WebApp Sec mailing list archives
Re: Controlling access to pdf/doc files
From: Blasted <blasted () tech9security com>
Date: Tue, 24 Feb 2004 17:10:53 -0600
You could just have the application, for example if it was in php, open (fopen()) the file (which is stored outside the webroot), then print some headers for content type etc, and have it spit out (fpassthru()) the file. Then you would check the session etc as normal within the script/application. The user would see it as if they downloaded the file directly, but no one could access the file directly.

-david

On Tuesday 24 February 2004 09:21, Sangita Pakala wrote:
> Hi,
>
> Could I have the list's thoughts on an answer we are preparing for the next version of the AppSec FAQ at OWASP.
>
> Question - How can I ensure my application allows only authenticated users access to files like *.pdf or *.doc?
>
> Issue - Suppose a web site, say a bank site, displays the user's account statement as a .doc file. What if someone tries to access this file by typing its full URL into the address bar? How does the application check whether the user trying to access the file is the authenticated user and that the session has not expired?
>
> Solution - One solution is to have a random number for the name of the file or the folder containing it. This random number could even be related to the session token of the user. This file/folder should then be deleted as soon as the user's session has expired.
>
> Are there better methods available to address this issue? Can the web server run a server side program to verify the session token before serving the final GET request for the file?
>
> Thanks,
> Sangita.
>
> OWASP AppSec FAQ http://www.owasp.org/documentation/appsecfaq
> Paladion Networks http://www.paladion.net
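The gatekeeper script described in the reply above, as an added example that is not part of the original message or of the OWASP FAQ. The storage directory, the `user_id` session key, the `doc` query parameter and the one-directory-per-user layout are all assumptions made for illustration.

```php
<?php
// Added example. Assumed names: STORE_DIR, $_SESSION['user_id'],
// the "doc" query parameter, and one sub-directory per user.
declare(strict_types=1);

const STORE_DIR = '/srv/private_docs';   // assumption: outside the web root
const TYPES = ['pdf' => 'application/pdf', 'doc' => 'application/msword'];

// Map a requested name to a real file inside the caller's own directory.
// basename() drops any path components; the realpath() prefix check also
// rejects symlinks that point outside that directory.
function resolve_document(string $userId, string $requested): ?string
{
    $userDir = realpath(STORE_DIR . '/' . basename($userId));
    if ($userDir === false) {
        return null;
    }
    $path = realpath($userDir . '/' . basename($requested));
    if ($path === false || !is_file($path)
        || strpos($path, $userDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(TYPES[$ext]) ? $path : null;
}

session_start();                          // an expired session has no user_id
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authenticated');
}

$path = resolve_document((string) $_SESSION['user_id'], (string) ($_GET['doc'] ?? ''));
$fh = ($path !== null) ? fopen($path, 'rb') : false;
if ($fh === false) {
    http_response_code(404);              // same answer for missing and foreign files
    exit('Not found');
}

// Headers first, then stream the file as the reply describes.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: ' . TYPES[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Cache-Control: private, no-store');
fpassthru($fh);
fclose($fh);
```

Because the files live outside the web root, the only route to them is through this script, so the session and ownership checks run on every request.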