
There are a lot of ways to detect whether you are running PHP code on localhost or on a server. However, they use $_SERVER and HTTP headers, which can be faked by the user.

This is serious for me because I have made an interactive developer PHP shell on my website, which should go to a 404 if it is not running on localhost.

merhad
  • No, the user can't fake `$_SERVER`. – JJJ Aug 03 '13 at 08:30
  • @Juhana `$_SERVER['REMOTE_ADDR']` can't. But `$_SERVER` contains several keys that come directly from the user's HTTP request, e.g., `HTTP_*`. – Gumbo Aug 03 '13 at 09:19

3 Answers

2

The most straightforward answer is $_SERVER["REMOTE_ADDR"]. It's generally considered reasonably safe.

However, if you provide access to command line commands through your script, it may not be enough. It may be possible to send a request to your script from the outside through IP spoofing. That may be enough to trigger a destructive command even though IP spoofing usually means that the attacker will not receive a response. (This is a very esoteric scenario and I know little more about it than that it may be possible.)

What you could do:

  • Instead of checking the IP from within PHP, make sure the page cannot be accessed from the outside using tougher means, for example by setting up a hardware or software firewall that prevents any access from outside, or configuring your web server to listen only to local requests.

  • Instead of checking the IP from within PHP, protect the page by using some sort of password authentication.

  • Talk to a security expert (maybe on http://security.stackexchange.com), explain your network setup and ask for opinions whether IP spoofing is a possibility in your specific scenario.

  • Make your script available through CLI, the server's local command line, instead of the web server. Place your script outside the web server's root. (This option will probably defeat your specific purpose of having an interactive shell, though)

Or you can of course trust that no one will ever find out. If this is for a low-risk, private project, thinking about IP spoofing is probably overthinking it massively.

Pekka
  • +1, would [php cli](http://php.net/manual/en/features.commandline.php) be a consideration? `$stdin = fopen('php://stdin', 'r');` – Dave Chen Aug 03 '13 at 08:52
1

I believe you are looking for $_SERVER['REMOTE_ADDR'].

Check it against localhost or 127.0.0.1 or a LAN IP of your choice.

Pekka 웃's answer goes into further detail on how this may be spoofed.

Dave Chen
  • I had a look at the answer by nicola here: (http://stackoverflow.com/questions/2053245/) both HTTP_HOST and REMOTE_ADDR seem to be vulnerable. – merhad Aug 03 '13 at 08:37
  • Wow @Pekka웃: I see your comment on that post as well. I would like to mark this question as a duplicate, but fix up that question's answer as well. – Dave Chen Aug 03 '13 at 08:39
-1
$serverList = array('localhost', '127.0.0.1');

// HTTP_HOST is taken from the request's Host header
if (!in_array($_SERVER['HTTP_HOST'], $serverList, true)) {
    // not localhost: return the 404 the question asks for
    http_response_code(404);
    exit;
}

you can't fake this one

Bogdan
  • This can be faked under certain circumstances, though. – Pekka Aug 03 '13 at 08:32
  • [`Contents of the Host: header from the current request, if there is one.`](http://php.net/manual/en/reserved.variables.server.php), so yeah, couldn't this be faked? – Dave Chen Aug 03 '13 at 08:33
  • [$_SERVER 'HTTP_HOST' = an ip that's not my server](http://stackoverflow.com/q/4696684) – Pekka Aug 03 '13 at 08:35
  • I had a look at the answer by nicola here: (http://stackoverflow.com/questions/2053245/) both HTTP_HOST and REMOTE_ADDR seem to be vulnerable. – merhad Aug 03 '13 at 08:35
  • @merhad Ugh, and I even upvoted the answer there. What was I thinking? Using `HTTP_HOST` is not a good idea. REMOTE_ADDR is not vulnerable as such - it can be IP spoofed under certain circumstances but only to make the request, not to receive an answer. It's not likely to be a problem in your case. – Pekka Aug 03 '13 at 08:37
  • @Pekka웃 , do you think in such case(php shell interactive by using eval function) still I can feel safe? – merhad Aug 03 '13 at 08:42
  • @merhad probably not 100%; I'll write an answer – Pekka Aug 03 '13 at 08:45
  • What makes me worried is the answer here: (http://serverfault.com/questions/411658/), the database can be damaged and the attacker would not need any HTTP response. – merhad Aug 03 '13 at 08:48
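The following is an added example written for this page; it is not code from any of the answers or comments above. It places the `HTTP_HOST` check from the last answer next to a guard built along the lines of Pekka's answer (trust `REMOTE_ADDR`, which the web server fills in from the TCP peer address, and additionally require a password-style secret), then runs both against two constructed `$_SERVER` arrays: what the server would populate for a genuine request from localhost, and for a request from an outside address sent with a forged `Host:` header (what `curl -H 'Host: localhost' http://example.test/shell.php` produces). The function names `host_header_says_local`, `is_loopback` and `dev_shell_allowed`, the `X-Dev-Token` header, the token value and the sample addresses are all assumptions made for the example.

```php
<?php
// Added example, not code from the original answers. Compares the
// HTTP_HOST check with a REMOTE_ADDR + shared-secret guard on constructed
// $_SERVER arrays (no real requests are involved).

declare(strict_types=1);

// The check from the last answer. HTTP_HOST is copied from the client's
// Host header, so its value is chosen by whoever sends the request.
function host_header_says_local(array $server): bool
{
    $serverList = ['localhost', '127.0.0.1'];
    return in_array($server['HTTP_HOST'] ?? '', $serverList, true);
}

// True only for a loopback peer: 127.0.0.0/8, ::1, or the IPv4-mapped
// IPv6 form ::ffff:127.x.x.x. Anything unparsable is rejected.
function is_loopback(string $addr): bool
{
    if (stripos($addr, '::ffff:') === 0) {
        $addr = substr($addr, 7);           // strip the IPv4-mapped prefix
    }
    $bin = @inet_pton($addr);
    if ($bin === false) {
        return false;                       // not a valid IP address
    }
    if (strlen($bin) === 4) {
        return ord($bin[0]) === 127;        // 127.0.0.0/8
    }
    return $bin === inet_pton('::1');       // IPv6 loopback
}

// Guard in the spirit of Pekka's answer. REMOTE_ADDR comes from the TCP
// connection, not from any header; the token (assumed to be loaded from a
// file outside the web root) means that even a request with a spoofed
// source address, where the sender never sees a reply, cannot run anything
// without already knowing the secret. HTTP_HOST and HTTP_X_FORWARDED_FOR
// are deliberately never consulted: both are client-supplied.
function dev_shell_allowed(array $server, string $expectedToken): bool
{
    if (!isset($server['REMOTE_ADDR']) || !is_loopback($server['REMOTE_ADDR'])) {
        return false;
    }
    // Constant-time comparison so the token cannot be recovered via timing.
    return hash_equals($expectedToken, $server['HTTP_X_DEV_TOKEN'] ?? '');
}

// Constructed inputs for the demonstration (not captured traffic).
$secret  = 'example-token-not-a-real-secret';
$genuine = [
    'REMOTE_ADDR'      => '127.0.0.1',      // peer really is the local host
    'HTTP_HOST'        => 'localhost',
    'HTTP_X_DEV_TOKEN' => $secret,
];
$forged  = [
    'REMOTE_ADDR' => '203.0.113.9',         // outside peer (documentation range)
    'HTTP_HOST'   => 'localhost',           // forged with curl -H 'Host: localhost'
];

$results = [
    'HTTP_HOST check, genuine local request'                  => host_header_says_local($genuine),
    'HTTP_HOST check, outside request with forged Host'       => host_header_says_local($forged),
    'REMOTE_ADDR+token guard, genuine local request'          => dev_shell_allowed($genuine, $secret),
    'REMOTE_ADDR+token guard, outside request with forged Host' => dev_shell_allowed($forged, $secret),
];
foreach ($results as $case => $allowed) {
    printf("%-60s %s\n", $case, $allowed ? 'ALLOWED' : 'DENIED');
}

// On the real page the deny branch is the 404 the question asks for:
//   if (!dev_shell_allowed($_SERVER, $secret)) { http_response_code(404); exit; }
```

Run with `php` on the command line: the `HTTP_HOST` check allows both requests, because the forged `Host:` header is all it looks at, while the `REMOTE_ADDR` plus token guard allows only the genuine local request. Two caveats for anyone deploying something like this: if a reverse proxy runs on the same machine, every request reaches PHP from 127.0.0.1 and the loopback test becomes meaningless (and `X-Forwarded-For` is only trustworthy if that proxy overwrites it), so the web-server-level restriction Pekka suggests (`Require local` in Apache 2.4, or `allow 127.0.0.1; allow ::1; deny all;` in nginx) should be applied at whichever layer actually terminates the outside connection; and the token check is the part that holds up if the address check is somehow bypassed, so it should not be dropped for convenience.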