
Open file stored in server

9/30/2014 10:35:51 AM
ASPRunnerPro General questions
M
marcove author

Hi
Using ASP Runner, I have a folder (absolute path) where I store images (PDF) related to a single record in the DB.
I found a security hole when I open these files from the list page: if I copy the hyperlink that the application (ASP Runner) uses to retrieve the image from the store (e.g. http://test/download.asp?table=CassettoDigitaleDoc&field=Doc&key1=64) from the list.asp page, and I manually change the value of key1=, I can open files related to other records that are not mine.
What can I do to protect my data? May I use another solution/method in ASP Runner?
Thank you

M

mperry622 9/30/2014



> Hi
> Using ASP Runner, I have a folder (absolute path) where I store images (PDF) related to a single record in the DB.
> I found a security hole when I open these files from the list page: if I copy the hyperlink that the application (ASP Runner) uses to retrieve the image from the store (e.g. http://test/download.asp?table=CassettoDigitaleDoc&field=Doc&key1=64) from the list.asp page, and I manually change the value of key1=, I can open files related to other records that are not mine.
> What can I do to protect my data? May I use another solution/method in ASP Runner?
> Thank you
>
> M


For one, you should not have your web server set to list.
For two, you need to use the security feature: if this image belongs to another user it will not allow them to pull it up.
Under Security > Advanced, "allow users to see and change others' data". You will need something that identifies users, like an ID number that ties to them.

lefty 10/1/2014

Use Advanced security for this purpose and put the files folder outside your root in a private folder. In ASPRunner that is what the mfhandler file can do for you.

    if not bValue(isPDF) then
        add_nocache_headers
    end if

    asp_include "include/" & CSmartStr(GetTableURL(strTableName)) & "_variables.asp", true

    ' @BUILDER.bCreateLoginPage## is an ASPRunner build-time template directive, not VBScript:
    ' the block below is generated only when the project has a login page enabled.
    if IsEqual(requestAction, "POST") then
        ' adding/editing: the caller needs Add or Edit permission for this table
        havePermission = bValue(CheckSecurity(Session("_" & CSmartStr(strTableName) & "_OwnerID"), "Add")) _
            or bValue(CheckSecurity(Session("_" & CSmartStr(strTableName) & "_OwnerID"), "Edit"))
    else
        ' viewing/downloading: the caller needs Search permission for this table
        doAssignmentByRef havePermission, CheckSecurity(Session("_" & CSmartStr(strTableName) & "_OwnerID"), "Search")
    end if

    ' not logged in (except on the register page) or no permission: bounce to login
    if (not bValue(isLogged()) and not IsEqual(pageType, PAGE_REGISTER)) or not bValue(havePermission) then
        asp_header "Location: login.asp"
        response.end
    end if

I have had this problem before with being able to type the URL. So an absolute path into a private folder and Advanced security should do this.
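The point of lefty's answer is that the download handler itself has to check, on every request, that the key1 the browser sends belongs to the logged-in user, and that the files sit outside the web root so the handler is the only way in. The following is an added example, not ASPRunner's code, that models that check in Python: the table contents, the PRIVATE_ROOT location and the function names are all constructed assumptions for the example. It also covers the case the thread does not mention, a stored file name that tries to point outside the private folder.

```python
"""Per-record authorization for a file download endpoint.

Added example modelling the download.asp?table=...&field=...&key1=... handler
discussed in the thread. The caller supplies a record key; the server resolves
it to a stored file and must refuse unless the logged-in user owns that record.
All names and data here are constructed for the example and are not ASPRunner's
API or code.
"""
from pathlib import Path

# Files live outside the web root so they can only be reached through this check.
PRIVATE_ROOT = Path("/srv/app-private/files")  # assumed location

# Constructed stand-in for the CassettoDigitaleDoc table: key1 -> owner, stored file
RECORDS = {
    64: {"OwnerID": "alice", "Doc": "64_contract.pdf"},
    65: {"OwnerID": "bob", "Doc": "65_invoice.pdf"},
    66: {"OwnerID": "alice", "Doc": "../../etc/passwd"},  # hostile stored name
}


class Forbidden(Exception):
    """The caller is not allowed to read this record's file."""


class NotFound(Exception):
    """No such record (reported like a missing file, not as 'belongs to someone else')."""


def resolve_download(session_user, key1, allow_others=False):
    """Return the absolute path to serve for key1, or raise Forbidden/NotFound.

    session_user  -- authenticated user id from the session, None when not logged in
    allow_others  -- models the ASPRunner "allow users to see and change others'
                     data" switch; True reproduces the hole described in the thread
    """
    if session_user is None:
        raise Forbidden("login required")
    try:
        key = int(key1)
    except (TypeError, ValueError):
        raise NotFound("malformed key1") from None
    record = RECORDS.get(key)
    if record is None:
        raise NotFound(f"no record {key}")
    # Object-level authorization: key1 is user-controlled, so ownership has to be
    # verified on every request, not only when the link is rendered in list.asp.
    if not allow_others and record["OwnerID"] != session_user:
        raise Forbidden(f"record {key} belongs to another user")
    # Do not trust the stored file name to stay inside the private folder either.
    path = (PRIVATE_ROOT / record["Doc"]).resolve()
    if PRIVATE_ROOT.resolve() not in path.parents:
        raise Forbidden("stored file name escapes the private folder")
    return path


def decide(session_user, key1, allow_others=False):
    """Map the outcome to a (status, detail) pair, as a handler would map to HTTP codes."""
    try:
        return "allow", str(resolve_download(session_user, key1, allow_others))
    except Forbidden as exc:
        return "forbidden", str(exc)
    except NotFound as exc:
        return "not_found", str(exc)


if __name__ == "__main__":
    for user, key in [("alice", "64"), ("bob", "64"), (None, "64"), ("alice", "66")]:
        print(user, key, decide(user, key))
```

The ownership comparison is the piece that ASPRunner's Advanced security "allow users to see and change others' data" switch turns on or off; with `allow_others=True` the example behaves exactly like the vulnerable link in the question, where editing key1 yields another user's file. Returning "not found" for unknown keys rather than "forbidden" avoids confirming which keys exist.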

M
marcove author 10/2/2014



> For one, you should not have your web server set to list.
> For two, you need to use the security feature: if this image belongs to another user it will not allow them to pull it up.
> Under Security > Advanced, "allow users to see and change others' data". You will need something that identifies users, like an ID number that ties to them.

M
marcove author 10/3/2014



> Use Advanced security for this purpose and put the files folder outside your root in a private folder. In ASPRunner that is what the mfhandler file can do for you.
>
>     if not bValue(isPDF) then
>         add_nocache_headers
>     end if
>
>     asp_include "include/" & CSmartStr(GetTableURL(strTableName)) & "_variables.asp", true
>
>     ' @BUILDER.bCreateLoginPage## is an ASPRunner build-time template directive, not VBScript:
>     ' the block below is generated only when the project has a login page enabled.
>     if IsEqual(requestAction, "POST") then
>         ' adding/editing: the caller needs Add or Edit permission for this table
>         havePermission = bValue(CheckSecurity(Session("_" & CSmartStr(strTableName) & "_OwnerID"), "Add")) _
>             or bValue(CheckSecurity(Session("_" & CSmartStr(strTableName) & "_OwnerID"), "Edit"))
>     else
>         ' viewing/downloading: the caller needs Search permission for this table
>         doAssignmentByRef havePermission, CheckSecurity(Session("_" & CSmartStr(strTableName) & "_OwnerID"), "Search")
>     end if
>
>     ' not logged in (except on the register page) or no permission: bounce to login
>     if (not bValue(isLogged()) and not IsEqual(pageType, PAGE_REGISTER)) or not bValue(havePermission) then
>         asp_header "Location: login.asp"
>         response.end
>     end if
>
> I have had this problem before with being able to type the URL. So an absolute path into a private folder and Advanced security should do this.


Thank you John,
I already use an absolute path.

Just a question about where I need to put this code.
Please could you explain it?
Regards

M