URL Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

URL Security

Post by rashmisharma »

Hello!
I have a serious security issue. Suppose my site URL is http://www.abc.com
Now I have a secure admin panel folder xyz in it and ant this folder contains a subfolder where I storing the uploaded .pdf files and only after providing a valid username & password one can download these pdfs.
But if user types the direct URL in browser http://www.abc.com/xyz/pdfFolder/filename.pdf
Then he easily access that pdf without any authentication.
And also Google fetch that path and shows pdf files directly.

Please help me. I had searched a lot on it but don’t find any solution.
Everywhere I found .htaccess file as a solution but if I do that then I wont b able to download that file even after authentication, it says a corrupted pdf file.

Its Really very urgent!
Thanks for any help in advance. :banghead:
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: URL Security

Post by Apollo »

.htaccess doesn't change anything about your file. You can either download it, or you can't (if you don't enter a valid login and password).

Most likely you messed up somewhere in the .htaccess file. Can you post its contents?
rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

Re: URL Security

Post by rashmisharma »

right now i m not using any .htaccess file.
i want to know how do i protect direct access to my URL.
but the same must be accessible if someone try to access it after authentication
Oxidiser
Forum Newbie
Posts: 15
Joined: Wed Feb 18, 2009 5:00 am
Location: The Netherlands

Re: URL Security

Post by Oxidiser »

One way would be to use a .htaccess file to redirect all requests to your pdf directory to a php file.
This file would then handle the authentication, and if authenticated, set the correct haeders and send off the pdf file. This way you can keep the authentication to your application instead of a .htpasswd file.

.htaccess for your pdf directory:

Code: Select all

 
RewriteEngine on
RewriteRule (.*) /downloadpdf.php?url=/$1 [QSA,PT]
 
Your downloadpdf.php handler:

Code: Select all

 
<?php
// Do some authentication checking....
// exit script if not authenticated or continu script.
 
// Get the filename.
$file = $_GET['url'];
// Set the path on your server to your file.
$pathToFile = 'your/path/to/file/'.$file;
// Open the file in a binary mode.
$file = fopen($pathToFile, 'r');
// Send the right headers.
header("Content-Type: application/pdf");
header("Content-Length: " . filesize($pathToFile));
// Dump the file and stop the script
fpassthru($file);
 
Last edited by Oxidiser on Wed Feb 18, 2009 5:40 am, edited 2 times in total.
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: URL Security

Post by Apollo »

See this or this post.

Oxidiser's approach above is also possible, but slightly different. It does the authentication (access protection) in php, rather than .htaccess. It just uses .htaccess to make sure the file is always downloaded through the protective php script.

Be aware though that this approach may be more vulnerable to security mistakes. For example, what happens if someone tries to download http://yoursite.com/pdf/../downloadpdf.php to get a peek inside your security measures?
Last edited by Apollo on Wed Feb 18, 2009 5:45 am, edited 2 times in total.
rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

Re: URL Security

Post by rashmisharma »

[quote="Oxidiser"]One way would be to use a .htaccess file to redirect all requests to your pdf directory to a php file.
This file would then handle the authentication, and if authenticated, set the correct haeders and send off the pdf file.

.htaccess for your pdf directory:

Code: Select all

 
RewriteEngine on
RewriteRule (.*) /downloadpdf.php?url=/$1 [QSA,PT]
 
hmm
I m not able to understand the following line
RewriteRule (.*) /downloadpdf.php?url=/$1 [QSA,PT]
here what is url=/$1 [QSA,PT]
Oxidiser
Forum Newbie
Posts: 15
Joined: Wed Feb 18, 2009 5:00 am
Location: The Netherlands

Re: URL Security

Post by Oxidiser »

That line essentially puts the initial request url into an url parameter in the request superglobal of the php script, so you can use it in your script to see which file was requested.

And yes, you should cover all your bases in the security check. Lock it to your pdf directory so no one can request other files than the pdf's for example.
rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

Re: URL Security

Post by rashmisharma »

i m doing d same thing but not able to correct the things
my download.php is like

Code: Select all

 
$dir="http://www.abc.com/xyz/pdfFolder/";
if (isset($_REQUEST['file'])) { 
$file=$dir.$_REQUEST['file'];
 
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
else
{
echo "No file found";
}
 

and my .htaccess file is like

Code: Select all

RewriteEngine on
RewriteRule (.*) /download.php?file=/$1 [QSA,PT]
rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

Re: URL Security

Post by rashmisharma »

Apollo wrote:See this or this post.

Oxidiser's approach above is also possible, but slightly different. It does the authentication (access protection) in php, rather than .htaccess. It just uses .htaccess to make sure the file is always downloaded through the protective php script.

Be aware though that this approach may be more vulnerable to security mistakes. For example, what happens if someone tries to download http://yoursite.com/pdf/../downloadpdf.php to get a peek inside your security measures?

if use this kind of password protection than how i users from which r registering from my site are able to access that pdf?
Oxidiser
Forum Newbie
Posts: 15
Joined: Wed Feb 18, 2009 5:00 am
Location: The Netherlands

Re: URL Security

Post by Oxidiser »

I don't understand the question, can you rephrase?
rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

Re: URL Security

Post by rashmisharma »

My .htaccess code is :

Code: Select all

 
Redirect /xyz/pdfFolder/ http://www.abc.com/download.php?file=
 
now if i m using this code then everything goes fine but it shows a message currupted pdf and dont open it. is i missed something?

my download.php is :

Code: Select all

 
$dir="http://www.abc.com/xyz/pdfFolder/";
if (isset($_REQUEST['file'])) { 
$file=$dir.$_REQUEST['file'];
 
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
else
{
echo "No file found";
}
 
Oxidiser
Forum Newbie
Posts: 15
Joined: Wed Feb 18, 2009 5:00 am
Location: The Netherlands

Re: URL Security

Post by Oxidiser »

Well, it could be that your path to the file is not correct. It will not display any output in a regular way. So

Code: Select all

echo "No file found";
would not show unless you open the file you got, with notepad or a similair text editor to see what's inside.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: URL Security

Post by kaisellgren »

rashmisharma wrote:My .htaccess code is :

Code: Select all

 
Redirect /xyz/pdfFolder/ http://www.abc.com/download.php?file=
 
now if i m using this code then everything goes fine but it shows a message currupted pdf and dont open it. is i missed something?

my download.php is :

Code: Select all

 
$dir="http://www.abc.com/xyz/pdfFolder/";
if (isset($_REQUEST['file'])) { 
$file=$dir.$_REQUEST['file'];
 
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($file));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
header('Content-Length: ' . filesize($file));
ob_clean();
flush();
readfile($file);
exit;
}
else
{
echo "No file found";
}
 
No.

Storing the files in a public directory does not make sense. Put them outside the document root.

Do you know what might happen if I try to enter this URL: http://www.abc.com/download.php?file=.. ... etc/passwd ? Or anything else like download.php?file=index.php

If you protect the download script so that only admins are allowed to download files, then obviously no one else can traverse through your directories like that than admins. Still, you should fix that hole.
rashmisharma
Forum Newbie
Posts: 11
Joined: Wed Feb 18, 2009 4:27 am

Re: URL Security

Post by rashmisharma »

how do i protect my download.php? if i put it outside my root folder than how will i access it?

while using .download.php file i m getting following following error

Code: Select all

 
<br />
<b>Warning</b>:  filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for 
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at 
<br />
<b>Warning</b>:  readfile() [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in <b> on line <b>46</b><br />
 
 
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: URL Security

Post by kaisellgren »

rashmisharma wrote:how do i protect my download.php? if i put it outside my root folder than how will i access it?

while using .download.php file i m getting following following error

Code: Select all

 
<br />
<b>Warning</b>:  filesize() [<a href='function.filesize'>function.filesize</a>]: stat failed for 
<b>Warning</b>:  Cannot modify header information - headers already sent by (output started at 
<br />
<b>Warning</b>:  readfile() [<a href='function.readfile'>function.readfile</a>]: failed to open stream: No such file or directory in <b> on line <b>46</b><br />
 
 
You do not put download.php outside the document root, you put the files outside the document root.

Your script is unable to locate the file, it seems.
Post Reply