Security Basics mailing list archives
Storing doc pdfs within an application or database?
From: "WALI" <hkhasgiwale () gmail com>
Date: Sun, 20 Jan 2008 20:41:25 +0400
An in-house developed application related to Human Resources, developed using ASP (not ASP.NET) with Oracle 9i as the backend, serves employees' payroll and tracks their development. Part of each employee's HR homepage (viewable in the web browser) pertains to storing their employment contract, their educational certificates, passport copies of themselves and their family/spouses, etc., in either PDF or DOC format.
These files (pdf and doc) are stored in a shared folder on the same server hosting the application.
The problem is, there is 'security by obscurity' only. If I am savvy enough to use an application proxy or even dig through my browser history, I can find the whole URL relating to that document, as an example: Visited: Administrator@http://abcint/Administration/Employment_Contract_HR2006/2313441.pdf
where 'abcint' is the NetBIOS name of the server and everything from 'Administration' onwards is the web share on the same server.
2313441.pdf is my employment contract number, where the series of numbers is easily identifiable, for it is my employee ID too.
Now, I can change that serial and *poof*, get to see any other pdf too, relating to another employee.
How do you guys take care of such an authorisation/authentication mechanism when it comes to PDF/DOC files that are not residing within a database?
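The hole described above is an insecure direct object reference: the web share serves any file whose name a requester can guess, and the name is the employee ID. One mitigation pattern, shown here as an added Python example (not the original poster's ASP code; it assumes a document root `/srv/hrdocs` outside the web root and an in-memory dict standing in for the Oracle table): hand out an unguessable token instead of the path, and let a download handler compare the session's identity with the document owner before serving the bytes.

```python
import os
import secrets
from dataclasses import dataclass

# Assumed storage location, deliberately outside anything the web server exposes.
DOC_ROOT = os.path.abspath("/srv/hrdocs")

@dataclass(frozen=True)
class Document:
    owner_employee_id: int
    relative_path: str  # relative to DOC_ROOT; never sent to the browser

def new_token() -> str:
    """Unguessable handle stored with the record at upload time."""
    return secrets.token_urlsafe(12)

# Constructed sample registry: token -> record. In the real application this
# would be a table keyed by the token, not by employee ID.
REGISTRY = {
    "k3Jt9xQ2vL8pZs1c": Document(2313441, "Employment_Contract_HR2006/2313441.pdf"),
    "a7Pw4mNd0RqYfH6e": Document(2313442, "Employment_Contract_HR2006/2313442.pdf"),
    # Constructed tampered entry, present only to show the path guard below.
    "ZzTamperedEntry0": Document(2313441, "../../etc/passwd"),
}

def resolve_document(token: str, requester_id: int, is_hr_admin: bool):
    """Return the absolute file path if the requester may read it, else None.

    requester_id and is_hr_admin come from the server-side session, never
    from the URL, so changing a number in the browser gains nothing.
    """
    doc = REGISTRY.get(token)
    if doc is None:
        return None                      # unknown token: same answer as "forbidden"
    if doc.owner_employee_id != requester_id and not is_hr_admin:
        return None                      # neither the owner nor HR staff
    full = os.path.abspath(os.path.join(DOC_ROOT, doc.relative_path))
    # Defence in depth: a corrupted registry row must not escape DOC_ROOT.
    if os.path.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        return None
    return full

if __name__ == "__main__":
    print(resolve_document("k3Jt9xQ2vL8pZs1c", 2313441, False))  # owner: path
    print(resolve_document("k3Jt9xQ2vL8pZs1c", 2313442, False))  # other employee: None
```

The handler that calls `resolve_document` streams the file itself (with a Content-Disposition header), so the web share can be removed from the site entirely.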