
file access from a webserver - obscuring enough?


sixstringartist

Newbie

Posts: 3

Joined: Sun Apr 26, 2009 4:35 pm

Post Sun Apr 26, 2009 6:14 pm

file access from a webserver - obscuring enough?

I have a website that acts as a file server for another website but I only want users of the other website to access the files. My site is blank and has no mentioning of these files. Is that enough or is it possible for someone to get my website to tell them what files it has?

venom77


Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sun Apr 26, 2009 7:54 pm

Re: file access from a webserver - obscuring enough?

Security through obscurity is not typically recommended.

If the files are there, Internet-accessible, there will always be potential for someone to access them.

If you only want Server A and Server B to share the files, I would suggest you look into some sort of PKI implementation to encrypt the data that's shared so that only those servers can access it.

BillV

sixstringartist

Newbie

Posts: 3

Joined: Sun Apr 26, 2009 4:35 pm

Post Sun Apr 26, 2009 8:49 pm

Re: file access from a webserver - obscuring enough?

The other server acts as access control, permitting only certain users visibility to the links to the files on my server. These users connect directly to me to stream the files. My only concern is if there is a way to make my server tell others exactly what the filenames are enabling them to d/l freely. Is that a possibility?

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Apr 26, 2009 9:12 pm

Re: file access from a webserver - obscuring enough?

I don't see why someone wouldn't be able to access the file on your server.  You didn't mention anything that would prevent that. 
~~~~~~~~~~~~~~
Ketchup

sixstringartist

Newbie

Posts: 3

Joined: Sun Apr 26, 2009 4:35 pm

Post Sun Apr 26, 2009 9:30 pm

Re: file access from a webserver - obscuring enough?

You are correct, anyone can download the files, but the links are embedded in another website with access restrictions. For this application, this is "enough" security for us so long as someone cannot easily get the server to reveal the files it has available for download. That is really what I'm trying to determine. I'm not an expert with Apache so I don't know if what I'm asking is possible.

jimbob

Post Mon Apr 27, 2009 4:15 am

Re: file access from a webserver - obscuring enough?

At the very least you could consider using basic HTTP authentication. This would require setting up a .htaccess and .htpasswd file on the webserver (assuming you're using apache).

http://httpd.apache.org/docs/2.0/howto/auth.html

It's worth having a look at basic auth since it's fairly easy to get the hang of and implement.

This comes with the caveat that it's not a robust security mechanism but it's much better than using 'secret' URLs. They can too easily fall prey to insecure anonymous FTP browsing (I've seen this on some ISPs), mod_speling (http://httpd.apache.org/docs/2.0/mod/mod_speling.html) and other common features and pitfalls.

Jimbob

timmedin


Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Mon Apr 27, 2009 10:49 am

Re: file access from a webserver - obscuring enough?

This would bump up the security a bit, but not totally prevent unauthorized access, if you edited your .htaccess file on the file server and only allowed access if the referrer was your other site.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com [NC]
RewriteRule .* - [F]
twitter.com/timmedin | http://blog.securitywhole.com

jimbob

Post Tue Apr 28, 2009 5:07 am

Re: file access from a webserver - obscuring enough?

timmedin wrote: This would bump up the security a bit, but not totally prevent unauthorized access, if you edited your .htaccess file on the file server and only allowed access if the referrer was your other site.


One thing to remember is that the referrer header is sent by the client i.e. the web browser. It therefore cannot be trusted as a security token. That said it is an additional barrier and I'm all for defense in depth  :)

Jimbob
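Putting the thread's advice together in one place: the .htaccess below is an added example, not configuration posted by jimbob, timmedin or anyone else in this thread. It covers the original question (stop Apache from listing or guessing filenames) with Options -Indexes and CheckSpelling Off, uses Basic authentication as the primary control, and keeps the referrer rewrite only as a secondary barrier. The hostname partner.example.com, the password file path /etc/apache2/.htpasswd and the realm name "Media files" are placeholders for this example.

```apache
# Added example .htaccess for the directory that holds the streamed files
# (not from any poster in this thread). Hostname, realm and file paths are
# placeholders; adjust them for your server.

# 1. Never let Apache list the directory. Without this, a request for the
#    bare directory URL can return every filename in it.
Options -Indexes

# 2. Keep mod_speling from "correcting" a near-miss URL into a real filename.
<IfModule mod_speling.c>
    CheckSpelling Off
</IfModule>

# 3. Primary control: HTTP Basic authentication. Create the password file
#    outside the document root, e.g. `htpasswd -c /etc/apache2/.htpasswd alice`,
#    and serve the directory over HTTPS, since Basic auth only base64-encodes
#    the credentials on the wire.
AuthType Basic
AuthName "Media files"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

# 4. Secondary control, defense in depth only: refuse requests whose Referer
#    is not the partner site. The client sets this header, so treat the rule
#    as a hotlinking deterrent rather than an access control.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?partner\.example\.com/ [NC]
RewriteRule .* - [F]
```

For the file to take effect, the directory's <Directory> block in the main server configuration needs AllowOverride to include at least AuthConfig, Options and FileInfo; with AllowOverride None the whole .htaccess is silently ignored, so test by requesting the directory URL and one file URL without credentials and confirming both are refused.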
