Our site is powered by Wordpress and I'm using a plugin which allows users to upload files. We have reasonable security in place to prevent malicious files from getting loaded to the server by users, but those files are then directly accessible to the public. For example, anyone can directly access any of those files like so:
http://www.website.com/path/to/files/file_1.pdf
http://www.website.com/path/to/files/file_2.pdf
http://www.website.com/path/to/files/file_3.docx
This is a security/privacy problem because those files could contain personal data that should not be available to anyone.
I know I can block access to the entire directory using .htaccess but then the plugin will stop working. Instead, I think I need to use .htaccess to redirect those requests to a script which checks if the current user is authorized to view them. The tricky part is that direct requests to those files bypass the Wordpress app, so none of the core functions (like is_user_logged_in()) are available if I redirect to some intermediary page.
It seems like I either need to write a script to check for the Wordpress authorization cookies manually (which sounds like a huge hassle) or somehow loop in Wordpress.
Any suggestions for an elegant way to add this security layer without breaking the plugin?
Related
I am stuck on this part of my laravel application, Where I am asked to protect the files from directly accessed via url browser hit.
I have a public folder in which in a doc folder is present where all the documents are going to be uploaded. I just need a solution to prevent this where i can access docs directly from my application but any third party visitor can not view my docs (images,pdfs etc..).
I have tried many solutions but its not at all working.
I just want to things :-
1. Protect my docs through direct access.
2. Way of implementing it in laravel (via .htaccess)
I know this can be possible through htaccess, but how?
Kindly help Please :)
Add in your upload folder .htaccess file with content:
Deny from all
There are three approaches I can think of just now;
You intercept all image and video requests with Laravel, then using the router, serve up the content that the user was after, provided they are authorised. THIS WILL BE SLOW!.
You rely on obscurity and put all that clients images, videos etc in a folder that has a long-unguessable random url. You can then link to the content in your code using the 'static' folder name. The customer's content will always be in that folder and accessible if they log in or not. The advantage of this compared to 1 is that your framework does not have to boot for every image or video.
Have all the content hidden away - possibly in the storage folder. When the user logs in, create a temporary symbolic link between their public folder and their folder in storage. Keep a note of the link in the session. Use the link in all gallery etc rather than the static code used in (2) above. Once they log out the code will no longer be valid, and you can delete the symbolic link on logout or have a job to tidy it up periodically.
I have a web folder that I would like to restrict access to via password protection. I would like to have multiple user accounts so .htpassword may not be the answer here. The folder contains web pages and .exe files for download and I would like to ensure someone cannot access an exe file just by knowing the URL.
Is there any way to use PHP to limit access to all contents in a folder or would it be best to just use a PHP page to launch file downloads and never expose the exe's URL?
Thanks
There is no way to protect a directory with php. You could always create seperate htaccess files in subdirectories and do a require a user but you'd probably be better off just using a php login, in addition a login form and logout looks much more professional.
you can't authenticate straight using php, but you can use a database, here is a example of htaccess check in databases, and that database can be updated by PHP, so you've got esentially the same thing
I'm trying to create an UnderConstruction page for my new site.
I would like to retain all the core files (files that are part of the site) without modification while I try to implement this. This includes leaving the index.php intact.
Currently, I have an .htaccess setup to authenticate on any access to the site.
I want to redirect any user accessing any page (at least the index.php) to an UnderConstruction page and then leave a link there which my dev team could use to authenticate themselves and continue using the site as usual.
But in order to leave the core files intact, I would have to initiate the htaccess type authentication & then in index.php (assuming that index.php is excluded from the cuth) check the auth status.
I tried to play around with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] but these (as I understand) requires me to manually implement the authentication scheme (ie checking against a list of username & passwords).
I'm working on an apache with php5 on a linux server.
Any ideas?
You should just mirror the dev version of the site to a subdomain like dev.mysite.com and then keep the under construction stuff on the main domain. This way you can secure the dev domain and still keep your under construction page going and the two will be isolated.
put this on htacces for each file u wanna lock
Redirect /file.extension http://www.uroot.com/index.php
I know it's practically impossible to not allow a user to download an mp3 file with all the various methods out there. But I'm stuck in a situation where i need to make things slightly more private/secure for my customers.
Here's my problem, I'm currently using this flash mp3 player http://www.flabell.com/flash/Flash-Mp3-Player-29 to stream/play the songs. The player uses xml for settings & playlist. I'm also using WordPress & the S2Member plugin.
I'm trying to allow the player to play songs but yet do not allow users to download/opening the direct links to the files. (eg: songs are located at domain.com/player/songs/*.mp3, script is in a level up). Is there a htaccess method to deny direct access but yet allow (local) scripts to call the file?
Also, I mentioned about S2Member plugin for WordPress.
The WordPress plugin has a built in restriction to as where logged in users can download files that are hidden from open access. So in order to download a song, u'll have to use domain.com/s2script_download?file=mysong.mp3.
The folder that hosts the files has a .htaccess with a "Deny All" in it. Is it possible to reuse this folder to play/stream songs with the flash player mentioned above?
To the best of my knowledge this isn't possible. Yes, it's possible to deny access to the outside world, while allowing access to local scripts. But Flash isn't a local script. All things being equal, a Flash app requesting a file is no different than a browser requesting a file. You can't block one without blocking the other.
The only solution that even comes to my mind is having the Flash app request the file with a special query string, i.e. /somesong.mp3?fromflash. Off course that won't stop most people from getting the song, but it could stop some people.
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done ?
Alternatively, how can I protect this script so that it can only be called from a specific page or script?
Also how can I hide the exact URI from appearing on the address bar?
Thanks !
If you are running Apache for your webserver, you can protect it with a username/password combo using .htaccess. It takes a little configuration if your server is not already configured to allow .htaccess. Here are the Apache docs.
If you need authentication based on application-specific factors, you can put something at the top of your script like
<?php
if(!$user->isLoggedIn()) {
// do 404
header('HTTP/1.0 404 Not Found');
}
Do you have a question about how you would implement isLoggedIn?
You can also use mod_rewrite to rewrite URIs, and those directives can go inside your .htaccess as well. mod_rewrite can rewrite incoming requests transparently (from the browser's perspective) so a request for /foo/bar can be translated into secret_script.php/foo/bar. Docs for mod_rewrite.
However you decide to implement this, I would urge you to not rely solely on the fact that your script's name is obscure as a means to secure your application. At the very least, use .htaccess with some per-user authentication, and consider having your application authenticate users as well.
As Jesse says, it's possible to restrict your script to logged in users. There are a large number of questions on this already. Search for PHP authentication.
However, it is not possible to restrict it to a single application. It is fairly simple to use a program like Wireshark to see exactly how the program logs in and makes request. At that point, they can reproduce its behavior manually or in their own application.
There are a variety of different ways that you could go about securing a script. All have pluses and minuses, and its likely that the correct answer for your situation will be a combination of several.
Like mentioned, you could lock down the account with Apache...it's a good start. Similarly, you could build a powerful 'salt-ed' security system such as this: http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/ If you use SSL as well, you're essentially getting yourself security like banks use on their websites--not perfect, but certainly not easy to break into.
But there are other ideas to consider too. Park your script in a class file that sits inaccessible via direct URI, then do calls to the various functions from an intermediary view script. Not perfect, but it does limit the ways that someone could directly access the file. Consider adding a "qualifier" to the URL via a simple get--have the script check for the qualifier or fail....again, not a great solution on its own, but one additional layer to dissuade the bad guys. If you have control of who's getting access (know exactly which networks) you could even go so far as to limit the IP's or the http referers that are allowed to access the file. Consider setting and checking cookies, with a clear expiration. Don't forget to set your robots file so the browsers don't stumble upon the script your trying to protect.
A while back my company did a membership app using Delphi on the front end, talking to php and MySql on the backend....it was a bit clunky given that we were all web application developers. If you're so inclined, perhaps Adobe Flex might be an option. But ultimately, you'll have to open a door that the application could talk to, and if someone was determined, theoretically they could dig through your app to find the credentials and use them to gain instant access to the site. If you're going the desktop app route, perhaps its time to consider having the app avoid talking to an intermediary script and do its work on the local machine, communicating the db that sits remote.
you can use deny access on .htaccess on a folder with a php authentification that will redirect to those php file