I have an online photo archive. My webpage is password protected but I have not yet protected the photo folder to stop people direct linking the photos by URL. All the photos are uniquely named so it is a little hard to guess... but if somebody wanted to guess, they can - and I don't want them to.
How can I stop them from doing this? Is there a way to show a custom webpage if they do try this, that's says "Oi, don't steal!" or similar?
I have a windows dedicated server with administrator access via remote desktop. The only thing that should enter that folder is a script, nothing else.
Many thanks
Do you mean to say you have enabled basic authentication on the folder containing the images? If that is the case no user should be able to guess, or browse the directory contents without putting in username and password first, otherwise they will get a 401 unauthorized error.
You can check the referrer. It can be easily defeated but most people likely wont care enough to do so. Here is some more detail about that http://davidwalsh.name/prevent-image-hotlinking
For password protecting a portion of your website you can also use .htaccess files - http://weavervsworld.com/docs/other/passprotect.html
I dont know how to do either of these in IIS, apologies.
Related
This morning I logged onto my website and shockingly I found that it just spit out error messages and some kind of upload form was displayed. A form that basically uploads a file onto my server.
I logged into my server and had a look at the access log. It seems he accessed the function file of my wordpress theme, fully deleted the original and created an upload form out of it.
With that upload form he then uploaded the following file.
Edit: I had to copy the code to hastebin, it was too big to be posted here.
http://hastebin.com/itedinefiz.php
He named the file web-info.php. I did not run the file because I am afraid that it might do some harmful things to my site.
Could anyone tell me what this file does?
Anyway, I have restored the functions.php file of my wordpress theme and deleted that web-info.php file form the server and now it seems that the website is running again.
Oh and my guess he gained access to my website because my login credentials were very easy... very stupid of me :(
After doing a bit research this what I came up with.
The malicious file that I have posted above, was encoded using eval(gzinflate(base64_decode));
Thanks to http://ddecode.com/phpdecoder/ I was able to decoded it, here is the raw PHP file that the hacker left behind:
http://pastebin.com/fAEQn2j7
I ran the file on my local machine, holy crap! It's a full on rootkit. It has massive interface that covers pretty much anything to take over the entire server. It seems to let you browser the entire files on the server, run sql code, run php code, brutforce options, network option and so on.
I think the safest it to cancel the entire VPS that I am renting from Bluehost, a normal wordpress deinstallation won't do any good.
After uploading a normal jpg or png (anything) to the media library, we get the above error.
I've seen many posts on this topic and tried everything but still stuck.
I'm not the regular user, but I see dozens of other pictures have been uploaded, and suddenly we're getting this error.
I checked the server, there is disk space, the permissions for Uploads and Images folders are writable (777) and I've confirmed that I can upload through the Plex control panel. I also tried deactivating all the plugins.
There are a couple things I'm also curious about, but I'm not sure if they are related:
1) One said to make sure "Always use HTTPS" is checked, but I do not have that option which is talked about here: http://en.support.wordpress.com/https/
2) If I go to wp-admin/network/settings.php I get the WordPress message "You do not have sufficient permissions to access this page," even though I have a user with the Administrator role.
Is there another hidden user with greater permissions? Still not sure if that would help though, since everything was fine until recently.
Edit:
I found the cause, however I don't know why it happened or how to prevent it from happening in the future. The user for the 2013 folder, and a subdirectory for this month only, was set to Apache instead of ourusername like all the other folders. I don't know why this happened or how to prevent it from happening. I copied the folder and the user was by default set to ourusername which prevents the issue for now, but still wondering how to avoid this problem popping up again.
To get over this uploading an image error, you must make sure the permissions to this folder wp-content are set correctly.
ANSWER: The IUSR account should have read and write access. (Works for Plesk IIS and others)
Do not create the folders yourself in the WordPress area!
I have a requirement to check that all the hyperlinks still work on a password protected, private website. What's the best way of doing this?
The site is mix of HTML and ASP.NET Webforms.
EDIT: Sorry - I don't think this question was clear.
I need something like this:
http://validator.w3.org/checklink
But for a site hidden behind a user/pass form. I don't mind doing something programmatically or purchasing something if it's reasonable.
You should seriously look at the unix command line tools to do this. Esp wget
take a look at the --spider option in combination with the --user and --password options...
Also take a look at curl or libcurl+php
There are two things that are not terrible clear about your question.
First, what sort of user/password are required. These can be POST values or they can be the username and password from the http protocol. Which do you want? There are several ways to provide a username and password to a website, and whatever solution you use has to work with your website. That means that you have to have a very accurate understanding of which method you are using. Just the fact that it has a username and password is not nearly enough information.
Second it is unclear what you mean by "links still work" do you mean internal links that will or will not work based on the proper functioning of your application, or do you mean links to public Internet sites that happen to be on a password protected site?
I am assuming the later with this answer. But if you meant the former then you should look into one of several web application test suites that have recently come available.
HTH,
FT
Rel Software's Web Link Validator works quite happily with Forms Auth based sites - we've been using it on client sites for some time now.
The main things to watch out for are:
Send the link checker to your Login Page first.
Ensure you tell it to ignore all Logout URLs (so it doesn't inadvertently log itself out).
I enjoy using SimpleTest for testing my own websites, but there's no built-in link checker.You could use it to navigate the login and fetch the page body. You'd then parse the content using regular expressions to find all links, and use SimpleTest again to verify those links (and even crawl them to verify recursively).
Of course, using cURL (or libcurl with your language of choice) gets you pretty close, too.
You just need to authenticate the WebRequests ...
Where are you stuck?
-- Edit
Well, it depends on what you mean by 'password protected'. How do is the login scheme implemented?
You can do this using Apache httpclient has the features
I'm creating an ASP.NET web application to schedule tasks on our server from a remote location using a .NET Wrapper for Scheduled Tasks. However, I'm stuck.
The user needs to be able to browse the file system on the server to retrieve a "file to run" for the new task that the user's creating in this application. I need to get the filepath/filename and pass it into the .NET wrapper.
I've tried using HTMLInputFile, but I haven't found a way to make that work for me.
Any help is appreciated.
Thanks
Update:
For this project, we've decided to simply list the executables in a dropdown box that would be available to users since they don't really need total access to the file system, just for security's sake.
HTMLInputFile is used to browse the client's file system and upload a file to the server. It isn't used to browse the server's file system.
You will need something quite different. You will need some server side code to display the server side folder structure to the user via the browser.
There is an example of a basic implementation of this here.
Update:
With that sample, the path that you replace "yourfolderHere" with needs to be a virtual path, rather than an absolute path. So for example "C:\Inetpub\wwwroot\uploads" won't work, but "uploads" will work.
I hope it goes without saying that there are serious security issues to think about when implementing something like this.
The HTMLInputFile will only work on the client-side machine.
You need to write a filesystem browser in ASPX/HTML that browses on the server-side.
Shouldn't be that hard to do.
You can't use the <input type="file" tag
This brings up a client-side dialog that browses the client machine.
As far as I am aware you need to create your own 'browser'.
eg You could use the My.Computer.Filesystem classes to retrieve a list of files in a folder and show those on the webpage. The user then selects the relevant file and posts a response back to the server.
You can use System.IO.Directory to get directories and files. These can be displayed in a number of ways. A simple browser / file selection should be possible in less than 50 lines of code.
Also be aware that you may need to grant extra permissions to the user that your web app runs as so the file system is accessible.
There are also various security implications around this, so don't grant access to everything unless you really need this.
Let's say we have a web site with a CF app that was written in-house.
Assume that:
Server 2003 IIS6 or 2008 IIS7 will be used
ColdFusion 8 will be used
Directory browsing is denied
SSL is required to connect
The account login process is secure (yeah I know that is a whole other
ball of wax but that concept is discussed ad nauseum on the web).
Say I have a file at https://domain.com/folder1/folder2/ with a name like picture92352.ext imagine it as a jpg or pdf or whatever. The entire path between the domain name and the file varies widely in naming structure, depth, etc. Files are not all lumped together in one folder.
The app restricts links by user such that a user would have to have access to that file to find it in the first place but as it stands now if a person knew the full URL to that file they could retrieve it without logging in to the app. It's the classic security by obscurity situation. A random person isn't likely to find a file they shouldn't get to but once someone is given access they know how to access it from another PC where their actions might not be traced back to them.
How do I restrict access to these files before someone logs in and still make them accessible to outside users after they log in? Is there a way to do it with permissions only or is the only answer to have code dynamically moving files around at the time of the request or is there some obvious step I'm not even thinking of?
Let me clarify this slightly. No matter how the file is presented on a page a user can use the browser IE, Firefox, etc to examine the URL the file comes from. If the image is a link there is always copy shortcut in the right click menu for IE and the same functionality in FF is called copy link location. If the image is displayed inline as part of the page an IE user can right click and choose properties to see the URL, in FF the same functionality is present to see properties but there is an even quicker more convenient option labeled copy image location. Once a user knows the URL to a file if the location or file name doesn't change they can use that URL without authenticating in the CF app.
If I change the NTFS/share permissions so that IUSR can't see the content then my CF app and IIS can't push it. What strategy do I use to provide the file in the CF app that doesn't leave this hole open?
You could write a CFM page that serves up the images. Then you just make sure they are authenticated inside the CFM.
<!-- something like this -->
http://localhost/GetFile.cfm?file=foobar.jpg
In GetFile.cfm, you would do something like:
<!-- the filename part is what the browser will pre-popualate the file name in the download dialog as -->
<CFHEADER name="Content-disposition" value="attachment;filename=picture92352.ext">
<CFCONTENT type="text/plain" file="\\fileserver\folder1\folder2\picture92352.ext">
Take a look at the various MIME types.
If you wanted to do something similar but keep a more natural URL, I think you would need to leverage the Java servlet underpinnings of ColdFusion to create a handler for any URL matching a certain pattern.