WebApp Sec mailing list archives

RE: Securing file access


From: "Calderon, Juan Carlos (GE Commercial Finance, NonGE)" <juan.calderon () ge com>
Date: Wed, 29 Sep 2004 13:57:53 -0400

a better way?

http://support.microsoft.com/default.aspx?scid=KB%3BEN-US%3BQ276488

Cheers

-----Original Message-----
From: Ian [mailto:webappsec2 () fishnet co uk]
Sent: Tuesday, 28 September 2004 04:05 a.m.
To: John M. L.; webappsec () securityfocus com
Subject: Re: Securing file access


On 27 Sep 2004 at 11:57, John M. L. wrote:

I have a project that involves a members only area on a web page on IIS.
The members-only area is secured by a database (MS Access) so users are
authenticated by their name and some MD5 hash etc.  I need to allow files
(mostly PDFs) for download to authenticated users only.  In my opinion this
means that the files can not be stored in any www accessible folder
(regardless of any renaming convention etc, I absolutely cannot have someone
guess a file name to download).  In order to access the files, the database
would link a file to a unique id, so a page that validates the user would
then give access to the file stored outside of the www on the server.  Now,
this is where the real question lies.  How is this possible since the files
are not in a www accessible path, since a mere link to a file won't do.
Any thoughts would be welcome.  If I'm going about this completely wrong
that would be nice to know too :)  Forgive me if the answer is simple, I'm a
Linux fan and haven't used IIS etc for years.
One more note: IIS, MS Access and VBScript are not my technologies of
choice, but merely what I was given to work with.  I also have very limited
control over administering IIS.

John
www.recaffeinated.com

Hi John,

You are going about this the right way.

Store the PDFs outside the www root, but still give the user IUSR_<computer name> 
permission to read the files ( or whatever user your site is running under).  Once the 
web user has authenticated, your script can read the PDF into memory then stream 
the file to the user.  A simple example is below:

<%
' Read the PDF from a path outside the web root and stream it to the
' authenticated user. pathtoPDF is set earlier from the database lookup.
set fs=server.createobject("Scripting.FileSystemObject")

set PDFin=fs.opentextfile(pathtoPDF,1,false)   ' 1 = ForReading
PDF=PDFin.readall
PDFin.close
set PDFin=nothing
set fs=nothing

Response.contenttype="application/pdf"

' BinaryWrite expects a byte string, so convert the text string first
Response.binarywrite StrToBin(PDF)

response.end

' Convert a VBScript string to a byte string one character at a time
function StrToBin(str)
        for x=1 to Len(str)
                StrToBin=StrToBin & ChrB(Asc(Mid(str,x,1)))
        next
end function

%>

You may not need to use the StrToBin function - I can't remember off the top of my 
head ;)

Regards

Ian
-- 
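The following is an added example, not code posted by Ian or Juan Carlos. It puts the whole approach the thread describes into one classic ASP page: the client supplies only a numeric ID, the database maps that ID to a path outside wwwroot, and the file is read as raw bytes with ADODB.Stream (the technique covered by the KB article linked at the top of the thread), which avoids the code-page mangling that reading a PDF through OpenTextFile/Asc/ChrB can cause on bytes above 127. Everything site-specific is a hypothetical assumption: the login page sets Session("UserID"), the Access table MemberFiles has columns FileID, FilePath and DisplayName, and the connection string in GetConnection is a placeholder.

```vbscript
<%
Option Explicit
' Added example (not from the original thread). Hypothetical assumptions:
' Session("UserID") is set by the site's login page; table MemberFiles has
' columns FileID (number), FilePath (absolute path outside wwwroot) and
' DisplayName; the .mdb path in GetConnection is a placeholder.

Const adTypeBinary = 1
Const adReadAll = -1
Const adInteger = 3
Const adParamInput = 1

Dim fileId, conn, cmd, rs, stm, filePath, fileName

' 1. Only authenticated members get past this point.
If IsEmpty(Session("UserID")) Or Session("UserID") = "" Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' 2. The client supplies a numeric ID only, never a file name, so the
'    request cannot steer the lookup to an arbitrary path (no ../ games).
fileId = Request.QueryString("id")
If Not IsNumeric(fileId) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
fileId = CLng(fileId)

' 3. The database maps the ID to a path the site chose, outside wwwroot.
'    A parameterised ADODB.Command keeps the ID out of the SQL text.
Set conn = GetConnection()
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT FilePath, DisplayName FROM MemberFiles WHERE FileID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , fileId)
Set rs = cmd.Execute
If rs.EOF Then
    rs.Close
    conn.Close
    Response.Status = "404 Not Found"
    Response.End
End If
filePath = rs("FilePath")
fileName = rs("DisplayName")
rs.Close
conn.Close

' 4. Read the file as raw bytes; binary mode means no text conversion.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile filePath

' 5. Send it with the right headers and tell caches this is private content.
Response.Buffer = True
Response.Clear
Response.ContentType = "application/pdf"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & fileName & """"
Response.AddHeader "Content-Length", CStr(stm.Size)
Response.CacheControl = "private"
Response.AddHeader "Pragma", "no-cache"
Response.BinaryWrite stm.Read(adReadAll)

stm.Close
Set stm = Nothing
Response.End

' Hypothetical helper: opens the members database. The .mdb itself also
' lives outside wwwroot so it cannot be downloaded directly.
Function GetConnection()
    Set GetConnection = Server.CreateObject("ADODB.Connection")
    GetConnection.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
        "Data Source=D:\members-data\members.mdb"   ' placeholder path
End Function
%>
```

The two checks that matter for John's requirement are the session test at the top and the ID-only lookup: because the script never builds a path from request input, guessing file names or supplying traversal sequences gains nothing, and the account the site runs under (IUSR_<computer name> by default) needs read access to the PDF directory only, not to anything under the web root.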


