PDF Report Generator Security Issue

The PDF Report Generator gives instructions that under the Settings, you can choose PDF Destination. Even though you may pick “Browser” as the destination, the module still creates a temporary PDF file in the _lib/tmp folder.

These files are not automatically removed and can build up.

The security issue comes if you do not know this and the PDFs are of potentially sensitive information. For a web application that is built with this system and deployed online, the files can now be directly accessed via the web by going directly to the folder.

Therefore, my suggestion to the development team is that if “Browser” is selected, that would mean that the PDF is dynamically generated and viewable only in the browser (No temp PDFs).

As an aside: I have created my own custom PDF modules by creating a new Blank Application and accessing fPDF directly. In this way I have outputted the PDF file only to the browser without any files being saved in my system.

Hello,

Agreed Paul! I will forward your suggestion to our development team.

Additionally, I recommend that you prevent users from accessing those files. You can do it by configuring something like this in your Apache:

<directory /path/>
    Options -Indexes … … …
</directory>

regards,
Bernhard Bernsmann

Thank you Bernhard for passing this on.

The recommendation you have helps to not show the list of files within the directory, but the files are still there.

What we did was include the directory listing block as well as create a cron job for deleting the files in the directory.

Allow me to share with the rest of the users to help protect them:

Create an .htaccess file with the following line of code:

Options -Indexes

This will disable the directory view of the folder, so that they cannot see the list of files in the directory.
Upload the .htaccess file into the _lib/tmp directory.

Then create a cleaner script that is run via cron periodically to clean the directory.

In PHP, it would be something like:

<?php
$dir = "/home/account/public_html/application/_lib/tmp";
$files = scandir($dir);

foreach ($files as $file) {
    // Delete only entries whose name ends in .pdf or .png
    if (preg_match('/\.(pdf|png)$/', $file)) {
        unlink($dir . '/' . $file);
    }
}

We’ve added the png to the list of deleted files because the PDF Report module sometimes creates temp png graphics.
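
An age-aware variant of the cron cleanup described above, as an added example that is not part of the original thread or of the product's code. It goes beyond the posted script by deleting only files older than a threshold, so a report still being generated is left alone; the function name `clean_report_tmp`, the 15-minute default and the use of GNU/BSD `find` options are assumptions.

```sh
#!/bin/sh
# Added example: cleanup for the report module's temp folder (_lib/tmp).
# Assumptions: function name, 15-minute default, find with -maxdepth/-mmin/-delete.
#
# Possible cron entry (script location is a placeholder):
#   */15 * * * * /path/to/clean_report_tmp.sh /home/account/public_html/application/_lib/tmp 15

# clean_report_tmp DIR [MAX_AGE_MINUTES]
# Deletes regular *.pdf and *.png files directly inside DIR whose modification
# time is older than MAX_AGE_MINUTES, then prints how many files were removed.
clean_report_tmp() {
    dir=$1
    max_age=${2:-15}

    # Refuse a missing path or a symlinked directory, so a replaced _lib/tmp
    # cannot redirect the deletion somewhere else.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "clean_report_tmp: not a real directory: $dir" >&2
        return 1
    fi

    # The age must be a plain non-negative integer.
    case $max_age in
        ''|*[!0-9]*)
            echo "clean_report_tmp: bad age: $max_age" >&2
            return 1
            ;;
    esac

    # -maxdepth 1: stay in the temp folder itself.
    # -type f:     regular files only (symlinks and sub-directories are skipped).
    # -mmin +N:    last modified more than N minutes ago.
    find "$dir" -maxdepth 1 -type f \( -name '*.pdf' -o -name '*.png' \) \
        -mmin "+$max_age" -print -delete | wc -l | tr -d ' '
}

# Run as a script when a directory argument is supplied.
if [ "$#" -gt 0 ]; then
    clean_report_tmp "$@"
fi
```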