Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Securing file access

from [Subs] Network Security [Permanent Link]
Subject: Re: Securing file access
Date: Wed, 29 Sep 2004 11:22:58 -0700 
  Or in PHP which works just fine on IIS (even with forward slashes :)

function send_file($path, $name} {
  if(!$fp = fopen($path. $name, 'rb'))
    die('Unable to open '. $name);
  header('Content-Type: application/pdf');
  header('Content-Length: '. filesize($name));
  fpassthru($fp);
  exit;
  }

send_file('/some/non/www/path', 'mysecret.pdf');

On 27 Sep 2004 at 11:57, John M. L. wrote:

> I have a project that involves a members only area on web page on IIS.
> The members' only area is secured by a database (MS Access) so users are
> authenticated by their name and some MD5 hash etc. I need to allow files
> (mostly PDFs) for download to authenticated users only. In my opinion this
> means that the files can not be stored in any www accessible folder
> (regardless of any renaming convention etc, I absolutely cannot have someone
> guess a file name to download). In order to access the files, the database
> would link a file to a unique id, so a page that validates the user would
> then give access to the file stored outside of the www on the server. Now,
> this is where the real question lies. How is this possible since the files
> are not in a www accessible path, since a mere link to a file won't due.
> Any thoughts would be welcome. If I'm going about this completely wrong
> that would be nice to no too :) Forgive me if the answer is simple, I'm a
> Linux fan and haven't used IIS etc for years.
> One more note: IIS, MS Access and VBScript are not my technologies of
> choice, but merely what I was given to work with. I also have very limited
> control over administering IIS.
>
> John
> www.recaffeinated.com
>
Hi John,

You are going about this the right way.

Store the PDFs outside the www root, but still give the user ISR_<computer name>
permission to read the files ( or whatever user your site is running under). Once the
web user has authenticated, your script can read the PDF into memory then stream
the file to the user. A simple example is below:

<%

set fs=server.createobject("Scripting.filesystem")

set PDFin=fs.opentextfile(pathtoPDF,1,false)
PDF=PDFin.readall
PDFin.close
set PDFin=nothing

Response.contenttype="application/pdf"

resonse.binarywrite StrToBin(PDF)

response.end

function StrToBin(str)
        for x=1 to Len(str)
                StrToBin=StrToBin & ChrB(Asc(Mid(str,x,1)))
        next
end function

%>

You may not need to use the StrToBin function - I can't remember off the top of my
head ;)

Regards

Ian
--

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: XSS, SQL injection etc - permutations of input strings, Shields, Larry
Next by Date:  RE: Hacking/security in main-stream media, Levenglick, Jeff
Previous by Thread:  Re: Securing file access, Ian
Next by Thread:  RE: Securing file access, Koen Vingerhoets
Indexes:  [Date] [Thread] [Top] [All Lists]