RE: Storing doc pdfs within an application or database?

["Ramsdell, Scott" <Scott.Ramsdell () cellnethunt com>]

WALI,

This is an example of improper file level permissions.

It appears that the admins need to add a step when an employee arrives.
That step being to change the inherited permissions on the files.


Kind Regards,

Scott Ramsdell
CISSP CCNA MSCE



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Sunday, January 20, 2008 10:41 AM
To: security-basics () securityfocus com
Subject: Storing doc pdfs within an application or database?

An in house developed application related to Human resources, developed 
using ASP (not asp.net) using Oracle 9i as backend, serves employees
payroll 
and tracks their development. Part of each of the employees HR homepage 
(viewable on the web browser)  pertains to storing their employment 
contract, their educational certificates, passport copies of their and
their 
family spouses etc., in either pdf or doc format.

These files (pdf and doc) are stored in a shared folder on the same
server 
hosting the application.

The problem is, there is 'security by obscurity' only. If I am savvy
enough 
to use an application proxy or even dig through my browser history, I
can 
find the whole URL relating to that document, as an example:
Visited: 
Administrator@http://abcint/Administration/Employment_Contract_HR2006/23
13441.pdf

where, 'abcint' is the Netbios name of the server and starting 
'Administration' onwards is the webshare on the same server.

2313441.pdf is my employment contract number where the series of number
is 
easily identifiable for it's my employee ID too.

Now, I can change that serial and *poof*, get to see any other pdf too, 
relating to another employee.

How do you guys take care of such authorisation/aunthentication
mechanism 
when it comes to pdf/doc files that are not residing within a database?