RE: Securing file access
From: Scovetta, Michael V (Michael.Scovettaca.com)
Date: Wed Sep 29 2004 - 11:44:49 CDT
One additional note: don't ever grant users access directly to the resource (pdf). If they have access today, get the link to it, and are then revoked tomorrow, you need to prevent them from re-downloading via the link that they have. Instead of passing the user:
Push all processing through a separate page:
The getPDF.asp page should be (essentially):
' do authorization
IsAuthorized = calculateAuthorization(...)
If IsAuthorized Then
    Response.ContentType = ...
    ' stream the file (stored outside the web root) to the client here
Else
    Response.Status = "403 Forbidden"
End If
From: Bénoni MARTIN [mailto:Benoni.MARTINlibertis.ga]
Sent: Tuesday, September 28, 2004 5:18 AM
To: John M. L.; webappsecsecurityfocus.com
Subject: RE: Securing file access
Ha, you're in the same case as me, I had to deal with IIS :( !
Well, maybe I did not understand your trouble very well, but what about this:
- Set up a directory containing the PDF files (let's say 20 files), and disable directory browsing for it, of course :)
- In your DB (you've got MS Access, I use MS SQL Server or MySQL, but it's still SQL :) ), have as many rows as there are users, and the rows should be like this: login + password + page name to get if authentication is successful
- In the page, list all the files that the user can access. So, he/she will only be able to download what is proposed ...
The trouble remains the page, of course :). So:
Let's have a table in your database like this:
login pass 1,5,9,12,...
where 1,5,9,12,... are numbers indicating which files you allow the user to download.
You will then need to set up another table in your DB with rows like this (to connect the numbers to the real file names):
Then you just need a unique page, and when the user authenticates, it will automatically display the file names you allowed him to download ...
PS: MD5 is somewhat weak, what about using SHA-256? I can send you the sha256.asp file and tell you how to use it, quite easy ...
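The getPDF.asp gateway Michael describes, combined with Bénoni's id-to-filename table, written out as an added example (not code from the thread or any of its posters) in classic ASP/VBScript for John's IIS + Access setup. The table and column names, the on-disk folder and the connection string are assumptions.

```vbscript
<%
Option Explicit
' getPDF.asp (added example): the only URL users ever see for a document.
' Assumptions (not from the original thread): PDFs live in C:\securefiles\
' (outside the web root), UserFiles(UserID, FileID) records who may download
' which file, and Files(FileID, FileName) maps the numeric ids to real names.
Const FILE_ROOT = "C:\securefiles\"
Const DB_CONN = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\data\members.mdb"
Dim fileId, userId, conn, cmd, rs, fileName, stm
' The id is only ever a small integer used as a DB key, never a path component.
fileId = Request.QueryString("id")
If Not IsNumeric(fileId) Or Len(fileId) > 9 Then
    Response.Status = "400 Bad Request" : Response.End
End If
fileId = CLng(fileId)
userId = Session("UserID")               ' set by the login page after auth
If IsEmpty(userId) Or userId = "" Then
    Response.Status = "403 Forbidden" : Response.End
End If
' Authorization is re-checked on every download, so deleting a UserFiles row
' takes effect immediately even if the user kept the link.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open DB_CONN
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT f.FileName FROM Files f INNER JOIN UserFiles u " & _
                  "ON u.FileID = f.FileID WHERE u.UserID = ? AND f.FileID = ?"
' 3 = adInteger, 1 = adParamInput; parameters keep user input out of the SQL text
cmd.Parameters.Append cmd.CreateParameter("uid", 3, 1, , CLng(userId))
cmd.Parameters.Append cmd.CreateParameter("fid", 3, 1, , fileId)
Set rs = cmd.Execute
If rs.EOF Then
    rs.Close : conn.Close
    Response.Status = "403 Forbidden" : Response.End
End If
fileName = rs("FileName")
rs.Close : conn.Close
' The browser only receives the bytes; the on-disk location is never exposed.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1                              ' adTypeBinary
stm.Open
stm.LoadFromFile FILE_ROOT & fileName
Response.Clear
Response.ContentType = "application/pdf"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.BinaryWrite stm.Read
stm.Close
Response.End
%>
```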
From: news [mailto:newssea.gmane.org] On behalf of John M. L.
Sent: Monday, 27 September 2004 16:57
To: webappsecsecurityfocus.com
Subject: Securing file access
I have a project that involves a members-only area on a web page on IIS.
The members-only area is secured by a database (MS Access), so users are authenticated by their name and some MD5 hash etc. I need to allow files (mostly PDFs) to be downloaded by authenticated users only. In my opinion this means that the files cannot be stored in any www-accessible folder (regardless of any renaming convention etc.; I absolutely cannot have someone guess a file name to download). In order to access the files, the database would link a file to a unique id, so a page that validates the user would then give access to the file stored outside of the www on the server. Now, this is where the real question lies. How is this possible, since the files are not in a www-accessible path and a mere link to a file won't do?
Any thoughts would be welcome. If I'm going about this completely wrong, that would be nice to know too :) Forgive me if the answer is simple; I'm a Linux fan and haven't used IIS etc. for years.
One more note: IIS, MS Access and VBScript are not my technologies of choice, but merely what I was given to work with. I also have very limited control over administering IIS.