Web Application Security
RE: Directory Scanner Feb 14 2012 02:07PM
Calderon, Juan Carlos \(GE, Corporate, consultant\) (juan calderon ge com)
Darn, you are correct Henry, I guess I just read too fast.

Refocusing the answer, There are 2 alternatives I would suggest

1. You can implement HTTP Digest/Challenge authentication (no BASIC
authentication please, unless you have SSL) on the files directory
2. If you have forms authentication, Implement a proxy page (as
suggested before) that will serve the actual document, save the
file-user relationship on a DB AND move the documents to a non-Web (to
prevent direct access) and non-system folder (to prevent privilege
escalation).

If each document needs to be served to a different user or a group of
named users or a combination of both (they are private documents) then
option 2 is easier to maintain in my experience.

Regards, hope it helps
Juan C Calderon

-----Original Message-----
From: Henry Troup [mailto:htroup (at) gmail (dot) com [email concealed]] On Behalf Of Henry Troup
Sent: Monday, February 13, 2012 4:14 PM
To: Calderon, Juan Carlos (GE, Corporate, consultant)
Subject: Re: Directory Scanner

I thought the point was that document_1 implied that someone might
request _2 through _65535 and forcibly enumerate the documents.

Henry Troup, Ottawa, Canada
Sent from my BlackBerry 613-851-5095
htroup (at) acm (dot) org [email concealed]

-----Original Message-----
From: "Calderon, Juan Carlos \(GE, Corporate, consultant\)"
<juan.calderon (at) ge (dot) com [email concealed]>
Sender: listbounce (at) securityfocus (dot) com [email concealed]
Date: Mon, 13 Feb 2012 09:45:49
To: Alexander Pick<acpi (at) mac (dot) com [email concealed]>; Thugzclub
Thugzclub<thugzclub (at) googlemail (dot) com [email concealed]>
Cc: <security-basics (at) securityfocus (dot) com [email concealed]>; <webappsec (at) securityfocus (dot) com [email concealed]>
Subject: RE: Directory Scanner

I understand authentication to these documents is not an issue what is
an issue is directory listing. IIS prevents this by default so I assume
you are using Apache, Tomcat or another server. So the best way to
prevent this issue is to modify your .htaccess file to avoid listing
files:

Here is an example of how to use it
http://www.javascriptkit.com/howto/htaccess11.shtml

Regards,
Juan C Calderon

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of Alexander Pick
Sent: Wednesday, February 08, 2012 3:11 AM
To: Thugzclub Thugzclub
Cc: security-basics (at) securityfocus (dot) com [email concealed]; webappsec (at) securityfocus (dot) com [email concealed]
Subject: Re: Directory Scanner

Another idea is to proxy your download URLs through a script and hide
the real files outside the web root.

If you do it in PHP it's pretty simple (header + read file + bit
security). Just make sure to make the script secure in terms of
directory transversal etc., many people hide their downloads for
security and create even bigger holes with bad scripts.
You can also add all sort of attack detection to it, like recording the
hit count of an IP to it and auto locking the downloads after a certain
amount.

Hope this helps.

greets,
Alex

> A question:
>
> Given a website URL like the below :
>
> http://www.companywebsite.com/resources/resources/whitepapers/document
> _1_wp.pdf
> http://www.companywebsite.com/resources/resources/whitepapers/document
> _arbinatryname__wp.pdf
>
> How can I protect somebody from enumerating the list of file on this
> "whitepapers" directory ? What tool can I use to make sure that I am
> adequately protected against this ?
> Cheers
>
> ----------------------------------------------------------------------
> -- Securing Apache Web Server with thawte Digital Certificate In this
> guide we examine the importance of Apache-SSL and who needs an SSL
certificate. We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how
to test, purchase, install and use a thawte Digital Certificate on your
Apache web server. Throughout, best practices for set-up are highlighted
to help you ensure efficient ongoing management of your encryption keys
and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
> 42f727d1
> ----------------------------------------------------------------------
> --
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus