Security issue with files linked to a document (file name) field

seamaritime · May 7, 2020, 8:10pm

Dear all,
in some SC9 forms I use fields of the type Document (File Name). They are saved on the server (Linux) in the directory /_lib/file/docattachedfiles.

I figured out that the files can be accessed by entering the complete URL including file name in the browser address field.

Example: https://www.mydomain.xy/_lib/file/docattachedfiles/filename.pdf

The chmod settings for the directory are 755 and for all files 644. The owner is www-data.

I tried many combinations of owner root and also of chmod settings. But whenever the file is secured via URL it can not be accessed from within Scriptcase application.

Can anybody help, please?

Best regards,
Joerg

aducom · May 7, 2020, 9:04pm

This is a general issue which has to do with your php/webserver settings, not scriptcase. To download a file from any directory is a piece of cake on most systems, once you know the name and location.
As there are many, many solutions, I recommend looking at stackoverflow where this issue has been handled numerous times and offers a lot of solutions. You need to pick one that is applicable to you.

frank · May 7, 2020, 9:04pm

if your server is apache you can add the following to your htaccess:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www.)?localhost.*$ [NC]
RewriteRule .(pdf|doc|docx)$ - [F]

It allows to your application access to the files, but blocks the access from entering the full url.

Better combine with

<Files 403.shtml>
order allow,deny
allow from all
</Files>

Hope that helps!!

seamaritime · May 7, 2020, 9:04pm

Thank you. But Frank’s tip doesn’t help. It totally blocks the files from being downloaded via URL but blocks them from being downloaded by the software, too.
@Albert, can you please give me some guidance to find articles in stackowerflow. I can’t find any.
Best regards,
Joerg

frank · May 7, 2020, 9:04pm

may be another setting, my software can upload and download the files without problem, and blocks the access from downloading directly from url.

Mamede · May 7, 2020, 9:04pm

You can block access to all files within a folder using htaccess (as pointed above) and then create a PHP script to serve those files. It’s useful if you implement rules to serve those files, e.g., “user must be logged in and also the owner of the file”; otherwise it won’t make difference because anyone will still be able to access them only by having their URL. If you’re not implementing rules, you can just rename those files so they won’t be easily discoverable (e.g. using hash strings).