Author Topic: file access from a webserver - obscuring enough?  (Read 5530 times)
sixstringartist
« on: April 26, 2009, 06:14:23 PM »

I have a website that acts as a file server for another website, but I only want users of the other website to access the files. My site is blank and has no mention of these files. Is that enough, or is it possible for someone to get my website to tell them what files it has?

BillV
« Reply #1 on: April 26, 2009, 07:54:01 PM »

Security through obscurity is not typically recommended.

If the files are there, Internet-accessible, there will always be potential for someone to access them.

If you only want Server A and Server B to share the files, I would suggest you look into some sort of PKI implementation to encrypt the data that's shared so that only those servers can access it.

BillV

sixstringartist
« Reply #2 on: April 26, 2009, 08:49:50 PM »

The other server acts as access control, permitting only certain users visibility to the links to the files on my server. These users connect directly to me to stream the files. My only concern is if there is a way to make my server tell others exactly what the filenames are, enabling them to d/l freely. Is that a possibility?

Ketchup
« Reply #3 on: April 26, 2009, 09:12:35 PM »

I don't see why someone wouldn't be able to access the file on your server. You didn't mention anything that would prevent that.

~~~~~~~~~~~~~~
Ketchup

sixstringartist
« Reply #4 on: April 26, 2009, 09:30:37 PM »

You are correct, anyone can download the files, but the links are embedded in another website with access restrictions. For this application, this is "enough" security for us so long as someone cannot easily get the server to reveal the files it has available for download. That is really what I'm trying to determine. I'm not an expert with Apache so I don't know if what I'm asking is possible.

jimbob
« Reply #5 on: April 27, 2009, 04:15:07 AM »

At the very least you could consider using basic HTTP authentication. This would require setting up a .htaccess and .htpasswd file on the webserver (assuming you're using Apache).

http://httpd.apache.org/docs/2.0/howto/auth.html

It's worth having a look at basic auth since it's fairly easy to get the hang of and implement.

This comes with the caveat that it's not a robust security mechanism but it's much better than using 'secret' URLs. They can too easily fall prey to insecure anonymous FTP browsing (I've seen this on some ISPs), mod_speling (http://httpd.apache.org/docs/2.0/mod/mod_speling.html) and other common features and pitfalls.

Jimbob
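
Added example, not part of the post above: a small Python check for the per-directory settings this thread is concerned with, run over a weak and a hardened config. The directive names (`Options`, `CheckSpelling`, `AuthType`, `Require`) are real Apache directives; the two sample configs, the `.htpasswd` path and the function names are constructed for illustration, and directory listings via `Options Indexes` are included as an assumption about what "the server revealing its files" usually means.

```python
# Flags settings in one .htaccess / <Directory> body that undermine "secret" URLs.
# Sample configs are constructed; they are not taken from the thread.

WEAK = """\
Options +Indexes +FollowSymLinks
CheckSpelling On
"""

HARDENED = """\
Options -Indexes
CheckSpelling Off
AuthType Basic
AuthName "Restricted files"
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user
"""


def parse(config_text):
    """Map lower-cased directive name -> argument string of its last occurrence."""
    directives = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def audit(config_text):
    """Return sorted finding names; settings inherited from parent configs are not seen."""
    d = parse(config_text)
    findings = []
    options = d.get("options", "").lower().split()
    if any(tok in ("indexes", "+indexes", "all") for tok in options):
        findings.append("directory-listing-enabled")  # mod_autoindex lists file names
    if d.get("checkspelling", "off").lower() == "on":
        findings.append("mod_speling-enabled")  # near-miss URLs get corrected
    require = d.get("require", "").lower()
    if "authtype" not in d or require in ("", "all granted"):
        findings.append("no-authentication")  # anyone holding a URL can fetch the file
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```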

timmedin
« Reply #6 on: April 27, 2009, 10:49:57 AM »

This would bump up the security a bit, but not totally prevent unauthorized access. If you edited your .htaccess file on the file server and only allowed access if the referrer was your other site.

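# Return 403 Forbidden unless the Referer header starts with the other site's URL.
# Dots are escaped and the host must be followed by "/" or the end of the string.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com(/|$) [NC]
RewriteRule .* - [F]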

twitter.com/timmedin | http://blog.securitywhole.com

jimbob
« Reply #7 on: April 28, 2009, 05:07:47 AM »

> This would bump up the security a bit, but not totally prevent unauthorized access. If you edited your .htaccess file on the file server and only allowed access if the referrer was your other site.

One thing to remember is that the referrer header is sent by the client, i.e. the web browser. It therefore cannot be trusted as a security token. That said it is an additional barrier and I'm all for defense in depth :)

Jimbob
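
Added example, not part of either post above: a Python model of the Referer rule discussed in the last two replies, showing which requests it would refuse under a loosely written pattern and under a tightened one. `yoursite.com` is the placeholder from the thread; the Referer values, the `LOOSE`/`STRICT` names and the helper functions are constructed for illustration.

```python
import re

# Python stand-ins for the RewriteCond pattern ([NC] -> IGNORECASE). LOOSE leaves the
# dots unescaped and stops at "com"; STRICT escapes them and requires "/" or end of string.
LOOSE = re.compile(r"^http://(www.)?yoursite.com", re.IGNORECASE)
STRICT = re.compile(r"^http://(www\.)?yoursite\.com(/|$)", re.IGNORECASE)

# Constructed Referer values; None models a request that carries no Referer header.
REFERERS = {
    "expected": "http://www.yoursite.com/members/files.html",
    "absent": None,
    "unrelated": "http://other.example/",
    "suffix-host": "http://yoursite.com.example.net/page",
    "dot-wildcard": "http://wwwXyoursite.com/",
}


def is_forbidden(pattern, referer):
    """Model `RewriteCond %{HTTP_REFERER} !pattern` followed by `RewriteRule .* - [F]`."""
    return pattern.search(referer or "") is None


def decisions(pattern):
    """Return {label: "403" or "served"} for every constructed Referer value."""
    return {
        label: "403" if is_forbidden(pattern, value) else "served"
        for label, value in REFERERS.items()
    }


if __name__ == "__main__":
    # The "expected" row is served whichever client supplied that string, and a
    # visitor whose browser or proxy omits the header ("absent") is refused.
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, decisions(pattern))
```

Both patterns serve the "expected" value because the server only ever sees the string the client chose to send, which is the limitation jimbob describes; the tightened pattern only narrows which strings count.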