limiting access to images/banning direct access

on 18.01.2008 19:39:39 by Boris Epstein

Hello everyone!

I have a PHP-based application (MediaWiki) installed on a Linux box
(CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
protected; however, even without logging in one can view our images
and documents by simply typing in the full URL to it.

So here is my question: is there a way to ban Apache from displaying
files that the user has not been redirected to following a legitimate
login?

Thanks in advance.

Boris.

Re: limiting access to images/banning direct access

on 18.01.2008 20:06:12 by Kees Nuyt

On Fri, 18 Jan 2008 10:39:39 -0800 (PST), Boris Epstein
wrote:

>Hello everyone!
>
>I have a PHP-based application (MediaWiki) installed on a Linux box
>(CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
>protected; however, even without logging in one can view our images
>and documents by simply typing in the full URL to it.

Which means it is not password protected.

>So here is my question: is there a way to ban Apache from displaying
>files that the user has not been redirected to following a legitimate
>login?

Two possibilities:
1- use wiki software with better protection

2- redirect to a PHP script which only sends the requested
document or image if the session belongs to a logged in
user, and redirect to the login page if it doesn't, or if
there is no session at all.
Details can be found in the PHP docs and with a search on
Google.

>Thanks in advance.
>
>Boris.

HTH
--
( Kees
)
c[_] The greatest of faults is to be conscious of none.
(Thomas Carlyle) (#304)

Re: limiting access to images/banning direct access

on 18.01.2008 20:47:15 by Boris Epstein

On Jan 18, 2:06 pm, Kees Nuyt wrote:
> On Fri, 18 Jan 2008 10:39:39 -0800 (PST), Boris Epstein
>
> wrote:
> >Hello everyone!
>
> >I have a PHP-based application (MediaWiki) installed on a Linux box
> >(CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
> >protected; however, even without logging in one can view our images
> >and documents by simply typing in the full URL to it.
>
> Which means it is not password protected.

Well, it is partially protected - the Wiki pages you cannot see
without logging in first. However, if you just type in something like:
http://the_site/images/h/h8/sample_file.pdf

you can read the PDF.

>
> >So here is my question: is there a way to ban Apache from displaying
> >files that the user has not been redirected to following a legitimate
> >login?
>
> Two possibilities:
> 1- use wiki software with better protection
>
> 2- redirect to a PHP script which only sends the requested
> document or image if the session belongs to a logged in
> user, and redirect to the login page if it doesn't, or if
> there is no session at all.
> Details can be found in the PHP docs and with a search on
> Google.

Neither will work - if you type in the full URL to the image/PDF file
you bypass both the Wiki and the PHP engine.

>
> >Thanks in advance.
>
> >Boris.
>
> HTH
> --
> ( Kees
> )
> c[_] The greatest of faults is to be conscious of none.
> (Thomas Carlyle) (#304)

Re: limiting access to images/banning direct access

on 18.01.2008 21:21:30 by Kees Nuyt

On Fri, 18 Jan 2008 11:47:15 -0800 (PST), Boris Epstein
wrote:

>On Jan 18, 2:06 pm, Kees Nuyt wrote:
>> On Fri, 18 Jan 2008 10:39:39 -0800 (PST), Boris Epstein
>>
>> wrote:
>> >Hello everyone!
>>
>> >I have a PHP-based application (MediaWiki) installed on a Linux box
>> >(CentOS 5, Apache 2.2.3, PHP 5.1.6). This application is password
>> >protected; however, even without logging in one can view our images
>> >and documents by simply typing in the full URL to it.
>>
>> Which means it is not password protected.
>
>Well, it is partially protected - the Wiki pages you cannot see
>without logging in first. However, if you just type in something like:
>http://the_site/images/h/h8/sample_file.pdf

That's what I mean: it's not protected.

>you can read the PDF.
>
>>
>> >So here is my question: is there a way to ban Apache from displaying
>> >files that the user has not been redirected to following a legitimate
>> >login?
>>
>> Two possibilities:
>> 1- use wiki software with better protection
>>
>> 2- redirect to a PHP script which only sends the requested
>> document or image if the session belongs to a logged in
>> user, and redirect to the login page if it doesn't, or if
>> there is no session at all.
>> Details can be found in the PHP docs and with a search on
>> Google.
>
>Neither will work - if you type in the full URL to the image/PDF file
>you bypass both the Wiki and the PHP engine.

Not if you rewrite all URLs that point to the protected
files to that particular PHP script. I'm sorry I
mistakenly wrote redirect where I meant rewrite.

Additional measures:
In some situations you can afford to move the protected
files outside the DocumentRoot, but in a content
management system like a wiki that might be hard to do,
because the functions to upload contents would fail.
So I didn't mention that one.


>> >Thanks in advance.
>>
>> >Boris.

Good luck!
--
( Kees
)
c[_] Prune: A plum that has seen better days. (#416)

Re: limiting access to images/banning direct access

on 19.01.2008 19:18:54 by spam

"Boris Epstein" wrote in message
news:1ce81d8d-9e2e-41e3-8a0a-923536f58a67@k39g2000hsf.googlegroups.com...
> So here is my question: is there a way to ban Apache from displaying
> files that the user has not been redirected to following a legitimate
> login?

Although it can be forged, you could check the HTTP_REFERER field to see if
the hostname it contains is your (virtual) host. If it's not, you should
probably serve a different resource in its place. This step should probably
be used in combination with other methods suggested.
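An added example (not code from this thread or from MediaWiki) of the approach Kees describes in his second reply, with the Referer hostname check from the last reply used only as a secondary signal: a gatekeeper script that Apache's mod_rewrite sends every /images/ request through, so the file is never served straight from disk. The RewriteRule shown in the comment, the script name serve.php, the upload directory and the session key wsUserID are assumptions; the syntax is kept PHP 5.x compatible to match the thread.

```php
<?php
// Apache side (assumed vhost or .htaccess fragment for the wiki):
//   RewriteEngine On
//   RewriteRule ^images/(.*)$ /serve.php?f=$1 [L,QSA]
// With this in place a direct URL such as /images/h/h8/sample_file.pdf no
// longer bypasses PHP: Apache hands it to this script, which decides.

session_start();

$imageRoot = realpath('/var/www/wiki/images');   // assumed upload directory

// 1. Primary gate: the request must belong to a logged-in session.
//    (wsUserID as the session key is an assumption for this example.)
if (empty($_SESSION['wsUserID'])) {
    header('Location: /index.php?title=Special:UserLogin', true, 302);
    exit;
}

// 2. Secondary, forgeable hint: if a Referer is present, its hostname should
//    be ours. Absent Referer is allowed, since browsers may strip it.
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($ref !== '' && parse_url($ref, PHP_URL_HOST) !== $_SERVER['SERVER_NAME']) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}

// 3. Path containment: resolve the requested name and require that it stays
//    inside the upload directory, which blocks ../ traversal.
$name = isset($_GET['f']) ? $_GET['f'] : '';
$file = realpath($imageRoot . '/' . $name);
if ($file === false || !is_file($file)
    || strpos($file, $imageRoot . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 4. Send the file with a conservative content type (small map; anything
//    unknown is sent as a download rather than rendered in the browser).
$types = array('pdf' => 'application/pdf', 'png' => 'image/png',
               'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif');
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
$type = isset($types[$ext]) ? $types[$ext] : 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($file));
header('X-Content-Type-Options: nosniff');
readfile($file);
```

Because the rewrite applies to all of /images/, the wiki's own upload and thumbnail functions keep writing to the same directory, which is why this works where moving files outside DocumentRoot would not.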