Directly viewing unauthorised files by url

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


phase
Forum Newbie
Posts: 24
Joined: Sun Jul 18, 2004 10:47 am

Directly viewing unauthorised files by url

Post by phase »

Hello everyone.

I have a problem with my current project and I really hope someone could shed some light on how to rectify it.

Currently I have a section for clients who can log in and download files in a specific folder.

For example, there will be 50 folders, client_1 to client_50.

If their session userid once logged in is 1, then they have access to client_1 files and no other. This is all working fine from the interface side of things; however, if client 1 wanted to view client 6's files, they can still do so by bypassing the website and entering a file URL directly...

I have secured the folder itself with .htaccess so they cannot type in...
http://www.mysite.com/files/client_6/
that would redirect them back to an appropriate page.

But a direct URL such as
http://www.mysite.com/files/client_6/image.jpg
would display the image.

What measures can I take to ensure this is no longer possible?

I would really appreciate some advice. Thanks all.

Phase
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Please show us your .htaccess file.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Load the image inside your PHP script.

Pseudo code:

<?php
session_start();
// Assumes the login code stored the numeric client id in $_SESSION['userid']
if (isset($_SESSION['userid']) && (int) $_SESSION['userid'] === 1) {
    header('Content-Type: image/jpeg');
    readfile('image.jpg');
}
This way, you can store your images outside of the webroot so people can't access them through the direct URL. Then you'd have a way of showing it to valid users by using the URL image_validating_script.php?image=image.jpg
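A fuller version of the approach s.dot describes, added here as an example and not code from the thread: the files sit outside the webroot, the folder is chosen from the session user id rather than from anything in the URL, and the requested name is reduced to a bare file name so it cannot escape that folder. The FILES_ROOT path, the `file` query parameter and the `$_SESSION['userid']` key are assumptions made for this example.

```php
<?php
// Added example (not from the thread): serve a client's file only after
// checking that the logged-in session user owns the folder being read.
// Assumptions: files live outside the webroot under FILES_ROOT as
// client_<id>/..., and the login code stores the numeric client id in
// $_SESSION['userid'].

declare(strict_types=1);

const FILES_ROOT = '/var/www/private_files'; // outside DocumentRoot (assumed path)

session_start();

// 1. Must be logged in with a numeric client id.
if (empty($_SESSION['userid']) || !ctype_digit((string) $_SESSION['userid'])) {
    http_response_code(403);
    exit('Not logged in');
}
$userId = (int) $_SESSION['userid'];

// 2. The only thing the client chooses is the file name, never the folder.
//    basename() strips any directory part, so "../client_6/secret.pdf"
//    collapses to "secret.pdf" and stays inside this user's folder.
$requested = basename((string) ($_GET['file'] ?? ''));
if ($requested === '' || $requested === '.' || $requested === '..') {
    http_response_code(400);
    exit('Bad file name');
}

// 3. Build the path from the *session* id, not from anything in the URL.
$dir     = FILES_ROOT . '/client_' . $userId;
$realDir = realpath($dir);
$path    = ($realDir === false) ? false : realpath($realDir . '/' . $requested);

// 4. realpath() resolves symlinks; confirm the result is still inside the
//    user's own folder (with a trailing separator, so client_1 does not
//    match client_10) and is a regular file before touching it.
if ($realDir === false || $path === false || !is_file($path)
    || strncmp($path, $realDir . DIRECTORY_SEPARATOR, strlen($realDir) + 1) !== 0) {
    http_response_code(404);
    exit('No such file');
}

// 5. Send it with an explicit content type and length, and tell the browser
//    not to sniff a different type out of the bytes.
$mime = mime_content_type($path) ?: 'application/octet-stream';
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $requested);
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The page would then link to getfile.php?file=image.jpg instead of the file's own URL, and since /var/www/private_files is never under DocumentRoot, typing http://www.mysite.com/files/client_6/image.jpg no longer reaches anything. Note that the script never reads a folder name from the request: client 1 cannot ask for client_6's files because the folder is derived from their own session id.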
ok
Forum Contributor
Posts: 393
Joined: Wed May 31, 2006 9:20 am
Location: The Holy Land

Post by ok »

Moreover, you can store your files in your DB.
For example:
You create a table called "files" with 2 columns, "file_name" and "file".
Then, you write a PHP script which gets the file_name, checks that the user is authorized, and then reads the content of the "file" column from the table in your DB.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

DB seems overkill for serving files... Using PHP to redirect a file to a user makes far more sense.