SitePoint Sponsor

User Tag List

Page 1 of 4 1234 LastLast
Results 1 to 25 of 83
  1. #1
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Question Disable file viewing via URL, but allow a link to it via my PHP script

    With the upcoming release of my new software FileTrack, I have one bug left to iron out. It's a big security problem.

    When you upload a file into an account and project (subfolder in the account), it goes to FILETRACK/admin/files/account/project/ . I stuck an .htaccess in /files/ with Options -Indexes contents in order to disable directory contents viewing. However, if a person has the URL of a file which has been uploaded, they can type in the URL and download it with no restrictions. Additionally, create a link on an HTML page and 'save as'.

    I need to be able to restrict this type of access, but allow my PHP software to be able to view it using links. Authorization is using a user/pass form and sessions for the vars.

    Thanks an advance.

  2. #2
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    The FileTrack software will always be on the same server, right?
    Mike
    It's not who I am underneath, but what I do that defines me.

  3. #3
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Nope. Each customer installs it on his or her own.

  4. #4
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    But the files it is protecting, they are on the same server as the FileTrack software?
    Mike
    It's not who I am underneath, but what I do that defines me.

  5. #5
    Bah, I'll just hack it DoobyWho's Avatar
    Join Date
    Jul 2002
    Posts
    476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    yes

  6. #6
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Correct.

  7. #7
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Well I'm not in a position to test it now, but couldn't you just CHMOD the files? To say 700 or 750?
    Mike
    It's not who I am underneath, but what I do that defines me.

  8. #8
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Or even disable browser viewing of the subdir:

    <Limit GET>
    order deny,allow
    deny from all
    </Limit>
    Mike
    It's not who I am underneath, but what I do that defines me.

  9. #9
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, it needs to be viewable via the broswer, so long as the person has logged in to the respectable account. And only denied if they're not logged into that account.

  10. #10
    Bah, I'll just hack it DoobyWho's Avatar
    Join Date
    Jul 2002
    Posts
    476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    basically there needs to be a way for people to access it from the domain the script is installed on , but not from any other domain.



    <--- developed FT with geiger

  11. #11
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Well it would be a bit easier if the file was only accessed via http://www.domain.com/FILETRACK/admi...etpicture.jpeg

    But you want them to see it via http://www.domain.com/FILETRACK/admi...etpicture.jpeg correct?

    But yeah, it's 1 A.M. and my mind is going at a slower pace
    Mike
    It's not who I am underneath, but what I do that defines me.

  12. #12
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Well, if it's through viewfile.php?file=file.ext

    then check the session/cookie, and if it's valid, include/echo the file, If it's not, then don't.

    make the file dir different from the dir where viewfile.php is, and then put this in:

    <Limit GET>
    order deny,allow
    deny from all
    </Limit>


    That should do it. Ofcourse, if you aren't viewing files through the php page, then I'm out of ideas.
    Mike
    It's not who I am underneath, but what I do that defines me.

  13. #13
    SitePoint Wizard silver trophy Karl's Avatar
    Join Date
    Jul 1999
    Location
    Derbyshire, UK
    Posts
    4,411
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Your best bet is to look in to mod_rewrite, then what you can do is.

    Create a PHP page to authenticate the user and present them with a list of files they can download. Then if you set mod_rewrite to deny access to all files except when the referer is your script, that way, they have to go from your authenticated file list page to download the file else they will be rejected - You can also send them to the login page if they don't have the correct referer details.

    Thanks,
    Karl Austin :: Profile :: KDA Web Services Ltd.
    Business Web Hosting :: Managed Dedicated Hosting
    Call 0800 542 9764 today and ask how we can help your business grow.

  14. #14
    Bah, I'll just hack it DoobyWho's Avatar
    Join Date
    Jul 2002
    Posts
    476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Basically what happens is, they are presented with a list of files they can download. But the links link to a direct link to the file, and not a php page including the file. How would i mod_rewrite the directory to only allow the files to be accessed via the links in my script?

  15. #15
    SitePoint Wizard silver trophy Karl's Avatar
    Join Date
    Jul 1999
    Location
    Derbyshire, UK
    Posts
    4,411
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It's a variation on the hot link protection rules for mod_rewrite, I can't remember it off the top of my head, but I know it does work as a customer has just done something similar on their web site. I'm sure somewhere on these forums someone has posted the hotlink protection rules for mod_rewrite, they just need modifying to restrict the referer to the full URL to the PHP page that links to the downloads rather than let any page on the domain work.

    Thanks,
    Karl Austin :: Profile :: KDA Web Services Ltd.
    Business Web Hosting :: Managed Dedicated Hosting
    Call 0800 542 9764 today and ask how we can help your business grow.

  16. #16
    Bah, I'll just hack it DoobyWho's Avatar
    Join Date
    Jul 2002
    Posts
    476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    From my knowledge, mod_rewrite only works on Apache servers. What if the user was using a windows server?

  17. #17
    SitePoint Wizard silver trophy Karl's Avatar
    Join Date
    Jul 1999
    Location
    Derbyshire, UK
    Posts
    4,411
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Sorry, I just assumed it was Linux. In that case I am not sure as I do not know if IIS has a similar module or functionallity to mod_rewrite.
    Karl Austin :: Profile :: KDA Web Services Ltd.
    Business Web Hosting :: Managed Dedicated Hosting
    Call 0800 542 9764 today and ask how we can help your business grow.

  18. #18
    Bah, I'll just hack it DoobyWho's Avatar
    Join Date
    Jul 2002
    Posts
    476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well right now it sits on a linux server, but because this software is going to be sold, it needs to be able to work on both platforms. It might even mean having a seperate download for each platform.

  19. #19
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Guess we got ourselves tough bug here. No solution yet, then?

  20. #20
    ********* Genius Mike's Avatar
    Join Date
    Apr 2001
    Location
    Canada
    Posts
    5,458
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    pippo might know of a solution, you could always PM him.
    Mike
    It's not who I am underneath, but what I do that defines me.

  21. #21
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Also, noticed a problem with using htaccess to deny access to files based on referrer.

    If the admin puts a link in a file description, the account holder can click it, obviously. But if the link (for whatever reason) is to a file not in their account, they would still be able to access it. Additionally, if they install an upcoming messaging system add-on, the account holder can post their OWN link and click on it. That way, they can go to whatever file they want.

  22. #22
    SitePoint Wizard geiger's Avatar
    Join Date
    Jul 2001
    Posts
    2,459
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'm PM him and point him to this thread. Thanks.

  23. #23
    FreeBSD The Power to Serve silver trophy pippo's Avatar
    Join Date
    Jul 2001
    Location
    Italy
    Posts
    4,514
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi,
    I don't consider myself an expert in this area but I could post an advice.
    Please, please DO NOT USE the referer[sic] variable to authenticate your users.
    It can be easily spoofed.
    As I said I'm not expert but I discourage you from using referer variable.

    Apache could offer you these kinds of authentications:
    http://httpd.apache.org/docs/howto/auth.html
    Are they enough for you ?


    :-)
    pippo
    Last edited by pippo; Jan 27, 2003 at 06:00.
    Mr Andrea
    Former Hosting Team Advisor
    Former Advisor of '03

  24. #24
    SitePoint Wizard silver trophy Karl's Avatar
    Join Date
    Jul 1999
    Location
    Derbyshire, UK
    Posts
    4,411
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Your only real alternative for Windows and Linux cross platform is to open the file with the PHP i/o functions, then pass it through to the user directly after you have set the content-type header correctly.
    Karl Austin :: Profile :: KDA Web Services Ltd.
    Business Web Hosting :: Managed Dedicated Hosting
    Call 0800 542 9764 today and ask how we can help your business grow.

  25. #25
    Bah, I'll just hack it DoobyWho's Avatar
    Join Date
    Jul 2002
    Posts
    476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    It doesn't really have to be cross platform, it could just be a solution for linux users and one for windows users, and they can get the appropriate copy of our software.

    I know about the apache auth , but I dont really think that solution would work. We want maximum usability. We don't want them to have to do much server config, if any, to install the software, and we dont want them to have to type in a user/pass when they click on a file. Once they login to their account, they should be able to access THEIR files, and no way to access others. Not by a link they create, or by a direct link.

    Keep in mind, we have NO IDEA what type of files they will be uploading. So we can't just "include" the files in a php page after they are authed. Files could be pictures, programs, anything really.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •