RE: Securing file access

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

John,

One additional note: don't ever grant users access directly to the resource 
(pdf). If they have access today, and get the link to it, and then are revoked tomorrow, you need to prevent them from 
re-downloading the link that they have. Instead of passing the user:
        http://server/pdfs/abc.pdf
Push all processing through a separate page:
        http://server/getPDF.asp?name=abc.pdf

The getPDF.asp page should be (essentially):
<%
        ' do authorization
      IsAuthorized = calculateAuthorization(...)

        If IsAuthorized Then
                Response.ContentType = ...
                Response.BinaryWrite(...)
        Else
                Response.Write("Nope.")
        End If
%>

Michael Scovetta

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] 
Sent: Tuesday, September 28, 2004 5:18 AM
To: John M. L.; webappsec () securityfocus com
Subject: RE: Securing file access

Ha, you're in the same case than me, I had to deal with IIS :( !

Well, maybe I did not understood very well your trouble, but what about this:
        - Setting up a directory containing the PDFs files (let's say 20 files), disable this directory browsing 
ability of course :)
        - In your DB (you've got MS Access, I use MS SQL Server or MySQL, but it's still SQL :) ), have as many lines 
as there are users, and lines should be like this: login + password + page name to get if authentication successful
        - In the page, list all the files that the user can access. So, he/she will just can download what is proposed 
...

The trouble remains the page, of course :). So:
        Let's have a table in your database like this:
                login    pass    1,5,9,12,...
        where 1,5,9,12,... are numbers indicating what files you allow the user to download.
        You will need then to setup another table in your DB with lines like this (to connect the numbers to the real 
files names):
                1       name-file_1
                2       name-file_2
                3       name-file_1
                4       name-file_4
                ...
        Then you just need a unique page, and when the user authenticates, it will display antomacically the files 
names you allowed him to download ...

PS: MD5 is somewhat weak, what about using SHA-256 ? I can send you the sha256.asp file, and tell you how to use it, 
quite easy ...

C0rt0W1nch


-----Message d'origine-----
De : news [mailto:news () sea gmane org] De la part de John M. L.
Envoyé : lundi 27 septembre 2004 16:57
À : webappsec () securityfocus com
Objet : Securing file access

I have a project that involves a members only area on web page on IIS.
The members' only area is secured by a database (MS Access) so users are authenticated by their name and some MD5 hash 
etc.  I need to allow files (mostly PDFs) for download to authenticated users only.  In my opinion this means that the 
files can not be stored in any www accessible folder (regardless of any renaming convention etc, I absolutely cannot 
have someone guess a file name to download).  In order to access the files, the database would link a file to a unique 
id, so a page that validates the user would then give access to the file stored outside of the www on the server.  Now, 
this is where the real question lies.  How is this possible since the files are not in a www accessible path, since a 
mere link to a file won't due.
Any thoughts would be welcome.  If I'm going about this completely wrong that would be nice to no too :)  Forgive me if 
the answer is simple, I'm a Linux fan and haven't used IIS etc for years.
One more note: IIS, MS Access and VBScript are not my technologies of choice, but merely what I was given to work with. 
 I also have very limited control over administering IIS.

John
www.recaffeinated.com