Author Topic: Download Gallery security issue: anyone can download  (Read 762 times)
lausianne
WebsiteBaker Org e.V.
Posts: 155
« on: June 30, 2008, 09:02:34 AM »

Hi,

I just noticed that anyone can download files in my download gallery media directory. I have a few files that are only meant for registered users. Only these users can open the Download Gallery page on my website and download files there. Fine.

But: whoever knows or guesses a download link (e.g. http://www.asdf.org/modules/download_gallery/dlc.php?file=123), can download the file. Since the files have numbers, you don't even need to guess the filename. Simply try numbers from 1 upwards ...

Is there any way to restrict access to these files?

I'd appreciate your suggestions.

Cheers, Ralf.

doc
Guest
« Reply #1 on: June 30, 2008, 03:55:03 PM »

Hello,

The download gallery was never intended for secure file downloads. If your web host uses Apache as its server and allows you to create your own .htaccess files, the following workaround should help.

a) create a new folder for the secure files e.g. /media/secure/
b) protect the directory using Apache .htaccess (see WWW or Bookmark section on help website for details)
c) upload your secure files to this directory
d) select the files in this folder via DLG
e) try it

Regards Christian

P.S.: If you have some knowledge of PHP, you may want to use the PEAR HTTP_Downloads package to create your own download script for "secured" downloads.
lausianne
« Reply #2 on: July 04, 2008, 05:51:34 PM »

Hi Christian,

Thanks for your reply. I cannot use htaccess directly, but I can protect folders through the web server interface, which should do the same. I will try what you suggested and let you know how it went.

Could I not simply protect the download gallery folder itself?

I don't have enough knowledge to use the PEAR package, unfortunately ...

Cheers,
Ralf.

doc
Guest
« Reply #3 on: July 06, 2008, 09:11:23 PM »

Hello,

The easiest way to protect a folder and the files contained in it is using htaccess.
Another possibility is to write a secure download gallery which "hides" the true file name. There are scripts available on the WWW which make use of the PEAR_Download package.

Christian
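
A sketch of the "secure download script" idea from Reply #1 and Reply #3, added here as an example; it is not code from this thread or from the Download Gallery module, and it uses plain PHP rather than the PEAR package. Assumptions: the script (hypothetical name `secure_dl.php`) shares the CMS login session, that session stores the user id in `$_SESSION['USER_ID']`, and the files sit in a directory outside the web root.

```php
<?php
// Added example: session-gated download script (hypothetical secure_dl.php).
// Assumption: the session is started the same way the CMS starts it and the
// login stores the user id in $_SESSION['USER_ID'].
session_start();

const STORE_DIR = '/home/example/private_downloads'; // constructed path, not web-accessible

// Constructed id => file map; a real gallery would read this from its database.
$files = [
    1 => 'members-handbook.pdf',
    2 => 'price-list-2008.xls',
];

function deny(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($msg);
}

// 1. Check the login on every download request, not only on the page with the links.
if (empty($_SESSION['USER_ID'])) {
    deny(403, 'Login required.');
}

// 2. Accept only an integer id that exists in the map; the client never sends a path.
$id = filter_input(INPUT_GET, 'file', FILTER_VALIDATE_INT);
if ($id === false || $id === null || !isset($files[$id])) {
    deny(404, 'No such file.');
}

// 3. Resolve the path and confirm it really lies inside the store directory.
$base = realpath(STORE_DIR);
$path = realpath(STORE_DIR . '/' . $files[$id]);
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    deny(404, 'No such file.');
}

// 4. Stream the file as an attachment; its real location is never exposed as a URL.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this layout, counting through `?file=1`, `?file=2`, ... without a valid login session only ever returns 403, and the stored files have no direct URL to guess.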
lausianne
« Reply #4 on: July 07, 2008, 08:45:02 AM »

Hi,

Thanks for the hint about PEAR. I found this on their site:
http://pear.php.net/package/HTTP_Download/

I think that would do it, if I knew how to use it. Not there yet.
Still waiting for my provider to let me protect my folders ...

Cheers,
Ralf.

080709: Ok, I protected the download gallery folder. Now, when you click on the download link, you have to enter username and password to actually download. Not ideal, but acceptable, and safe enough ...
« Last Edit: July 09, 2008, 11:26:27 AM by lausianne »
doc
Guest
« Reply #5 on: July 07, 2008, 11:15:15 AM »

Hello,

German users can have a look at the Pear OpenBook. Chapter 6 shows how to use the HTTP packages.

Christian