
Re: Securing file access

Subject: Re: Securing file access
Date: Tue, 28 Sep 2004 08:55:57 -0500
John M. L. wrote:

In order to access the files, the database
would link a file to a unique id, so a page that validates the user would
then give access to the file stored outside of the www on the server.  Now,
this is where the real question lies.  How is this possible since the files
are not in a www accessible path

agree with this approach.

The best way is to create a file that does two things:
1. Checks that the user is authenticated
2. Reads the file from the filesystem and hands it back to the client.

Typically I have accomplished this through reading the otherwise inaccessible file using either the FilesystemObject or ADO's Stream object, then using response.binarywrite to send it back to the browser.

While there are almost certainly other approaches that will work as well or better, I have done it this way in the past, and if you would like some sample ASP code to look over, I can send it to you off the list.


--
Matt Summers
PD9 Software, Inc


 http://www.pd9hosting.com / Hosting & Design
 http://www.pd9soft.com

4520 Moorfield Ln
Fort Wayne, IN 46816
(815)642-9367 - Fax
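
Added example, not part of the original post and not the sample code its author offered: a classic ASP download page following the two steps described above, using ADO's Stream object and Response.BinaryWrite. The storage directory, the Session("UserID") and Application("ConnString") values, the numeric user id, the per-owner check and the table and column names are assumptions made for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = True
Const FILE_ROOT = "D:\protected_files\"  ' assumed storage directory outside the web root
Const adTypeBinary = 1, adInteger = 3, adParamInput = 1, adCmdText = 1

Sub Deny(status)
    Response.Status = status
    Response.End
End Sub

Dim re, idRaw, cmd, rs, fso, path, dlName, stm

' 1. Check that the user is authenticated (assumed: the login page sets Session("UserID")).
If IsEmpty(Session("UserID")) Then Deny "403 Forbidden"

' Accept only a short decimal id; the client never supplies a file name or path.
idRaw = Request.QueryString("id")
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(idRaw) Then Deny "400 Bad Request"

' Map the id to a stored file with a parameterized query (hypothetical table and columns).
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = Application("ConnString")  ' assumed connection string
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT stored_name, download_name FROM files WHERE file_id = ? AND owner_id = ?"
cmd.Parameters.Append cmd.CreateParameter("file_id", adInteger, adParamInput, , CLng(idRaw))
cmd.Parameters.Append cmd.CreateParameter("owner_id", adInteger, adParamInput, , CLng(Session("UserID")))
Set rs = cmd.Execute
If rs.EOF Then Deny "404 Not Found"

' Keep only the final path component so a bad database value cannot escape FILE_ROOT.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
path = FILE_ROOT & fso.GetFileName(rs("stored_name").Value)
If Not fso.FileExists(path) Then Deny "404 Not Found"
' Strip quotes and line breaks so the stored name cannot inject response headers.
dlName = Replace(Replace(Replace(rs("download_name").Value, """", ""), vbCr, ""), vbLf, "")

' 2. Read the file from the filesystem and hand it back to the client.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile path
Response.Clear
Response.ContentType = "application/octet-stream"
Response.AddHeader "Content-Disposition", "attachment; filename=""" & dlName & """"
Response.BinaryWrite stm.Read
stm.Close
%>
```

The owner_id condition goes one step past the authentication check in the post: it keeps a logged-in user from fetching another user's file by guessing ids.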



