RE: Controlling access to pdf/doc files

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

Sangita,
  Having your customer's statements available as .doc files, sitting
in a directory, random number or no, is (IMHO) a Bad Idea. Static content
is one thing, and dynamic is another. Keep them separated in your app.
Generate the PDF/DOC/whatever on the fly at the time of the request.

If that isn't an available option (you get a  feed of .doc files or
something), then architect it as such: Have an authentication layer in
your application server ("Who is the client? Oh, he's Mike.") Then you
need logic to say, "What document can Mike access?" Maybe it's just
[Mike's account number].doc. Check to make sure that the requested
document is one that Mike can access-- and then just stream the contents
to him (from the file).

In Java/JSP/Tomcat/JBoss/etc it's pretty easy:
1. open the file
2. response.setContentType("application/word") or something like that
3. read bytes from file
   write bytes to output stream going to client

It's similarly easy using ASP/CGI/whatever

You can also grow your own "security realm" in JBoss/Tomcat and use that
to abstract the decision process, but it's not very complicated to
begin with.

You should not rely on any underlying O/S authentication (like NTLM
on Windows servers) because (a) too hard to administer, and (b) firewalls
will screw with that kind of data.

Finally, just for security sake, if you have all of these documents
on your server, make sure only the app server process has read access
to them-- Having them there in the first place is a kludge, but it's just
my opinion.
<end-rant>

Michael Scovetta



-----Original Message-----
From: Sangita Pakala [mailto:sangita.pakala () paladion net]
Sent: Tuesday, February 24, 2004 10:22 AM
To: webappsec () securityfocus com
Subject: Controlling access to pdf/doc files


Hi,

Could I have the list's thoughts on an answer we are preparing for the
next version of the AppSec FAQ at OWASP.
 
Question - How can I ensure my application allows only authenticated
users access to files like *.pdf or *.doc?

Issue - Suppose a web site, say a bank site, displays the user's account
statement as a .doc file. What if someone tries to access this file by
typing its full URL into the address bar? How does the application check
whether the user trying to access the file is the authenticated user and
that the session has not expired? 

Solution - One solution is to have a random number for the name of the
file or the folder containing it. This random number could even be
related to the session token of the user. This file/folder should then
be deleted as soon as the user's session has expired.

Are there better methods available to address this issue? Can the web
server run a server side program to verify the session token before
serving the final GET request for the file? 


Thanks,
Sangita.

OWASP AppSec FAQ
http://www.owasp.org/documentation/appsecfaq

Paladion Networks
http://www.paladion.net