Jump to content


Photo

Security and PDF files

pdf security

  • Please log in to reply
2 replies to this topic

#1 sf_guy

sf_guy

    Member

  • Members
  • PipPip
  • 23 posts

Posted 17 May 2013 - 11:38 AM

All of my PHP files are secured by session checks, but I've found a possible security problem and am looking for ideas of how to fix it.

 

Several of my PHP pages are custom built by the end user dropping files into a directory (write access to this directory is restricted).

 

My PHP code recursively walks through the directory and builds links to all of the files there. It also strips the extension. The users give the files logical names so the links look good.

 

For example, if they put "How to Fish.docx" into the subdirectory "Fishing" the end HTML code, generated by PHP will look something like this:

<h3>Fishing</h3>
<a href="How%20to%20Fish.docx" target="_blank">How to 
Fish</a><br>

etc.

 

The security problem is that they can now make a direct link to the "How to Fish" document and save it as a favorite and bypass all security checking done by the PHP pages.

 

Is it possible to write some type of "trigger" code that will launch the PHP login page whenever a user tries to access a page in a certain directory? I've seen web sites that do this, but am not quite sure how.

 

Is there another, simpler solution? Thanks!


Edited by sf_guy, 17 May 2013 - 11:51 AM.


#2 requinix

requinix

    Transforming Moderator

  • Moderators
  • 6,151 posts
  • LocationWA

Posted 17 May 2013 - 12:20 PM

Move the files someplace not web accessible and then make a PHP script which reads and outputs them.
<a href="download.php?file=How%20to%20Fish.docx" target="_blank">How to Fish</a>
Be sure to validate that file name: doesn't contain any directory information, file exists, etc. readfile is one way to output them, as in
header("Content-Type: application/octet-stream");
header("Content-Length: " . filesize($file));
header("Content-Disposition: attachment; filename=\"" . basename($file) . "\"");
readfile($file);
Once that's done you can make the URLs look nicer (if that's a concern) with URL rewriting.

#3 ignace

ignace

    Now mod flavored

  • Moderators
  • 6,253 posts
  • LocationBelgium

Posted 18 May 2013 - 02:06 AM

Be sure to validate that file name: doesn't contain any directory information, file exists, etc. readfile is one way to output them


By that he means make sure the following and any derivatives thereof does not work:
 
download.php?file=download.php <-- should NOT work
The reason being that it could compromise your website and allow hackers to download sensitive information.

Edited by ignace, 18 May 2013 - 02:09 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Cheap Linux VPS from $5
SSD Storage, 30 day Guarantee
1 TB of BW, 100% Network Uptime

AlphaBit.com