Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







WebApp Sec: RE: Controlling access to pdf/doc files

RE: Controlling access to pdf/doc files

From: Sangita Pakala <sangita.pakala_at_paladion.net>
Date: Sat, 28 Feb 2004 18:49:29 +0530

Hi All,

Thanks a lot for all those ideas that we received on and off the list.

The best way to handle this issue seems to be by storing the file in the
database as a BLOB. Use data streams to display it on the browser after
checking that the user is an authenticated user and the session is
valid.

The other solutions involved placing the file outside the web root and
using file system permissions or authorization modules or generating the
files on the fly.

Thanks,
Sangita.

OWASP AppSec FAQ
http://www.owasp.org/documentation/appsecfaq

Paladion Networks
http://www.paladion.net

-----Original Message-----
From: Mark Curphey [mailto:mark_at_curphey.com]
Sent: Wednesday, February 25, 2004 2:50 AM
To: Sangita Pakala; webappsec_at_securityfocus.com
Subject: Re: Controlling access to pdf/doc files

Why does it need to be a file ?

I would approach this by storing the data in an object and streaming it
to the browser after having made an authorization check. Check the
session context, call the method and read the data from the users
object. Then stream it to the browser. No need to cache it in a file.
Bad for performance and security.

As always designing better solutions is cheaper than fixing bad ones ;-)

---- Sangita Pakala <sangita.pakala_at_paladion.net> wrote:
> Hi,
>
> Could I have the list's thoughts on an answer we are preparing for the
> next version of the AppSec FAQ at OWASP.
>
> Question - How can I ensure my application allows only authenticated
> users access to files like *.pdf or *.doc?
>
> Issue - Suppose a web site, say a bank site, displays the user's
account
> statement as a .doc file. What if someone tries to access this file by
> typing its full URL into the address bar? How does the application
check
> whether the user trying to access the file is the authenticated user
and
> that the session has not expired?
>
> Solution - One solution is to have a random number for the name of the
> file or the folder containing it. This random number could even be
> related to the session token of the user. This file/folder should then
> be deleted as soon as the user's session has expired.
>
> Are there better methods available to address this issue? Can the web
> server run a server side program to verify the session token before
> serving the final GET request for the file?
>
>
> Thanks,
> Sangita.
>
> OWASP AppSec FAQ
> http://www.owasp.org/documentation/appsecfaq
>
> Paladion Networks
> http://www.paladion.net
>
>
>
>
>
>
>
>
>
Received on Feb 28 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]