Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

Re: Controlling access to pdf/doc files
From: chasd () silveroaks com
Date: Wed, 25 Feb 2004 08:53:28 -0600
If I may, let me describe how a PDF-based application that we built works. 


Question - How can I ensure my application allows only authenticated
users access to files like *.pdf or *.doc?


and


Generate the PDF/DOC/whatever on the fly at the time of the request.
In our application, the FDF data is submitted over https to a ASP script that calls up PDF template files that the FDF data is inserted into, twice. One copy is encrypted and sent via e-mail to the home office, the other is fed back down to the client as a stream as others have suggested (over https). The PDF files with the data inserted only exists in memory on the server, and is never written to disk.
The end user's template file has a red warning message that says to save the file from the browser. This message does not print, it is only visible in a viewer. There is a button with a JavaScript action labeled "Save document" that brings up the save dialog. Another button with a JavaScript action goes to the home page URL.
The template for the home office does not have the end user features. We use the PDF encryption for this version. I know that this encryption is not as strong as other methods, but the client was comfortable with the usability trade-off. We use both password fields and use the maximum number of characters.
We like PDF better than MS Word format because the format is openly documented and many tools exists to generate and manipulate documents in that format. Readers for the format are freely available on multiple platforms.
Two issues we have run into are that Windows IE doesn't use the file name provided in the data stream, so we have to instruct users to name the the file correctly when it is saved. Other browsers/platforms do not have this problem and behave correctly. The other issue is that Adobe has not released a Acrobat browser plug-in for OS X. However, Reader version 6.x for OS X can submit form data. Previously only the full version of Acrobat could submit FDF data outside of a browser. 


Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265
chasd () silveroaks com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]