sf_guy Posted May 17, 2013 Share Posted May 17, 2013 (edited) All of my PHP files are secured by session checks, but I've found a possible security problem and am looking for ideas of how to fix it. Several of my PHP pages are custom built by the end user dropping files into a directory (write access to this directory is restricted). My PHP code recursively walks through the directory and builds links to all of the files there. It also strips the extension. The users give the files logical names so the links look good. For example, if they put "How to Fish.docx" into the subdirectory "Fishing" the end HTML code, generated by PHP will look something like this: <h3>Fishing</h3> <a href="How%20to%20Fish.docx" target="_blank">How to Fish</a><br> etc. The security problem is that they can now make a direct link to the "How to Fish" document and save it as a favorite and bypass all security checking done by the PHP pages. Is it possible to write some type of "trigger" code that will launch the PHP login page whenever a user tries to access a page in a certain directory? I've seen web sites that do this, but am not quite sure how. Is there another, simpler solution? Thanks! Edited May 17, 2013 by sf_guy Quote Link to comment Share on other sites More sharing options...
requinix Posted May 17, 2013 Share Posted May 17, 2013 Move the files someplace not web accessible and then make a PHP script which reads and outputs them. <a href="download.php?file=How%20to%20Fish.docx" target="_blank">How to Fish</a>Be sure to validate that file name: doesn't contain any directory information, file exists, etc. readfile is one way to output them, as in header("Content-Type: application/octet-stream"); header("Content-Length: " . filesize($file)); header("Content-Disposition: attachment; filename=\"" . basename($file) . "\""); readfile($file);Once that's done you can make the URLs look nicer (if that's a concern) with URL rewriting. Quote Link to comment Share on other sites More sharing options...
ignace Posted May 18, 2013 Share Posted May 18, 2013 (edited) Be sure to validate that file name: doesn't contain any directory information, file exists, etc. readfile is one way to output them By that he means make sure the following and any derivatives thereof does not work: download.php?file=download.php <-- should NOT workThe reason being that it could compromise your website and allow hackers to download sensitive information. Edited May 18, 2013 by ignace Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.