{"id":207,"date":"2008-09-23T20:39:00","date_gmt":"2008-09-23T20:39:00","guid":{"rendered":"http:\/\/blog.trungson.com\/?p=207"},"modified":"2008-09-23T20:39:00","modified_gmt":"2008-09-23T20:39:00","slug":"improve-security-for-apc-php","status":"publish","type":"post","link":"http:\/\/blog.trungson.com\/?p=207","title":{"rendered":"Improve security for apc.php"},"content":{"rendered":"

If you’re running APC with PHP, you have the option to download apc.php to view, monitor the usage\/stats. However, the default authentication is very open. Without any credential, anyone can view the running stats and also the cached filenames (a simple search on “APC INFO” will show some site running APC). The login is to view per-directory file caching. So if you want to require login credential on ALL access change this code:<\/p>\n

\n\/\/ authentication needed? \n\/\/ \nif (!USE_AUTHENTICATION) { \n $AUTHENTICATED=1; \n} else { \n $AUTHENTICATED=0; \n if (ADMIN_PASSWORD!=’password’ && ($MYREQUEST[‘LO’] == 1 || isset($_SERVER[‘PHP_AUTH_USER’]))) {<\/p>\n if (!isset($_SERVER[‘PHP_AUTH_USER’]) || \n !isset($_SERVER[‘PHP_AUTH_PW’]) || \n $_SERVER[‘PHP_AUTH_USER’] != ADMIN_USERNAME || \n $_SERVER[‘PHP_AUTH_PW’] != ADMIN_PASSWORD) { \n Header(“WWW-Authenticate: Basic realm=\\”APC Login\\””); \n Header(“HTTP\/1.0 401 Unauthorized”);<\/p>\n echo <<<eob\n <html><body><\/p>\n<h1>Rejected!<\/h1>\n <big>Wrong Username or Password!<\/big> \n <big><a href='$PHP_SELF?OB={$MYREQUEST['OB']}'>Continue…<\/a><\/big> \n <\/body><\/html> \nEOB; \n exit;<\/p>\n } else { \n $AUTHENTICATED=1; \n } \n } \n} \n<\/textarea><\/p>\nto this:<\/p>\n<textarea name=\"code\" class=\"php\"> \n\/\/ 9\/23\/2008: Son Nguyen changed to always require auth for ANY info, not just Per-Dir \n$AUTHENTICATED=0;<\/p>\nif (!isset($_SERVER[‘PHP_AUTH_USER’]) || \n\t!isset($_SERVER[‘PHP_AUTH_PW’]) || \n\t$_SERVER[‘PHP_AUTH_USER’] != ADMIN_USERNAME || \n\t$_SERVER[‘PHP_AUTH_PW’] != ADMIN_PASSWORD) { \n\tHeader(“WWW-Authenticate: Basic realm=\\”APC Login\\””); \n\tHeader(“HTTP\/1.0 401 Unauthorized”);<\/p>\n\techo <<<eob\n\t\t<html><body><\/p>\n<h1>Rejected!<\/h1>\n\t\t<big>Wrong Username or Password!<\/big> \n\t\t<big><a href='$PHP_SELF?OB={$MYREQUEST['OB']}'>Continue…<\/a><\/big> \n\t\t<\/body><\/html> \nEOB; \n\texit;<\/p>\n} else { \n\t$AUTHENTICATED=1; \n} \n<\/textarea><\/p>\n","protected":false},"excerpt":{"rendered":"If you’re running APC with PHP, you have the option to download apc.php to view, monitor the usage\/stats. However, the default authentication is very open. Without any credential, anyone can view the running stats and also the cached filenames (a simple search on “APC INFO” will show some site running APC). The login is to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,18],"tags":[],"_links":{"self":[{"href":"http:\/\/blog.trungson.com\/index.php?rest_route=\/wp\/v2\/posts\/207"}],"collection":[{"href":"http:\/\/blog.trungson.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.trungson.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.trungson.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.trungson.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=207"}],"version-history":[{"count":0,"href":"http:\/\/blog.trungson.com\/index.php?rest_route=\/wp\/v2\/posts\/207\/revisions"}],"wp:attachment":[{"href":"http:\/\/blog.trungson.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.trungson.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=207"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.trungson.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}