Comments on: Secure downloads

By: John

John — Tue, 30 Nov 1999 00:00:00 +0000

Dont suppose it would be possible to get this code I am trying to do something similar but am new to php etc.I want clients to be able to download a file after they have gone through an order process.

would this work or does anyone know of a script that would.

Thanks John

By: Hadley

Hadley — Tue, 30 Nov 1999 00:00:00 +0000

It’s fairly easily to fake a referrer. How does your server know what page I last visited? The browser I’m using sends a http referer header saying where I came from. Obviously the browser doesn’t need to tell the truth.

I think a more secure way would be thave an array of downloadable files, and then specify numerically which one to download.

Hadley

By: Jennifer

Jennifer — Tue, 30 Nov 1999 00:00:00 +0000

actually - since it’s checking for the referrer first - how would this even be possible? How does one “fake” a referrer?

By: Jennifer

Jennifer — Tue, 30 Nov 1999 00:00:00 +0000

Ahh.. good point.
Would you just strip them out? (therefore causing the hack to just have an error?)
or if they’re in there, it means it’s a hack attempt - so just forward the person out to someother page…?

By: Jason D-

Jason D- — Tue, 30 Nov 1999 00:00:00 +0000

What you need to parse for in the requested file var is .. since someone could post a link in any dynamically generated portion of the site to circumvent the referer check and start traversing the tree on the server and picking up different important OS files and having them sent to them. In the example code you have I could post

../../../../etc/passwd as my requested download and have it send me your passwd file and see who’s got login accounts on your box and start attacking them.

By: Jayant

Jayant — Tue, 30 Nov 1999 00:00:00 +0000

In that case you can have added security by not disclosing the filename
as in
header(”Content-Disposition: attachment; filename=\”$p\”");

instead have
//
code here to get only the file extension of $p
stored in $ext
//
header(”Content-Disposition: attachment; filename=\”".rand().”.$ext\”");

make sure you do srand() with timestamp, to generate a unique random number each time. they will think the file name as this

By: Jennifer

Jennifer — Tue, 30 Nov 1999 00:00:00 +0000

The problem(s) I had (that’s really what the solution above is for) was a) it was on a windows server b) the downloads had to be purchased first/were for customers only.

By: Jayant

Jayant — Tue, 30 Nov 1999 00:00:00 +0000

You can also protect files (from non referers) using the process of hot-linking, requires apache.

This can apply to all images (image protection), direct linking to pages/files you dont want ppl to directly link

By: Jennifer

Jennifer — Tue, 30 Nov 1999 00:00:00 +0000

If anyone needs it - I can “clean up” this code so it’s usable to more than just me. Let me know…