Launch local folder from XPSP2+ / IE8 - security

We've got an intranet which normally serves all info/documents that apply to the whole company (employee handbooks, minutes, etc...)
Most of these work by having the web server parse a folder and present the files to the user.
The problem in this case is that the latest folder is restricted to certain users. As Kerberos is not currently an option, I was planning to side-step the issue and just insert a link which opens up a UNC path:
file://\Server\SecureFolder\
I've just found out that since XPSP2 this hasn't been possible with standard HTML/JS.
Does anyone know of another way this can be done? It's internal so I've got a lot of control over the webserver (but domain config changes will have to be justified).
I'm wondering if there's something like .Net or an ActiveX [shudder] solution or similar?
Thanks in advance for any help.

Seems the solution was to do it without Javascript and without the file://
The following works:
Link

Related

Serving file:// files to users

Currently I'm building a local search engine for network drives that is going to be used in our company.
The search engine is built on top of Solr and Tika. I've built an indexer that indexes Samba shares over the network, which works great and indexes all the directories that are given in a configuration file. However, that is not really relevant.
The current problem we have is that the web interface that connects to Solr and delivers the search results will try to serve local file:// files that are links to the files with an absolute or Samba path. But serving file:// links is of course disallowed by browsers like Google Chrome. The error that Chrome gives is:
Not allowed to load local resource: file:///name/to/file.pdf
Which is obvious and logical, however I want to work around that issue and serve 'local' files to our users. Or at least open an Explorer window with the given path.
I was wondering if this is even possible or if there is a workaround available? The server that is going to serve these files is running on Apache or Tomcat (doesn't matter).
Although opening file:// links seems pretty much impossible without the use of browser-specific plugins, I created a workaround by specifying a custom URI handler combined with a Windows-specific application that will open explorer.exe with the given directory.
This is by far not the ideal answer to my question, but I think it is a decent workaround for an intranet search application.
Streaming the file from your application to the browser is a much better idea from a usability and security perspective.
By assigning a MIME type to the stream, the user's browser can decide how best to open and display the file to the user.
By streaming from your application, control of the data can be maintained. The location of the file on your server is not revealed and proper authentication, authorization and auditing are easily achieved.
Assuming Java based upon your use of Solr and Tika:
http://www.java-forums.org/blogs/servlet/668-how-write-servlet-sends-file-user-download.html
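The streaming approach from the answer above, sketched as an added example (not code from the original posts, and in Python rather than the Java the answer assumes). The names `open_document`, `index` and `acl` are hypothetical: the search index stores opaque document ids, so the client never sees a server path, and every decision is written to an audit log.

```python
import logging
import mimetypes
import os
import tempfile

audit = logging.getLogger("doc-audit")   # hypothetical audit logger name

class Denied(Exception):
    """Raised for any request that must not be served."""

def open_document(doc_id, user, index, acl, root):
    """Return (mime_type, file_object) for doc_id, or raise Denied.

    index maps opaque ids to paths relative to root; acl maps ids to the
    set of users allowed to read them. Both are assumptions of this sketch.
    """
    rel = index.get(doc_id)
    if rel is None or user not in acl.get(doc_id, set()):
        audit.warning("DENY user=%s doc=%s", user, doc_id)
        raise Denied(doc_id)
    root_real = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root_real, rel))
    # A bad index entry or a symlink must not escape the share root.
    if os.path.commonpath([root_real, path]) != root_real or not os.path.isfile(path):
        audit.warning("DENY user=%s doc=%s reason=outside-root", user, doc_id)
        raise Denied(doc_id)
    mime = mimetypes.guess_type(path)[0] or "application/octet-stream"
    audit.info("SERVE user=%s doc=%s type=%s", user, doc_id, mime)
    return mime, open(path, "rb")

def demo():
    """Constructed sample data: one share root and two index entries."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "handbook.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample")
    index = {"d1": "handbook.pdf", "d2": "../outside.txt"}
    acl = {"d1": {"alice"}, "d2": {"alice"}}
    results = {}
    for user, doc in [("alice", "d1"), ("bob", "d1"), ("alice", "d2"), ("alice", "nope")]:
        try:
            mime, fh = open_document(doc, user, index, acl, root)
            with fh:
                results[(user, doc)] = (mime, fh.read(4))
        except Denied:
            results[(user, doc)] = "denied"
    return results
```

In a web handler the returned MIME type goes into the `Content-Type` header and the file object is copied to the response body.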

not able to access mywebsite in webbrowser

My website opens with the IP address xx.xxx.xxx.xxx. Until Friday it was working fine; afterwards I am not able to view the site in a web browser. What could be the problem? How can we solve it?
My server with this IP is working and I am able to view the updated data in the database, but I am not able to view or open the pages of the website. Before this, the website under the IIS configuration was stopped and has now been started again; still no use. I couldn't view the login page at all. My application was developed in classic ASP long ago. Kindly give me any suggestion on this; it's very urgent.
I tried browsing the website in IIS Manager (on the server). It shows "page cannot be displayed".
Thanks in advance.
First, Don't Panic. Staying calm can avoid further damage.
While it's hard to tell what could be the problem, the first thing you can do is to "ping" the domain from a terminal. Can you log in remotely? "wget" (on Linux) will download the files from the website, and could help you see if the files on the site are still accessible. Check from different browsers or machines, if possible. I'm no expert in ASP or IIS, so I won't advise on that front. But once I faced the same situation with my website. So I just called up the hosting service provider, and it turned out it was their problem, and they brought the server online. If it's okay from their end, you might have changed some configurations in your server or application, or there might have been some upgrade changing parameters, or even an accidental deletion, moving or renaming of files. Just try to remember what things you did with your server and application before it went down, and also ask your server administrator. That will surely help you understand the problem better, if not help to solve it right away.
Good Luck.

format the page showing files of a directory of a website?

Can I format the page showing files of a directory of a website?
I'm pretty sure you can buddy :)
Seriously, please better specify your question. Do you mean something like getting a directory index from other websites or doing it in your own ?
For other websites, it depends on their web server configuration. For your web server, if you are using Apache, you could set the option Indexes to do that.
mod_autoindex should do the trick.
http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

Ideas for launching an installed app from a webpage

I am thinking about having the following use-case:
1. User installs application on local machine.
2. User goes to our website, and is presented with many links (choices).
3. User clicks on a link.
4. Application starts, with some information contained within the link passed to the application.
Step 4 is obviously a security minefield. The end goal is that the user makes a choice, and if the application is installed, it starts with some information passed to it (i.e. command line parameters, or perhaps a temp file somewhere on the user's machine).
Can I/ Should I access the registry from javascript? Are there any ideas about how I might go about this? Do you have an alternative suggestion?
Assuming the applications the user installs are also developed by you.
Register a file extension for use by the specific application - then your web links can be links to a file that is downloaded and auto-run by your app. The file could contain details on the defaults for your app to use.
Sort of like how clicking on a .pdf file opens your pdf reader.
As an alternative to the file-extension solution you may want to know about the Custom Application Protocol feature. The link is for Windows but there are nearly the same techniques on other systems. I can't say if this approach works in every browser but you may want to try it out.
Accessing the registry from JavaScript inside a browser is nigh on impossible for the security implications. To access the registry from the web, I'd imagine you'd have to use a binary (C++ or others) program that can read the registry, but also has an HTTP module to communicate with your server.
Sounds like you might need the ClickOnce deployment feature for your app. I think once it's installed over HTTP there should be a pretty easy way to launch an executable.
http://en.wikipedia.org/wiki/ClickOnce
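A custom protocol handler, as suggested in this thread and used in the explorer.exe workaround earlier on this page, receives a string chosen by whatever page the user clicked on, so the handler has to validate it before acting. The following is an added example, not code from the original posts; the protocol name `intranet-open` and the function names are hypothetical, and the allowed root is the UNC share named earlier on the page.

```python
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlsplit

SCHEME = "intranet-open"   # hypothetical protocol name registered for the app
ALLOWED_ROOTS = [PureWindowsPath(r"\\Server\SecureFolder")]  # share named on this page
# Characters with special meaning to cmd.exe or Win32 path parsing.
FORBIDDEN = set('"<>|*?%&^\r\n\t')


def target_from_uri(uri):
    """Return the PureWindowsPath the handler may open, or None to refuse."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return None
    if parts.scheme != SCHEME or parts.netloc != "open":
        return None
    values = parse_qs(parts.query).get("path", [])
    if len(values) != 1:
        return None          # missing or repeated parameter
    raw = values[0]          # parse_qs has already percent-decoded this once
    if FORBIDDEN & set(raw):
        return None
    if ".." in raw.replace("/", "\\").split("\\"):
        return None          # no climbing out of the share
    path = PureWindowsPath(raw)
    for root in ALLOWED_ROOTS:
        # Component-wise comparison, so \\Server\SecureFolderOld does not match.
        if path == root or root in path.parents:
            return path
    return None


def explorer_argv(uri):
    """Build an argv list (no shell involved) or return None if refused."""
    path = target_from_uri(uri)
    return None if path is None else ["explorer.exe", str(path)]
```

The argv list is meant to be passed to a process-launch API that takes arguments as a list, so the path is never re-parsed by a shell.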

How do you globally modify page output sent from IIS without modifying the page source?

A couple sites of mine recently got "hacked". Someone was able to add a line of JavaScript to the bottom of every page on the site.
The server is a Windows Server 2003, and has Cold Fusion 8 and MySQL 5.x installed and running.
Looking into the code on each page shows that none of the pages were modified. The JavaScript is not in the code files themselves. This leads me to believe it is an IIS problem, but I am unsure and cannot find anything that would be able to do this within IIS.
The JavaScript being added redirects a user to another page only when they come from Google, or at least it appears to work this way.
Any help on how someone was able to accomplish this as well as removing it would be greatly appreciated.
Another way to word the question thanks to #Jeffrey Hantin
How do you systematically modify output from IIS without modifying individual pages?
EDIT: A bit more testing has shown that only the .cfm pages add the extra javascript. Added a new .cfm and the js was there but a .html did not have it.
Edit2: Turns out to have been a ColdFusion problem after all. Somehow OnRequestEnd.cfm pages were created on the sites, and they added that JS.
Looks like someone exploited some of the latest Adobe CF vulnerabilities.
Please see these blog posts for details and try to search symptoms on your server:
Image upload
FCKEditor bug + this post
Hope this helps.
Turns out to have been a ColdFusion problem after all. OnRequestEnd.cfm pages were created on the sites, and they added that JS.
If you only want to use IIS to modify output, the ISAPI filter is probably the best answer. If you would like to use ColdFusion, you could utilize the application.cfc to modify output during certain parts of the request cycle or wrap all of your pages in a Custom Tag to consolidate the like portions of your page templates.
I have used both. In cases where my page headers and footers are all the same, the custom tag is fast and easy to use. To make changes to all the pages, you edit one custom tag file. In cases where I have a more complicated web application I'll use the application.cfc to store and insert common components where they are needed.
They might have guessed your password. You should change it immediately.
It's possible that an ISAPI filter is used to do this. I once used one myself to perform compression before IIS supported it natively.
In your specific situation, you may want to check for ISAPI filters you don't want installed. Of course, if your server has been compromised, you will likely be better off rebuilding from a known good image rather than trying to fix it in situ.
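The root cause reported in this thread was an OnRequestEnd.cfm file that appeared in the sites and appended script to every .cfm response. The following added example (not code from the original posts) walks a web root and reports such auto-run templates with their age and simple script markers; the function names and the marker heuristics are assumptions of this sketch.

```python
import os
import re
import tempfile
import time

# Templates ColdFusion processes automatically around page requests;
# OnRequestEnd.cfm is the one named in the thread.
AUTO_TEMPLATES = {"onrequestend.cfm", "application.cfm", "application.cfc"}
# Heuristic markers: inline script, or logic keyed on the referrer.
MARKER_RE = re.compile(rb"<\s*script\b|document\.referrer|cgi\.http_referer", re.I)


def scan_webroot(webroot, recent_days=30, now=None):
    """Return one finding per auto-run template found under webroot."""
    now = now or time.time()
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() not in AUTO_TEMPLATES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read(1_000_000)   # cap the read for very large files
            markers = {m.group(0).lower().decode() for m in MARKER_RE.finditer(body)}
            findings.append({
                "path": os.path.relpath(path, webroot),
                "recent": (now - os.path.getmtime(path)) < recent_days * 86400,
                "markers": sorted(markers),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed web root: one ordinary page and one planted template."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site1"))
    with open(os.path.join(root, "site1", "index.cfm"), "w") as f:
        f.write("<cfoutput>Hello</cfoutput>")
    with open(os.path.join(root, "site1", "OnRequestEnd.cfm"), "w") as f:
        f.write('<script>if(document.referrer.indexOf("google")>=0){}</script>')
    return scan_webroot(root)
```

A template that the application legitimately uses will also be listed, so compare each finding against source control or a known good backup.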
