the guys in this forum for their picture. I have had this request many times.

Aussie Chick
Tuesday, August 10, 2004

"Based on previous postings, it's pretty clear that AC is really a girl. Not that it matters here."

I meant we won't know why AussieChick allowed the community here to help in the design process.

I'm all for acknowledging the differences between men & women. Though it's precisely those differences that tend to get me in trouble...

www.MarkTAW.com
Tuesday, August 10, 2004

>I'm all for acknowledging the differences between men & women. Though it's precisely those differences that tend to get me in trouble...

You make a very good point, it seems to be completely up to the whim of the woman as to whether your noticing the difference, and the manner in which you acknowledged the difference, is acceptable. As much as I detest female stereotypes, I do believe women are very very hard to understand!

Aussie Chick
Tuesday, August 10, 2004

>I meant we won't know why AussieChick allowed the community here to help in the design process.

Also I am avoiding even commenting on why I allowed the guys to help with the process. I just wanted to say I appreciated the input. I am aware that it is unusual, perhaps it is some female part of me shining through, perhaps not.  I enjoy appreciating the differences between men and women, but hesitate to pin my design process on me being female (though it might rightly have been driven by this, being that I am a female and all).

Aussie Chick
Tuesday, August 10, 2004

I think that women are definitely different than men - in the way they think, and therefore in the way they act.  Women and men also communicate much differently (ah, what being married will teach you ...).

As for women being treated differently than men (especially in settings where the majority of people are male) - that happens, too.  Many times it takes the form of chivalry (my opening the car door for my wife, Aussie Chick getting plenty of help in the lab, or on these boards).  Nothing wrong with that.  Sometimes, unfortunately, it takes the form of "Do you have a picture ..." or some other adolescent response.

::shrugs::  Many times women treat men differently than they do other women, as well ...

One of the Matts
Wednesday, August 11, 2004

>::shrugs::  Many times women treat men differently than they do other women, as well ...

Absolutely

(we don't scratch guys eyes out like we do to other girls;))

Aussie chick
Wednesday, August 11, 2004

The only people here who think "girls" aren't treated differently from "boys" in a geek/IT setting must have never worked with female colleagues.
If you really need something done cheap, good and fast, have the girl ask the geek. This is why the female lookers (and this doesn't need to be supermodel types, just plain ok will do nicely) who can talk the lingo working in IT can basically fill in their own salary number.

The other side of the coin: Every time I worked under a female manager: walk into a new situation and everyone automatically assumes you are the one in charge, and she's the secretary.

Just me (Sir to you)
Thursday, August 12, 2004
