Friday, 6 March 2015

School year 2014/15 - Lab report: Backup Manager

PROJECT Backup Manager
AUTHOR Hamza Jahangir
OBJECTIVE

Create a PHP application that executes a backup script for the homepage and then permits a download of it after an initial user authentication.

ANALYSIS/THEORETICAL PREMISES

Data from the index page (username and password) is sent with the POST method because it is the method generally used for passwords and other sensitive data. POST variables are not shown in the URL, so the parameters are not saved in the browser history. Compared to the GET method, POST is generally more secure. More information about the POST and GET methods can be found at the following links:


To create a backup archive of the homepage, the Linux tar command can be run through PHP's exec() function (execution of an external program). The tar program is used to create, maintain, modify and extract files archived in the tar format. Note that the permissions of the folder need to be changed so that the web server user can write the archive there.

To download the backup archive, the PHP header() function is used to set HTTP headers. HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP); they define the operating parameters of an HTTP transaction. To send the file to the browser, the readfile() function is used.

The authentication is based on a file that contains user credentials (username and password). Credentials are retrieved using the explode() function.

SHA-1 is a cryptographic hash function designed by the United States National Security Agency. In this application the sha1() function is used to hash the passwords before they are stored.

SPECIFICS

  • Data is sent using POST Method

  • Authentication relies on a txt file with usernames and SHA-1 hashed passwords. The explode() function is used to retrieve the credentials.

  • Backup archive is created using tar command through exec()

  • The archive is downloaded using header() and readfile() in a download page after an initial redirection.

  • All the functions are included in a function library file (that is included in the pages with require)

DEVELOPMENT

The project has been split into four main pages and one text file containing the credentials.

  • index.php – Used for the login and the redirection handling in case of download or authentication error.

  • backup.php – The page that handles the authentication, creates the backup archive and redirects to the download page.

  • download.php – Used for downloading the file as an octet stream.

  • function_lib.php – The file that contains all the needed functions.

  • user-log-file-0000.inc – The text file containing usernames and passwords

AUTHENTICATION PAGE
index.php contains an authentication form that sends data through POST to the backup page.


Form code from the page:

The page also contains PHP code to handle authentication and download errors:

BACKUP PAGE AND CREDENTIALS FILE
backup.php checks whether the user has given the right credentials by reading the user-log-file-0000.inc file, which contains usernames and hashed passwords separated by a delimiter. Note that the credentials file has an .inc extension so that URL access to it can be denied (in the web server configuration file – in this case lighttpd.conf – URL access can be denied for an extension). In order to use the tar command successfully it is important to change the permissions of the folder that contains the file so that a non-root user can write to it.

First the function library is included and all the "parameters" are set:

Then, if the authentication is successful, the archive is created and the download is started by redirecting to the download page; otherwise the user is redirected to the index page with a message:

Code:

DOWNLOAD PAGE
In download.php the headers are set so that the file is delivered with the octet-stream MIME type and sent with readfile(). Note that the function file is included.

FUNCTION FILE
The function_lib.php contains the following functions:
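The report's own function_lib.php is not reproduced here; the following is an added example of how its three pieces (credential check with explode() and sha1(), backup with tar through exec(), download with header() and readfile()) can be written. It assumes a credentials file with one "username:sha1hex" record per line and ':' as the delimiter; the file and directory paths are placeholders chosen for the example.

```php
<?php
// Added example, not the report's function_lib.php. Assumed credentials layout:
// one "username:sha1hex" record per line, ':' as the delimiter.

// Returns true only when $user exists in $credFile and sha1($pass) matches its record.
function check_credentials(string $credFile, string $user, string $pass): bool
{
    $lines = @file($credFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return false;                       // unreadable file: deny, never allow
    }
    $candidate = sha1($pass);
    foreach ($lines as $line) {
        $parts = explode(':', $line, 2);    // explode() as the report describes
        if (count($parts) !== 2) {
            continue;                       // malformed record: skip it
        }
        [$storedUser, $storedHash] = $parts;
        // hash_equals() compares in constant time, so response timing does not
        // reveal how many leading characters of the hash matched.
        if ($storedUser === $user && hash_equals($storedHash, $candidate)) {
            return true;
        }
    }
    return false;
}

// Creates $archive from $sourceDir with tar via exec(). Both paths are fixed by
// the application; escapeshellarg() keeps them from being parsed as shell syntax.
function create_backup(string $sourceDir, string $archive): bool
{
    $cmd = 'tar -czf ' . escapeshellarg($archive) . ' -C ' . escapeshellarg(dirname($sourceDir))
         . ' ' . escapeshellarg(basename($sourceDir)) . ' 2>&1';
    exec($cmd, $output, $status);
    return $status === 0 && is_file($archive);  // "file not created" is a tested failure case
}

// Sends an existing archive to the browser as an octet stream, as download.php does.
function send_backup(string $archive): void
{
    if (!is_file($archive)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($archive) . '"');
    header('Content-Length: ' . (string) filesize($archive));
    readfile($archive);
    exit;
}
```

The example keeps the report's SHA-1 scheme so that it matches the credentials file described above; in current PHP, password_hash() and password_verify() would be the stronger choice for stored passwords.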








Authentication Check Function

AUTHENTICATION FUNCTION FLOW CHART

TESTING

The following situations have been tested:
  • Login with wrong or null credentials
  • Login with correct credentials
  • Backup using tar
  • File not created for some reason
  • Direct access to backup page
  • Direct access to download page
  • Download from the backup page and button
  • Access to the file containing credentials

IMPLEMENTATION/RELEASE
