alt.apache.configuration - Apache web server configuration issues.
#1

Hello everyone!

I have a PHP-based application (MediaWiki) installed on a Linux box (CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password protected; however, even without logging in one can view our images and documents by simply typing in the full URL to it.

So here is my question: is there a way to ban Apache from displaying files that the user has not been redirected to following a legitimate login?

Thanks in advance.

Boris.
#2

On Fri, 18 Jan 2008 10:39:39 -0800 (PST), Boris Epstein
<borepstein@gmail.com> wrote:

> Hello everyone!
>
> I have a PHP-based application (MediaWiki) installed on a Linux box
> (CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
> protected; however, even without logging in one can view our images
> and documents by simply typing in the full URL to it.

Which means it is not password protected.

> So here is my question: is there a way to ban Apache from displaying
> files that the user has not been redirected to following a legitimate
> login?

Two possibilities:

1- use wiki software with better protection

2- redirect to a PHP script which only sends the requested document or image if the session belongs to a logged in user, and redirect to the login page if it doesn't, or if there is no session at all.
Details can be found in the PHP docs and with a search on Google.

> Thanks in advance.
>
> Boris.

HTH
--
( Kees
)
c[_] The greatest of faults is to be conscious of none.
(Thomas Carlyle) (#304)
#3

On Jan 18, 2:06 pm, Kees Nuyt <k.n...@nospam.demon.nl> wrote:
> On Fri, 18 Jan 2008 10:39:39 -0800 (PST), Boris Epstein
> <borepst...@gmail.com> wrote:
> > Hello everyone!
> >
> > I have a PHP-based application (MediaWiki) installed on a Linux box
> > (CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
> > protected; however, even without logging in one can view our images
> > and documents by simply typing in the full URL to it.
>
> Which means it is not password protected.

Well, it is partially protected - the Wiki pages you cannot see without logging in first. However, if you just type in something like:

http://the_site/images/h/h8/sample_file.pdf

you can read the PDF.

> > So here is my question: is there a way to ban Apache from displaying
> > files that the user has not been redirected to following a legitimate
> > login?
>
> Two possibilities:
> 1- use wiki software with better protection
>
> 2- redirect to a PHP script which only sends the requested
> document or image if the session belongs to a logged in
> user, and redirect to the login page if it doesn't, or if
> there is no session at all.
> Details can be found in the PHP docs and with a search on
> Google.

Neither will work - if you type in the full URL to the image/PDF file you bypass both the Wiki and the PHP engine.

> > Thanks in advance.
> >
> > Boris.
>
> HTH
> --
> ( Kees
> )
> c[_] The greatest of faults is to be conscious of none.
> (Thomas Carlyle) (#304)
#4

On Fri, 18 Jan 2008 11:47:15 -0800 (PST), Boris Epstein
<borepstein@gmail.com> wrote:

> On Jan 18, 2:06 pm, Kees Nuyt <k.n...@nospam.demon.nl> wrote:
> > On Fri, 18 Jan 2008 10:39:39 -0800 (PST), Boris Epstein
> > <borepst...@gmail.com> wrote:
> > > Hello everyone!
> > >
> > > I have a PHP-based application (MediaWiki) installed on a Linux box
> > > (CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
> > > protected; however, even without logging in one can view our images
> > > and documents by simply typing in the full URL to it.
> >
> > Which means it is not password protected.
>
> Well, it is partially protected - the Wiki pages you can not see
> without logging in first. However, if you just type in something like:
> http://the_site/images/h/h8/sample_file.pdf

That's what I mean: it's not protected.

> you can read the PDF.
>
> > > So here is my question: is there a way to ban Apache from displaying
> > > files that the user has not been redirected to following a legitimate
> > > login?
> >
> > Two possibilities:
> > 1- use wiki software with better protection
> >
> > 2- redirect to a PHP script which only sends the requested
> > document or image if the session belongs to a logged in
> > user, and redirect to the login page if it doesn't, or if
> > there is no session at all.
> > Details can be found in the PHP docs and with a search on
> > Google.
>
> Neither will work - if you type in the full URL to the image/PDF file
> you bypass both the Wiki and the PHP engine.

Not if you rewrite all URLs that point to the protected files to that particular PHP script. I'm sorry, I mistakenly wrote redirect where I meant rewrite.

Additional measures: in some situations you can afford to move the protected files outside the DocumentRoot, but in a content management system like a wiki that might be hard to do, because the functions to upload contents would fail. So I didn't mention that one.

> > > Thanks in advance.
> > >
> > > Boris.

Good luck!
--
( Kees
)
c[_] Prune: A plum that has seen better days. (#416)
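A concrete form of the rewrite-plus-gatekeeper approach described in this thread (rewrite every request for an upload to a PHP script, serve the file only to a logged-in session, otherwise send the visitor to the login page). This is an added example, not code from the thread or from MediaWiki; the .htaccess rule, the script name serve_file.php and the session key it checks are assumptions, and it is written in the PHP 5.1 syntax of the poster's setup.

```php
<?php
// Added example, not from the thread: a gatekeeper for the wiki's upload
// directory, written for the PHP 5.1 / Apache 2.2 versions named in the post.
//
// Apache side (assumed .htaccess in the wiki's DocumentRoot): hand every
// request under /images/ to this script instead of serving the file itself.
//
//   RewriteEngine On
//   RewriteRule ^images/(.*)$ /serve_file.php?f=$1 [L,QSA]

session_start();

// ASSUMPTION: the wiki records its logged-in state under its own session
// keys; replace this placeholder with the real check for your installation.
function isLoggedIn()
{
    return !empty($_SESSION['logged_in']);
}

// Only hand out known document/image types, each with a fixed Content-Type.
$types = array('pdf' => 'application/pdf', 'png' => 'image/png',
               'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif');
$imagesDir = realpath(dirname(__FILE__) . '/images');   // the upload directory
$requested = isset($_GET['f']) ? (string) $_GET['f'] : '';

if (!isLoggedIn()) {
    // No valid session: send the visitor to the login page, never the file.
    header('Location: /index.php?title=Special:UserLogin', true, 302);
    exit;
}

// Resolve the requested path and insist it stays inside the upload directory,
// so a "../" in the f parameter cannot walk out through the gatekeeper.
$path = realpath($imagesDir . '/' . $requested);
if ($path === false || !is_file($path)
    || strpos($path, $imagesDir . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
readfile($path);
```

The rewrite only helps if nothing else serves /images/ directly, so verify after deploying that fetching a known upload URL without a session returns the login redirect rather than the file.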
#5

"Boris Epstein" <borepstein@gmail.com> wrote in message
news:1ce81d8d-9e2e-41e3-8a0a-923536f58a67@k39g2000hsf.googlegroups.com...

> So here is my question: is there a way to ban Apache from displaying
> files that the user has not been redirected to following a legitimate
> login?

Although it can be forged, you could check the HTTP_REFERER field to see if the hostname it contains is your (virtual) host. If it's not, you should probably serve a different resource in its place. This step should probably be used in combination with other methods suggested.