Page 1 of 2
URL Security
Posted: Wed Feb 18, 2009 4:41 am
by rashmisharma
Hello!
I have a serious security issue. Suppose my site URL is
http://www.abc.com
Now I have a secure admin panel folder xyz in it, and this folder contains a subfolder where I store the uploaded .pdf files, and only after providing a valid username & password can one download these PDFs.
But if a user types the direct URL in the browser
http://www.abc.com/xyz/pdfFolder/filename.pdf
then he can easily access that PDF without any authentication.
And Google also fetches that path and shows the PDF files directly.
Please help me. I have searched a lot on it but can't find any solution.
Everywhere I found the .htaccess file as a solution, but if I do that then I won't be able to download that file even after authentication; it says the PDF file is corrupted.
It's really very urgent!
Thanks for any help in advance.

Re: URL Security
Posted: Wed Feb 18, 2009 4:55 am
by Apollo
.htaccess doesn't change anything about your file. You can either download it, or you can't (if you don't enter a valid login and password).
Most likely you messed up somewhere in the .htaccess file. Can you post its contents?
Re: URL Security
Posted: Wed Feb 18, 2009 4:58 am
by rashmisharma
Right now I'm not using any .htaccess file.
I want to know how I protect against direct access to my URL,
but the same must be accessible if someone tries to access it after authentication.
Re: URL Security
Posted: Wed Feb 18, 2009 5:36 am
by Oxidiser
One way would be to use a .htaccess file to redirect all requests to your pdf directory to a php file.
This file would then handle the authentication and, if authenticated, set the correct headers and send off the PDF file. This way you can keep the authentication in your application instead of a .htpasswd file.
.htaccess for your pdf directory:
RewriteEngine on
RewriteRule (.*) /downloadpdf.php?url=/$1 [QSA,PT]
Your downloadpdf.php handler:
<?php
// Do some authentication checking...
// Exit the script if not authenticated, otherwise continue.
// Get the filename.
$file = $_GET['url'];
// Set the path on your server to your file.
$pathToFile = 'your/path/to/file/' . $file;
// Open the file in binary mode.
$fp = fopen($pathToFile, 'rb');
// Send the right headers.
header("Content-Type: application/pdf");
header("Content-Length: " . filesize($pathToFile));
// Dump the file and stop the script.
fpassthru($fp);
fclose($fp);
exit;
Re: URL Security
Posted: Wed Feb 18, 2009 5:39 am
by Apollo
See
this or
this post.
Oxidiser's approach above is also possible, but slightly different. It does the authentication (access protection) in PHP, rather than .htaccess. It just uses .htaccess to make sure the file is always downloaded through the protective PHP script.
Be aware though that this approach may be more vulnerable to security mistakes. For example, what happens if someone tries to download
http://yoursite.com/pdf/../downloadpdf.php to get a peek inside your security measures?
Re: URL Security
Posted: Wed Feb 18, 2009 5:43 am
by rashmisharma
Oxidiser wrote:One way would be to use a .htaccess file to redirect all requests to your pdf directory to a php file.
This file would then handle the authentication and, if authenticated, set the correct headers and send off the PDF file.
.htaccess for your pdf directory:
RewriteEngine on
RewriteRule (.*) /downloadpdf.php?url=/$1 [QSA,PT]
Hmm,
I'm not able to understand the following line:
RewriteRule (.*) /downloadpdf.php?url=/$1 [QSA,PT]
Here, what is
url=/$1 [QSA,PT]
Re: URL Security
Posted: Wed Feb 18, 2009 5:53 am
by Oxidiser
That line essentially puts the initial request URL into a url parameter in the request superglobal of the PHP script, so you can use it in your script to see which file was requested.
And yes, you should cover all your bases in the security check. Lock it to your pdf directory so no one can request other files than the pdf's for example.
Re: URL Security
Posted: Wed Feb 18, 2009 6:03 am
by rashmisharma
I'm doing the same thing but not able to get it working.
My download.php is like:
<?php
$dir = "http://www.abc.com/xyz/pdfFolder/";
if (isset($_REQUEST['file'])) {
    $file = $dir . $_REQUEST['file'];
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
} else {
    echo "No file found";
}
and my .htaccess file is like:
RewriteEngine on
RewriteRule (.*) /download.php?file=/$1 [QSA,PT]
Re: URL Security
Posted: Wed Feb 18, 2009 6:05 am
by rashmisharma
Apollo wrote:See
this or
this post.
Oxidiser's approach above is also possible, but slightly different. It does the authentication (access protection) in php, rather than .htaccess. It just uses .htaccess to make sure the file is always downloaded through the protective php script.
Be aware though that this approach may be more vulnerable to security mistakes. For example, what happens if someone tries to download
http://yoursite.com/pdf/../downloadpdf.php to get a peek inside your security measures?
If I use this kind of password protection, then how will the users who register on my site be able to access that PDF?
Re: URL Security
Posted: Wed Feb 18, 2009 6:45 am
by Oxidiser
I don't understand the question, can you rephrase?
Re: URL Security
Posted: Wed Feb 18, 2009 6:52 am
by rashmisharma
My .htaccess code is:
Redirect /xyz/pdfFolder/ http://www.abc.com/download.php?file=
Now if I use this code then everything goes fine, but it shows a message "corrupted PDF" and doesn't open it. Have I missed something?
My download.php is:
<?php
$dir = "http://www.abc.com/xyz/pdfFolder/";
if (isset($_REQUEST['file'])) {
    $file = $dir . $_REQUEST['file'];
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
} else {
    echo "No file found";
}
Re: URL Security
Posted: Wed Feb 18, 2009 7:02 am
by Oxidiser
Well, it could be that your path to the file is not correct. It will not display any output in a regular way. So
would not show unless you open the file you got with Notepad or a similar text editor to see what's inside.
Re: URL Security
Posted: Wed Feb 18, 2009 1:57 pm
by kaisellgren
rashmisharma wrote:My .htaccess code is:
Redirect /xyz/pdfFolder/ http://www.abc.com/download.php?file=
Now if I use this code then everything goes fine, but it shows a message "corrupted PDF" and doesn't open it. Have I missed something?
My download.php is:
<?php
$dir = "http://www.abc.com/xyz/pdfFolder/";
if (isset($_REQUEST['file'])) {
    $file = $dir . $_REQUEST['file'];
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename=' . basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
} else {
    echo "No file found";
}
No.
Storing the files in a public directory does not make sense. Put them outside the document root.
Do you know what might happen if I try to enter this URL:
http://www.abc.com/download.php?file=.. ... etc/passwd ? Or anything else, like download.php?file=index.php
If you protect the download script so that only admins are allowed to download files, then obviously no one other than admins can traverse through your directories like that. Still, you should fix that hole.
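A hardened version of the handler Oxidiser sketched earlier in the thread, which also closes the traversal hole kaisellgren points out above. This is an added example, not code posted in the thread: it assumes the PDFs have been moved to /var/www/private/pdfs (outside the document root, as advised), that the existing login code sets a hypothetical $_SESSION['user_id'], and that links now point at download.php?file=name.pdf. The .htaccess rewrite from the thread can stay while links are migrated, but once the files live outside the web root the old public folder can simply be deleted, which also stops Google indexing it.

```php
<?php
// Added example (not code from the thread): download handler that keeps the
// PDFs outside DocumentRoot and confines every request to that directory.
// Assumed: PDF_DIR exists outside the web root, and the login page already
// sets $_SESSION['user_id'] (hypothetical session key).
declare(strict_types=1);

const PDF_DIR = '/var/www/private/pdfs';   // assumed location, not under DocumentRoot

/**
 * Map a user-supplied name onto a file inside $baseDir, or return null.
 * Rejects path separators, NUL bytes, dotfiles and anything that resolves
 * outside $baseDir, so "../../../etc/passwd", "../download.php" and
 * "x.pdf/../index.php" are all refused before the filesystem is touched.
 */
function resolve_pdf(string $requested, string $baseDir = PDF_DIR): ?string
{
    // No directory components at all: one flat directory of PDFs.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    // Allow-list the characters, forbid a leading dot, require .pdf.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.pdf$/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved symlinks and "..", so a prefix check is reliable.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Send one PDF with correct headers and nothing else in the body. */
function send_pdf(string $path): void
{
    // Any stray output (BOM, whitespace, PHP warning) before the headers is
    // what produces the "corrupted PDF" symptom, so discard the buffer first.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    header('Content-Type: application/pdf');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

session_start();

// 1. Authenticate before the file name is even looked at.
if (empty($_SESSION['user_id'])) {          // hypothetical session key
    http_response_code(401);
    exit('Login required');
}

// 2. Validate and confine the requested name.
$path = resolve_pdf($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);               // same answer for "missing" and "forbidden"
    exit('No such file');
}

// 3. Stream the file and stop, so no trailing output follows the PDF bytes.
send_pdf($path);
exit;
```

The order matters: the session check runs first so an anonymous request never reaches the filesystem, the name is rejected by allow-list before realpath() is called, and the realpath prefix comparison is kept as a second line of defence in case the allow-list is loosened later. Returning 404 for both unknown and disallowed names avoids confirming which files exist.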
Re: URL Security
Posted: Wed Feb 18, 2009 11:20 pm
by rashmisharma
How do I protect my download.php? If I put it outside my root folder then how will I access it?
While using the download.php file I'm getting the following error:
Warning: filesize() [function.filesize]: stat failed for
Warning: Cannot modify header information - headers already sent by (output started at
Warning: readfile() [function.readfile]: failed to open stream: No such file or directory in on line 46
Re: URL Security
Posted: Thu Feb 19, 2009 7:03 am
by kaisellgren
rashmisharma wrote:How do I protect my download.php? If I put it outside my root folder then how will I access it?
While using the download.php file I'm getting the following error:
Warning: filesize() [function.filesize]: stat failed for
Warning: Cannot modify header information - headers already sent by (output started at
Warning: readfile() [function.readfile]: failed to open stream: No such file or directory in on line 46
You do not put download.php outside the document root, you put the files outside the document root.
Your script is unable to locate the file, it seems.