51
percheron
Re: Mydownloads module modified
  • 2004/2/28 3:33

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


Samuels,
I am trying to figure out the security "angle". Despite requiring logins and using group security and mime type limits, the uploads area seems very exposed. I have installed an index.php in the modules/mydownloads/uploads directory that redirects to the home page. However, if you know the file name it is a simple matter to download from the uploads directory.

Example would be a file called "salaries.doc" in uploads. If an employee is dismissed from the company, but knows the file link: "../modules/mydownloads/uploads/salaries.doc" he can download it even if his login is revoked.

Do you have any suggestions for implementing better security while continuing to allow file uploads from authorized group members?

Thanks again,
jim

52
Dave_L
Re: Mydownloads module modified
  • 2004/2/28 4:00

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


A more secure method would be to locate the files in a directory not accessible to a web browser (outside the web document root or protected by an .htaccess file), and have the download script read the file and output it to the browser.

53
percheron
Re: Mydownloads module modified
  • 2004/2/28 4:11

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


Dave, thanks for the reply. Could you give me an example of where you would store the uploads directory and what permissions it should have to achieve the security, but still allow approved XOOPS group members to upload/download?

I feel like I am getting closer to having a working downloads environment, so thanks everyone for the help!

jim

54
Dave_L
Re: Mydownloads module modified
  • 2004/2/28 5:02

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


The method I described is not achievable simply by setting permissions. It would also require modifying the download script. At least I assume it would; I haven't looked at the script.

Another approach I've seen, that's not quite so secure, is copying the file to be downloaded to a temporary file and then redirecting to that file. I don't recall the exact details, but osCommerce has an option to do this. But that would also require modifying the script.

55
percheron
Re: Mydownloads module modified
  • 2004/2/28 5:25

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


OK, I will try to poke through the scripts to see what maybe can be done with a hack.

Thanks again,
jim

56
samuels
Re: Mydownloads module modified
  • 2004/3/1 20:17

  • samuels

  • Quite a regular

  • Posts: 249

  • Since: 2003/10/30


NEW VERSION, Download it again.

-Solved permission problems in topten.php and blocks.
Now downloads without permission are totally hidden.
-Solved some language bugs.

In next release I will update the module with changes made since XOOPS 2.06.

57
percheron
Re: Mydownloads module modified
  • 2004/3/1 23:28

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


Samuels, thanks for the update. I have downloaded and tested the latest version, but I'm afraid the security problem still exists. If you know the file name, you can simply download the file without logging in to anything.

I have tried .htaccess but so far I can only turn off access to the uploads directory, which turns it off for registered XOOPS users as well so no one can download.

I believe some of the other PHP file management modules that I've seen use PHP rather than HTTP to download the files, so they are not accessible without logging in to whatever PHP login mechanism is in place.

Thanks again for all your work. I will continue to look for something to fix this security problem.

jim
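
The approach Dave_L outlines above (files kept where Apache cannot serve them, a script that checks the login and streams the file itself) is the "PHP rather than HTTP" pattern jim refers to in the last post. The following is an added example written for this thread; it is not code from the mydownloads module or from XOOPS. It assumes PHP 7.1 or later, a hypothetical storage directory `/var/www/private_uploads` outside the document root, and a hypothetical session layout (`$_SESSION['uid']` and `$_SESSION['groups']`) standing in for the real XOOPS member and group handlers.

```php
<?php
// Added example of a download gateway, not the module's own download script.
// Files are stored in a directory Apache never serves directly; this script
// checks the session, validates the requested name, and streams the file.

// Assumed paths and names: adjust to the real installation.
define('UPLOAD_STORE', '/var/www/private_uploads');   // outside DocumentRoot
define('ALLOWED_GROUP', 'downloaders');               // hypothetical group name

session_start();

// Hypothetical session check; a real XOOPS site would consult the member
// and group handlers instead of raw session keys.
function current_user_may_download(): bool
{
    return !empty($_SESSION['uid'])
        && in_array(ALLOWED_GROUP, $_SESSION['groups'] ?? [], true);
}

// Map a user-supplied name to a file inside UPLOAD_STORE, or null if the
// request is malformed, escapes the store, or does not exist.
function resolve_upload_path(string $requested): ?string
{
    // Accept a plain file name only: no path separators, no "..", no NUL,
    // and nothing starting with a dot (.htaccess, hidden files).
    if ($requested === ''
        || $requested !== basename($requested)
        || strpos($requested, "\0") !== false
        || $requested[0] === '.') {
        return null;
    }

    $store = realpath(UPLOAD_STORE);
    $path  = realpath(UPLOAD_STORE . DIRECTORY_SEPARATOR . $requested);

    // realpath() returns false for missing files and follows symlinks, so
    // confirm the resolved path is still inside the store before serving it.
    if ($store === false
        || $path === false
        || strncmp($path, $store . DIRECTORY_SEPARATOR, strlen($store) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Stream the file with headers that force a download and avoid caching.
function send_file(string $path): void
{
    // Keep the advertised file name to a safe character set.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    readfile($path);
}

if (!current_user_may_download()) {
    header('HTTP/1.1 403 Forbidden');
    exit('Login required.');
}

$path = resolve_upload_path($_GET['file'] ?? '');
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file.');
}

send_file($path);
```

The point of the pattern is that the browser never fetches the uploads directory directly, so the .htaccess that jim found "turns it off for registered XOOPS users as well" is the intended state: the directory is denied to everyone over HTTP (or, better, placed outside the document root), and the script reads it from disk on behalf of users it has already authenticated. A link such as `uploads/salaries.doc` then returns 403 regardless of who knows the name, and the only working link is `download.php?file=salaries.doc`, which fails once the login is revoked.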

58
tacoco
Re: Mydownloads module modified
  • 2004/3/2 0:59

  • tacoco

  • Just popping in

  • Posts: 6

  • Since: 2004/2/13


Mr.Samuels-san

Thank you again for the new release.
Question: should I reinstall, or is there a way to just switch the updated file?

Oh, I know this is a stupid one, nothing related to your work, but... what do I have to do so multiple users can use a single EMAIL under different names? Like myself, I wanted to use multiple accounts using the same email address, but every time I get this "this email has been used" warning. Anyone? Help me.

60
samuels
Re: Mydownloads module modified
  • 2004/3/2 8:46

  • samuels

  • Quite a regular

  • Posts: 249

  • Since: 2003/10/30


@tacoco
Only update.
About the e-mail, try to put the e-mail address directly in the DB. (I think it is better to create another thread for discussing it.)
