Restrict access to content via a signed URL in IIS? - iis

In the past, I've used NGINX and the ngx_http_secure_link_module to achieve this, which has worked great. If you try to access a media file directly, you get a 403 access denied error. But with a valid signed URL...
emample.com/media/audio.mp3?expires=[1 hour]&signature=[SHA2(filename+expiration+secret)]
...access is granted.
But I'm using IIS now, and I'm wanting to achieve the same thing. I've tried using ASP code with the URL rewrite module, where I'd create an empty media folder with an ASP page to process requests, store all media in an offline folder, and use the rewrite module to spoof URLs.
For example...
emample.com/media/audio.mp3?expires=[1 hour]&signature=[SHA2(filename+expiration+secret)]
...would rewrite to a page called "stream.asp". I'd check the signature, return an error if it was incorrect, but otherwise I'd change the content type property to match that of the file, then do a binary stream from the offline folder where the real file is stored.
This worked fine for documents, but for audio and video, it was sluggish, and you couldn't skip the content back and forth. I'm sure I could have adjusted the code to have made this possible, but accessing files this way put a lot of strain on IIS.
What I'm looking for is a simple URL check in IIS that either grants access to a file or denies it based on a URL signature check.
Does anybody know of an IIS module that can do this? Or perhaps it's even possible to use the URL Rewrite module to achieve this?

Related

Joomla malicious file upload and cross site scripting

My site is under security audit to get the security certification. After audit they gave me two security issues to look at.
Stored Cross Site Scripting: The application must implement server side validation for all user-entered inputs. Only expected values should be accepted. Script tags should be rejected. All user inputs should be sanitized.
Malicious File Upload
I have added the at filter tags in Joomla global configuration text filters. And also though I have clearly stated for all file upload elements to only use .jpg,.jpeg,.png extensions, I can still upload .php extension files.
How can we rectify these two issues?
Regards
Use the defines.php file to clean the POST data before it reaches the Joomla site, and block any request with $_FILES in it.
If your website needs to allow users to upload files, then make sure that these files only consist of specific file types, and, if you don't need the external world to have access to these files, then block access to these files (in the folder you have them uploaded to) using an htaccess rule.

How to prevent users from browsing certain files of my website

I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.

codeigniter controlled access to a url/folder

I am stuck at the situation where I want the url, which contains a folder having some files (html, swf etc.), to be accessible after I validate the user.
For example.
The url to access is:
A - http://mysite.com/files/version/1/file.swf
And this above url is accessible from the link,
B - http://mysite.com/view/1
I have implemented a way to hide the URL A from a normal user but if the user somehow is a semi-techie person then he can know the swf file location from firebug or other tools. So, to make the access-to-file secure what should I do?
If a user somehow knows the first url(A) and then enters it in browser, i have to check if the user is logged-in and if validation is done it lets the url A to be loaded.
Since, in CI, the controller names cannot be named same as the folders in the root directory, in this case i cannot have a controller called “files”. So, the only option left to make this secure access to url work is to use htaccess rule/cond. If this is the only option, then how can it be achieved by htaccess and if not, then what other options do i have.
Will the codeigniter's URI Routes work because when i tried like this:
$route[‘files/version/1/(:any)’] = “view/$1”;
and it doesnt work, maybe because there is no controller/function/param as files/versions/1 ...
looking for quick help. Thanks
There isn't a sure-fire way to do it without, for example, using .htpasswd.
One thing you could implement is sort of "Security by Obscurity". In that case you could redirect all requests to a file to the URL http://mysite.com/view/file-id and then instead of loading the requested file directly, you would load a .php template with the appropriate headers - be it an image, a flash file or anything else.
But it really depends on how the files are going to be managed, since every file will need an entry in the database and you would have to output different headers for different types of files. And if someone still manages to guess the path to the file, it will be directly accessible.

How to move pages around and rename them while not breaking incoming links from external sites that still use the poorly formed URLs

update
Here is the situation:
I'm working on a website that has no physical folder structure. Nothing had been planned or controlled and there were about 4 consecutive webmasters.
Here is an example of an especially ugly directory
\new\new\pasite-new.asp
most pages are stored in a folder with the same name as the file, for maximum redundancy.
\New\10cap\pasite-10cap.asp
\QL\Address\PAsite-Address.asp
each of these [page directories]? (I don't know what else to call them) has an include folder, the include folder contains the same *.inc files in every case, just copied about 162 times for each page directory. The include folder was duplicated so that the
<!--#include file="urlstring"--> would work correctly due to lack of understanding of relative paths, and the #inclue virtual directive or using server.execute()
Here is a picture if my explanation was lacking.
Here are some of my limitations:
The site is written in ASP classic
Server is Windows Server 2003 R2 SP2 , IIS 6 (According to my resource)
I have no access to the IIS server
I would have to go through a process to add any modules or features to iis
What changes can I make that would allow me to move pages around and rename them while not breaking incoming links from external sites that still use the poorly formed URLs?
To make my question more specific.
How can I move the file 10cap.asp from \new\10cap\ to a better location like \ and rename the file to someting like saveourhomescap.asp and not break any incoming links and finally, not have to leave a dummy 10cap.asp page in the original location with a redirect to the new page.
Wow, that's a lot of limitations to deal with.
Can you setup a custom error page? If so you can add some code into a custom error page that would redirect users to the new page. So maybe you create a custom 404 page, and in that page you grab the query string variable and based on that send the user to the correct "new" page. That would allow you to delete all of the old pages.
Here is a pretty good article on this method: URL Rewriting for Classic ASP
Well, you have a lot of limitations and especially no access to the IIS server hurts. An ISAPI module for URL rewriting is not an option here (IIS) and equally a custom 404 page where you could read the referer and forward with a HTTP 301 won't work (IIS).
I would actually recommend you to go through the process and let them install:
An ISAPI URL rewriting module
or if that doesn't work (for any reason):
Let them point the HTTP 404 of your web to a custom 404.asp, read the referer and redirect with a HTTP 301 (Moved Permanently) to your new location.
If none of this is an option for you, I can think about another possibility. I haven't actually tried that so I'm not 100% sure if it will work, but in theory it sounds good ;)
You could make in your global.asa in the Session_OnStart event a Response.Redirect or change the header of your response to a HTTP 301. This will actually only work for new users and not fix real 404 errors. Sorry, for the pseudo code, but it's a while ago that I had anything to do with classic ASP and I think you'll get what I mean ;)
sub Session_OnStart
' here should be a Select Case switch or something like that
Response.Redirect("newlocation.asp")
' or if that will work, this would be better (again with switch)
Response.Status = "301 Moved Permanently"
Response.AddHeader "Location", "http://company.com/newlocation.asp"
end sub
Hope that helps.
I recommend using URL Rewrite for that, see the following blog about it, in particular "Site Reorganization":
http://blogs.msdn.com/b/carlosag/archive/2008/09/02/iis7urlrewriteseo.aspx
For more info about URL Rewrite see: http://www.iis.net/download/URLRewrite
You can try ISAPIRewrite since it's classic ASP + IIS6
http://www.isapirewrite.com/
They have a lite version which is free, probably good enough for your use.
urlrewrite will only work if you can install a dll on the server
one of these articles will help
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=qRR&q=url+rewrite+classic+asp&btnG=Search&aq=f&oq=&aqi=g-m1
basically you have to point 404 errors to an error page which will parse the incoming querystring / post info and redirect user to correct location with incoming parameters added.
variations on that theme will be found in the examples fro google.

Can I have 'friendly' url's without a URL rewriter in IIS?

Without having a url rewriter such as ISAPI_Rewrite available, is it possible to achieve the following:
I would like a user to browse to http://www.jjj.com/directory where /directory does not actually exist. IIS transfers the user to not-found.cfm.
At this point I can serve index.cfm i.e. http://www.jjj.com/directory/index.cfm.
The url will display just fine and the page loads even though the directory or index.cfm doesn't exist. However I'd like to be able to not have index.cfm in the url.
Ideal:
Page Request to http://www.jjj.com/directory
IIS loads not-found.cfm as the default 404 errorhandler.
Not found strips the CGI.query_string and uses cfswitches to funnel the user to the appropriate controller function. May use onMissingTemplate?
The page request never changes in the URL and the page loads transparently the user with 200 OK status
If a user requests http://www.jjj.com/directory/index.cfm I would 301 redirect to http://www.jjj.com/directory
Current:
Page Request to http://www.jjj.com/directory
IIS loads not-found.cfm as default 404 error handler.
Not found strips the CGI.query_string and uses cfswitches to funnel the user to the appropriate controller function.
The page request changes to http://www.jjj.com/directory/index.cfm with a 200 OK status
You're asking how to cut something but telling us you're not allowed to use a knife or anything resembling one.
Here's my only clever idea using onMissingTemplate().
GET /directory/
-> 404.cfm
-> <cfinclude template="#cgi.script_name#/special.cfm" />
-> fires onMissingTemplate() where you ignore the "special.cfm" bit and just use the rest of the requested path to figure out what controller to wire up to.
This is a kludgy hack, though, so I would try to avoid it myself. Maybe if you explain why ISAPI Rewriting isn't an option, then we might be able to help further.
You can tell IIS to have 404 and 403 errors execute a custom URL on your site (such as /urlhandler.cfm).
Then, you can parse the 'cgi.query_string' and route the application anyway you desire using cfinclude to simply include the correct 'template.cfm', or, you can reformat the input your framework is expecting, or, use a project like http://coldcourse.riaforge.org/.
Just one note, IIS will give you a URL that looks like this: '404;http://yoursite.com/the/url/you/wanted/to/route'.
Is IIS7 on the approved list of software? That can get you native url rewriting and side-step the whole issue.
Second option -- my CFM voodoo is rusty, but I think you can setup IIS6 to look for a CFM page (like you are doing) but then step in at the application level and do the url rewriting/repointing before it actually hits the 404 page.
Another way around it -- find an ISAPI url rewriter that is, say, under the MIT license. Build your own copy. Then have them install that as part of your software package.

Resources