
| Subject: | RE: Securing file access |
|---|---|
| Date: | Wed, 29 Sep 2004 12:44:49 -0400 |
John,
One additional note: don't ever grant users access directly to the resource
(pdf). If they have access today, and get the link to it, and then are revoked
tomorrow, you need to prevent them from re-downloading the link that they have.
Instead of passing the user:
http://server/pdfs/abc.pdf
Push all processing through a separate page:
http://server/getPDF.asp?name=abc.pdf
The getPDF.asp page should be (essentially):
```asp
<%
' Authorize on every request; never rely on the link itself being secret.
IsAuthorized = calculateAuthorization(...)
If IsAuthorized Then
    ' Serve the PDF from a location the web server does not expose directly.
    Response.ContentType = ...
    Response.BinaryWrite(...)
Else
    Response.Write("Nope.")
End If
%>
```
Michael Scovetta
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
Sent: Tuesday, September 28, 2004 5:18 AM
To: John M. L.; webappsec@securityfocus.com
Subject: RE: Securing file access
Ha, you're in the same case as me, I had to deal with IIS :( !
Well, maybe I did not understand your trouble very well, but what about this:
- Setting up a directory containing the PDF files (let's say 20
files), disable this directory's browsing ability of course :)
- In your DB (you've got MS Access, I use MS SQL Server or MySQL, but
it's still SQL :) ), have as many lines as there are users, and lines should be
like this: login + password + page name to get if authentication successful
- In the page, list all the files that the user can access. So, he/she
will just be able to download what is proposed ...
The trouble remains the page, of course :). So:
Let's have a table in your database like this:
login pass 1,5,9,12,...
where 1,5,9,12,... are numbers indicating what files you allow the user
to download.
You will then need to set up another table in your DB with lines like
this (to connect the numbers to the real file names):
1 name-file_1
2 name-file_2
3 name-file_1
4 name-file_4
...
Then you just need a unique page, and when the user authenticates, it
will automatically display the file names you allowed him to download ...
PS: MD5 is somewhat weak, what about using SHA-256 ? I can send you the
sha256.asp file, and tell you how to use it, quite easy ...
C0rt0W1nch
-----Original Message-----
From: news [mailto:news@sea.gmane.org] On behalf of John M. L.
Sent: Monday, 27 September 2004 16:57
To: webappsec@securityfocus.com
Subject: Securing file access
I have a project that involves a members only area on web page on IIS.
The members' only area is secured by a database (MS Access) so users are
authenticated by their name and some MD5 hash etc. I need to allow files
(mostly PDFs) for download to authenticated users only. In my opinion this
means that the files can not be stored in any www accessible folder (regardless
of any renaming convention etc, I absolutely cannot have someone guess a file
name to download). In order to access the files, the database would link a
file to a unique id, so a page that validates the user would then give access
to the file stored outside of the www on the server. Now, this is where the
real question lies. How is this possible since the files are not in a www
accessible path, since a mere link to a file won't do.
Any thoughts would be welcome. If I'm going about this completely wrong that
would be nice to know too :) Forgive me if the answer is simple, I'm a Linux fan
and haven't used IIS etc for years.
One more note: IIS, MS Access and VBScript are not my technologies of choice,
but merely what I was given to work with. I also have very limited control
over administering IIS.
John
www.recaffeinated.com
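The gateway pattern Michael describes (authorize on every request, then stream the file from outside the web root) combined with Bénoni's two-table layout (per-user list of allowed file ids, and an id-to-filename table), as an added example that is not code from any poster in this thread. It is a language-neutral sketch in Python rather than classic ASP; the table contents, file names and the temporary PDF directory are constructed for the demonstration, and the client only ever supplies a numeric id, so the server never builds a path from client-supplied text.

```python
import os
import tempfile

# Constructed stand-in for the two DB tables from the thread:
# user -> set of allowed file ids, and file id -> real file name.
USER_FILES = {"alice": {1, 5}, "bob": {2}}
FILE_NAMES = {1: "report-q1.pdf", 2: "invoice.pdf", 5: "manual.pdf"}

# Storage directory outside the web root (constructed; nothing here is
# reachable by URL, only through the gateway function below).
PDF_DIR = tempfile.mkdtemp(prefix="pdfs-")
for _name in FILE_NAMES.values():
    with open(os.path.join(PDF_DIR, _name), "wb") as _fh:
        _fh.write(b"%PDF-1.4 sample " + _name.encode())


def get_pdf(user, file_id):
    """Gateway equivalent of getPDF.asp: returns (status, body).

    Authorization is re-evaluated on every call, so a link a user saved
    yesterday stops working the moment the id is removed from their row.
    """
    allowed = USER_FILES.get(user, set())
    if file_id not in allowed:
        return 403, b"Nope."
    name = FILE_NAMES.get(file_id)
    if name is None:
        return 404, b""
    # The path is assembled server-side from the id-to-name table; the
    # request cannot name an arbitrary file.
    with open(os.path.join(PDF_DIR, name), "rb") as fh:
        return 200, fh.read()


def revoke(user, file_id):
    """Remove one file id from a user's allowed set (the 'revoked tomorrow' case)."""
    USER_FILES.get(user, set()).discard(file_id)


def list_files(user):
    """The page that lists only what this user may download."""
    return sorted(FILE_NAMES[i] for i in USER_FILES.get(user, set()))
```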