Preventing direct access to files in IIS 7 - pdf

I have a PHP application running on a Microsoft IIS 7 server. The application shows PDF files in an iFrame, which contain users' sensitive data that I wouldn't like to be directly accessible to anyone who knows the file address.
So basically, I'm looking for a way to protect files from direct browser access or download, but still be able to show it on the application's iFrame.
I did some research on rewrite rules, but since the "HTTP_REFERER" of an iFrame is empty, I couldn't find a good solution.
Any suggestions for this?
Thanks in advance

Without seeing any of your code, or how your application works, I can only give suggestions based on how I think your app works.
Rather than showing the files themselves, with links directly to those files, you should consider changing your application so that the PHP reads in the directory, displays the file names (however you want them to appear), with links that go to a download.php page. The download page (after checking whether the user has permission to download the file) then loads the file into memory and serves it out as a response (with appropriate Content-Disposition and Content-Type headers).
Since your PHP application can read files directly within the web directory, you can set up rewrite rules to prevent accessing those files from the web; that way, the files can only be accessed by the PHP application, which doesn't rely on rewrite rules to access the drive.
This is how places like Source Forge can display an advertisement with a countdown that your file download will begin in 5 seconds.
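To make that concrete, here is an added example of such a download.php (my own illustration, not the asker's application and not code from the answer above). It assumes the login code stored a user id in $_SESSION['user_id'], that the per-user file list $allowed stands in for a database lookup, and that the PDFs live in an assumed directory C:\pdfstore that IIS does not map to any URL. Storing the files outside wwwroot is the simplest alternative to the rewrite rules mentioned above: the web server cannot serve what it cannot reach, so only this script can hand the file out. Note that the iFrame request carries the session cookie even though it carries no Referer, which is why an authorization check in the script works where a HTTP_REFERER rule does not.

```php
<?php
// download.php - serve a PDF to the logged-in user that owns it, and to nobody else.
// Added example: session layout, $allowed and C:\pdfstore are assumptions.
declare(strict_types=1);

session_start();

// Assumed: the application's login code put the user id in the session.
$userId = $_SESSION['user_id'] ?? null;
if ($userId === null) {
    http_response_code(403);
    exit('Not logged in.');
}

// Assumed stand-in for a database table: which files each user may read.
// The important part is that the lookup is keyed by user AND file name.
$allowed = [
    42 => ['statement-2013-01.pdf', 'statement-2013-02.pdf'],
];

$name = $_GET['file'] ?? '';

// Accept only a plain .pdf file name: no slashes, backslashes or NUL bytes,
// so "..\..\web.config" style input is rejected before touching the disk.
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\.pdf\z/', $name)) {
    http_response_code(400);
    exit('Bad file name.');
}

if (!in_array($name, $allowed[$userId] ?? [], true)) {
    // 404 rather than 403 if you do not want to confirm the file exists.
    http_response_code(403);
    exit('Forbidden.');
}

// Assumed storage directory outside the web root (not under wwwroot).
$base = realpath('C:\\pdfstore');
$path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);

// Belt and braces: the resolved path must still be inside $base.
if ($path === false || !is_file($path) || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// "inline" lets the iFrame render the PDF; use "attachment" to force a download.
// $name is safe in the header because of the regex above.
header('Content-Type: application/pdf');
header('Content-Disposition: inline; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

readfile($path);
exit;
```

The iFrame then points at download.php?file=statement-2013-01.pdf instead of at the PDF itself. If the files must stay under wwwroot for some reason, the script still works unchanged, but you then also need the rewrite (or IIS request filtering) rule the answer mentions so that a direct request for the .pdf URL is refused; otherwise the script is just a second, slower way to get a file that is already public.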

Related

How to read files from anywhere with vue.js

I am trying to read files from my music directory on my PC.
I have tried doing it with the Node.js file system module, but it is not working. How do I get it to work? 😢
Just a late follow-up. It is possible to read and write files using HTML5 with the FileReader and saveAs(). The browser will open a file dialogue and let the user choose the file, so the user is aware of the file access. It is not possible to read or write to a file without the user's attention.
https://developer.mozilla.org/en-US/docs/Web/API/FileReader
As said by #flame in a comment, it's simply impossible, because the browser never has access to the visitor's disk (can you imagine the security issue if it were the case?).
Vue.js is a front-end framework, so the application it produces only has access to what the browser has access to.

Show content of a zip file in a browser, rather than downloading it

I have a log server, where users upload archives and view their content online when needed. Currently the server unzips files, right after receiving them. Unfortunately, my peers consumed all the drive space I had. I can free up a lot of space, if there's a way of storing ZIP archives, but feeding them to users as HTML page (same as default Apache's file browser).
I know there are solutions relying on JS, like:
http://gildas-lormeau.github.io/zip.js/demos/demo2.html
https://stuk.github.io/jszip/
or I can unzip them on demand on the server side and provide a link to a temporary folder. However, some time ago I heard that a browser can view an archive's contents if the proper headers are sent from Apache/nginx. Apache's mod_deflate doesn't help much here, and I can't find other docs - perhaps it's not possible after all?
Cheers.

How to bypass red5 demo page on start up?

At present, I start up red5 in linux command line ./red5.sh and it runs the script. Then I go to http://localhost:5080 demos page to set up my camera and audio input and all works fine in testing the stream both on demo page and in swf of my webpage.
Question is, do I need to include some Java and/or ActionScript for the SWF player to bypass the red5 demo page so I can directly connect my input and stream in the code of the page? Also, so that only logged-in webpage viewers can connect?
Overall I'm wondering if there is a way of hiding the server stream from anyone not logged in to view it on my site. I understand that somewhere in the webapps folder there is a hosts list of IPs, but it would be impossible to know the IPs of the viewers as opposed to unwanted viewers or bandwidth stealers.
I am trying to set up a site for poetry readings and make it so readers can record live to my server and then logged in viewers can view from my website. I am trying to figure out whether I must have that red5 page open and if that doesn't pose some kind of risk.
Found my own way of doing this just by removing and renaming files and folders.
If you go to /usr/local/red5/webapps, there lie all the directories for viewing when you go to the default port 5080, so I simply installed the applications I needed and then took everything out of there except those applications I wanted and needed to run. I took it all out and placed it in a folder in the /var directory, named red5_movedstuff, in case I want access to further applications later on. Then I renamed the applications I am using in the webapps folder and kept the admin folder to access them, but I renamed my applications and, importantly, also had to rename them in WEB-INF for each application name change.
Now if someone goes to myip:5080 they get a blank page and by changing names of applications I've hidden my directories beyond that including list of streams.

"Disabling" folder with WAMP / Joomla

I'm curious about a WAMP + Joomla feature...
On my project folder and within /www/, I have several Joomla folders that are accessible (features inside are usable) but when directly opened from the Web browser show no contents (but no error message is shown)... This is a behaviour I would like to make other folders have but I don't seem to be able to get it!
Let me explain a bit further. The folder called "CLI", if opened in the web browser as:
.../components
returns a blank screen... But some of my modules are using content within, so the folder is not restricted, but its contents are not visible through the web browser.
Now I have another folder:
.../clients
which I would need to behave the same way, as many modules of my site need this, but I can't afford to leave it "open" for users (if someone enters ".../clients" in their web browser, I need the output to be blank, same as the .../components folder above). Currently, if someone enters .../clients in a web browser, they can see all the files within; this is a CRITICAL security bug for me.
I've succeeded in disabling them by doing DENY FROM ALL in httpd.conf. However, this is not valid, as it absolutely restricts everything within the folder, causing my modules to crash.
Hope you get the point, if not, happy to clarify :)
MANY MANY THANKS for your support!!!
PS - If possible, answer in a dummy way as I'm new to all of this Apache stuff.
The way Joomla returns a blank screen is by adding a blank index.html file. Browsers prioritise an index.html file to display over the index.php file etc. So literally put an index.html file in the subfolder containing:
<html>
<body bgcolor="#FFFFFF">
</body>
</html>

Why would .htaccess fire twice in IE when downloading a protected XLS file?

Certain directories are protected by Basic Auth using a .htaccess file on an older Apache 1.x server. Today a user pointed out that the username/password was requested twice for the file he had just posted: once when entering the directory to see the index, and then AGAIN when downloading the file. Finding this odd, I researched the usual causes of double-firing .htaccess authentication:
server name (http://server vs. http://www.server)
trailing slash (http://server/somedir vs. http://server/somedir/)
http vs https
No luck. Add to the confusion that Firefox/Chrome/Safari don't ask twice - only IE (6 and 7). Further investigation showed that this doesn't happen with PDF files - only Excel files - even blank ones.
Is Excel calling back to the server somehow that requires a second authentication? Why does it only happen in IE?
Not critical - but I'm very curious what could be causing this.
EDIT - I think bmdhacks nailed it. Watching the network traffic, Excel+IE fires back a second request with a different User-Agent, "Microsoft Protocol Discovery".
I'm not sure about Excel, but Windows Media Player has a special interaction with IE where when IE requests a file with a MIME type that Windows Media Player owns, instead of handing the downloaded file over to WMP, it instructs Windows Media Player to download the file itself. This could result in requesting the file twice, once for IE to ask for the file, and a second time when WMP downloads it.
It's possible that Microsoft uses this mechanism in other products like Excel too. You might be able to discover this by looking at the User-Agent header submitted in the second request. In the Windows Media case, it actually changes from IE to WMP's User-Agent on the second request.