WebApp Sec mailing list archives
RE: Securing file access
From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Tue, 28 Sep 2004 10:17:39 +0100
Ha, you're in the same case as me, I had to deal with IIS :( ! Well, maybe I did not understand your trouble very well, but what about this:

- Setting up a directory containing the PDF files (let's say 20 files), disable this directory's browsing ability of course :)
- In your DB (you've got MS Access, I use MS SQL Server or MySQL, but it's still SQL :) ), have as many lines as there are users, and lines should be like this: login + password + page name to get if authentication is successful
- In the page, list all the files that the user can access. So, he/she will just be able to download what is proposed ...

The trouble remains the page, of course :). So: Let's have a table in your database like this:

    login pass 1,5,9,12,...

where 1,5,9,12,... are numbers indicating what files you allow the user to download. You will need then to set up another table in your DB with lines like this (to connect the numbers to the real file names):

    1 name-file_1
    2 name-file_2
    3 name-file_1
    4 name-file_4
    ...

Then you just need a unique page, and when the user authenticates, it will display automatically the file names you allowed him to download ...

PS: MD5 is somewhat weak, what about using SHA-256? I can send you the sha256.asp file, and tell you how to use it, quite easy ...

C0rt0W1nch

-----Original Message-----
From: news [mailto:news () sea gmane org] On Behalf Of John M. L.
Sent: Monday, 27 September 2004 16:57
To: webappsec () securityfocus com
Subject: Securing file access

I have a project that involves a members only area on a web page on IIS. The members' only area is secured by a database (MS Access) so users are authenticated by their name and some MD5 hash etc. I need to allow files (mostly PDFs) for download to authenticated users only. In my opinion this means that the files can not be stored in any www accessible folder (regardless of any renaming convention etc, I absolutely cannot have someone guess a file name to download).

In order to access the files, the database would link a file to a unique id, so a page that validates the user would then give access to the file stored outside of the www on the server. Now, this is where the real question lies. How is this possible since the files are not in a www accessible path, since a mere link to a file won't do. Any thoughts would be welcome. If I'm going about this completely wrong that would be nice to know too :) Forgive me if the answer is simple, I'm a Linux fan and haven't used IIS etc for years.

One more note: IIS, MS Access and VBScript are not my technologies of choice, but merely what I was given to work with. I also have very limited control over administering IIS.

John
www.recaffeinated.com
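As an added illustration, not code from either poster and written in Python rather than the VBScript/ASP the thread uses, this is the scheme the reply describes: the users table (login, hash, allowed ids), the id-to-filename table, the listing page, and a download step that re-checks the allowed list on every request and resolves the file inside a directory outside the web root. Table contents, the `store_dir` path and the SHA-256 password hashing are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the two tables the reply describes (hypothetical sample data):
#   users(login, pass_hash, allowed)  e.g. john | <sha256 hex> | "1,5"   files(id, name)  e.g. 1 | name-file_1
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(login TEXT PRIMARY KEY, pass_hash TEXT, allowed TEXT);
        CREATE TABLE files(id INTEGER PRIMARY KEY, name TEXT);
    """)
    db.executemany("INSERT INTO files VALUES (?, ?)",
                   [(1, "name-file_1"), (2, "name-file_2"), (5, "name-file_5")])
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("john", hashlib.sha256(b"correct horse").hexdigest(), "1,5"))
    return db

def authenticate(db, login, password):
    """True when SHA-256(password) matches the stored hash (constant-time compare)."""
    row = db.execute("SELECT pass_hash FROM users WHERE login = ?", (login,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[0], hashlib.sha256(password.encode()).hexdigest())

def allowed_files(db, login):
    """What the single listing page shows: only the (id, name) pairs this user may fetch."""
    row = db.execute("SELECT allowed FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        return []
    ids = {int(x) for x in row[0].split(",") if x.strip()}
    return [(fid, name) for fid, name in db.execute("SELECT id, name FROM files ORDER BY id")
            if fid in ids]

def resolve_download(db, store_dir, login, file_id):
    """Re-checks authorization on every download request: the id is a request parameter, so
    the listing alone does not stop a logged-in user from asking for another id.
    Returns the on-disk path (outside the web root) to stream, or None."""
    names = dict(allowed_files(db, login))
    if file_id not in names:
        return None
    # The name comes from the files table, not the request, but still confine the resolved
    # path to the store directory as defence in depth against a bad table row.
    store = os.path.realpath(store_dir)
    path = os.path.realpath(os.path.join(store, names[file_id]))
    if os.path.commonpath([store, path]) != store or not os.path.isfile(path):
        return None
    return path
```

The download page then opens the returned path itself and writes the bytes to the response with a Content-Type and Content-Disposition header (in classic ASP, ADODB.Stream plus Response.BinaryWrite), which is how a file that has no URL of its own reaches the browser.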