51
percheron
Re: Mydownloads module modified
  • 2004/2/28 3:33

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


Samuels,
I am trying to figure out the security "angle". Despite requiring logins and using group security and mime type limits, the uploads area seems very exposed. I have installed an index.php in the modules/mydownloads/uploads directory that redirects to the home page. However, if you know the file name it is a simple matter to download from the uploads directory.

Example would be a file called "salaries.doc" in uploads. If an employee is dismissed from the company, but knows the file link: "../modules/mydownloads/uploads/salaries.doc" he can download it even if his login is revoked.

Do you have any suggestions for implementing better security while continuing to allow file uploads from authorized group members?

Thanks again,
jim

52
Dave_L
Re: Mydownloads module modified
  • 2004/2/28 4:00

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


A more secure method would be to locate the files in a directory not accessible to a web browser (outside the web document root or protected by an .htaccess file), and have the download script read the file and output it to the browser.

53
percheron
Re: Mydownloads module modified
  • 2004/2/28 4:11

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


Dave, thanks for the reply. Could you give me an example of where you would store the uploads directory and what permissions it should have to achieve the security, but still allow approved XOOPS group members to upload/download?

I feel like I am getting closer to having a working downloads environment, so thanks everyone for the help!

jim

54
Dave_L
Re: Mydownloads module modified
  • 2004/2/28 5:02

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


The method I described is not achieveable simply by setting permissions. It would also require modifying the download script. At least I assume it would; I haven't looked at the script.

Another approach I've seen, that's not quite so secure, is copying the file to be downloaded to a temporary file and then redirecting to that file. I don't recall the exact details, but osCommerce has an option to do this. But that would also require modifying the script.

55
percheron
Re: Mydownloads module modified
  • 2004/2/28 5:25

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


OK, I will try to poke through the scripts to see what maybe can be done with a hack.

Thanks again,
jim

56
samuels
Re: Mydownloads module modified
  • 2004/3/1 20:17

  • samuels

  • Quite a regular

  • Posts: 249

  • Since: 2003/10/30


NEW VERSION, Download it again.

-Solved permission problems in topten.php and blocks.
Now downloads without permission are totally hided.
-Solved some language bugs.

In next release I will update the module with changes made since XOOPS 2.06.

57
percheron
Re: Mydownloads module modified
  • 2004/3/1 23:28

  • percheron

  • Just popping in

  • Posts: 10

  • Since: 2002/9/8 0


Samuels, thanks for the update. I have downloaded and tested the latest version, but I'm afraid the security problem still exists. If you know the file name, you can simply download the file without logging in to anything.

I have tried .htaccess but so far I can only turn off access to the uploads directory, which turns it off for registered XOOPS users as well so no one can download.

I believe some of the other php file management modules that I've seen use php rather http to download the files so they are not accessible without logging in to whatever php login mechanism is in place.

Thanks again for all your work. I will continue to look for something to fix this security problem.

jim

58
tacoco
Re: Mydownloads module modified
  • 2004/3/2 0:59

  • tacoco

  • Just popping in

  • Posts: 6

  • Since: 2004/2/13


Mr.Samuels-san

Thank you again for the new release.
Question, should I reintall or is there way to just switch updated file?

Oh, I know this is stupid one,nothing related to your work but...What do I have to do so multiple user can use single EMAIL under different name. Like myself,I wanted to use multiple account using same email add, but everytime I get this 'this email been used" warning. Anyone? help me.

59
tacoco
Re: Mydownloads module modified
  • 2004/3/2 1:02

  • tacoco

  • Just popping in

  • Posts: 6

  • Since: 2004/2/13


Mr.Samuels-san

Thank you again for the new release.
Question, should I reintall or is there way to just switch updated file?

Oh, I know this is stupid one,nothing related to your work but...What do I have to do so multiple user can use single EMAIL under different name. Like myself,I wanted to use multiple account using same email add, but everytime I get this 'this email been used" warning. Anyone? help me.

60
samuels
Re: Mydownloads module modified
  • 2004/3/2 8:46

  • samuels

  • Quite a regular

  • Posts: 249

  • Since: 2003/10/30


@tacoco
Only update.
About e-mail try to put the e-mail address directly in bd. (I think is better create another thread for discussing it).

Login

Who's Online

131 user(s) are online (53 user(s) are browsing Support Forums)


Members: 0


Guests: 131


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits