gsownsby
Joined: 03 Jun 2003 Posts: 71 Location: Chattanooga, TN USA
Posted: Thu Jun 05, 2003 9:35 pm Post subject: Security - Anonymous Browsing - Can It Be Turned Off?
Generally for security purposes, we disable auto indexing so that if an index.htm-type document is not present, the web server does not generate a list of the files contained in that directory. Abyss supports that fine.
However, can "anonymous browsing" be disabled? I.e., if a person knows, or can predict or experiment with, paths/filenames, they can bypass a secured directory and display a file. For instance, I have secured a folder (images) on the server and it properly generates a username/password challenge. If I know the path and type it directly into the browser address line, for example http://www.testdomain.com/images/test.jpg, I can see the image even though it is located in a secured folder.
I'll grant you that guessing at a filename could be grasping at straws in the dark hoping to get the white one, BUT "security by obscurity" is generally not acceptable these days. If one adopts a naming convention for files within a website (which most professionals do), then it might not be too difficult to hit on the right path/filename to get to a supposedly "secured" file.
I have closed/relaunched the browser and can duplicate this condition. Is there a solution to this condition? Thanks.
Gary
os17fan
Joined: 21 Mar 2003 Posts: 531 Location: USA
Posted: Thu Jun 05, 2003 10:30 pm Post subject:
Do you mean password protecting the /images/ folder and also accessing an image within that folder without a password dialog being displayed? I don't think it's possible. If I'm wrong, please correct me so I can do that, because I would like to do what you're doing 8)
_________________
This web server is the best!
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Thu Jun 05, 2003 10:54 pm Post subject: Re: Security - Anonymous Browsing - Can It Be Turned Off?
No server in the world can provide that kind of security for free.
You should write a script that serves those images. That script should use sessions, i.e. when a user logs on to your web site, you create a session for them and they will be able to get the files. That way, a guessed URL won't work, since no valid session will be available with it. This is the same mechanism that you have when browsing "My Yahoo", for example. Everyone can browse http://my.yahoo.com and everyone gets their own version of the page. That means that the URL is not the only identifier of the served objects; My Yahoo also uses the session variables, which are hidden and identify each one of them.
_________________
Support Team
Aprelium - http://www.aprelium.com
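The session-gated file script described in the reply above, written out as an added example. This is not code from the thread, from Abyss or from Aprelium; it assumes a server-side session store, a login function that issues an unguessable session id (which the web layer would then carry in an HttpOnly cookie), and a handler that only reads files from inside the protected directory. The user table, the password and the image file are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

# Constructed sample data: a protected directory holding one image.
PROTECTED_ROOT = Path(tempfile.mkdtemp(prefix="protected_images_")).resolve()
(PROTECTED_ROOT / "test.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")

# Constructed user table (hypothetical). A real deployment would use a slow,
# salted password hash (bcrypt/scrypt/argon2) rather than a bare SHA-256.
USERS = {"gary": hashlib.sha256(b"correct horse battery staple").hexdigest()}

# Server-side session store: session id -> username. Only the opaque id ever
# leaves the server, so a guessed file URL carries no usable credential.
SESSIONS = {}


def login(username, password):
    """Return a fresh random session id on success, None on bad credentials."""
    stored = USERS.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    # compare_digest avoids leaking the hash through timing differences.
    if stored is None or not hmac.compare_digest(stored, given):
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness; not guessable
    SESSIONS[sid] = username
    return sid


def logout(sid):
    """Invalidate a session so the id stops granting access."""
    SESSIONS.pop(sid, None)


def serve_protected(sid, requested):
    """Serve a file from the protected folder only to a valid session.

    Returns (status, body): 401 with no valid session, 403 if the requested
    name would resolve outside the protected root (e.g. '../' or an absolute
    path), 404 if the file is missing, and 200 with the bytes otherwise.
    """
    if sid is None or sid not in SESSIONS:
        return 401, b""
    target = (PROTECTED_ROOT / requested).resolve()
    # Containment check: the resolved path must share the root as a prefix.
    if os.path.commonpath([PROTECTED_ROOT, target]) != str(PROTECTED_ROOT):
        return 403, b""
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


if __name__ == "__main__":
    print("guessed URL, no session:", serve_protected(None, "test.jpg")[0])
    sid = login("gary", "correct horse battery staple")
    print("same file with session:", serve_protected(sid, "test.jpg")[0])
    print("traversal attempt:", serve_protected(sid, "../outside.txt")[0])
    logout(sid)
    print("after logout:", serve_protected(sid, "test.jpg")[0])
```

The key point is the order of checks: the session is verified before the filesystem is touched, and the path is resolved and checked against the root before any read, so neither a guessed filename nor a crafted path reaches the file store without a logged-in session. The session id is random and stored only server-side, which is what keeps the URL from being the sole identifier of the object.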
gsownsby
Joined: 03 Jun 2003 Posts: 71 Location: Chattanooga, TN USA
Posted: Fri Jun 06, 2003 2:00 am Post subject:
os17fan wrote:
> Do you mean password protecting the /images/ folder and also accessing an image within that folder without a password dialog being displayed? I don't think it's possible. If I'm wrong, please correct me so I can do that, because I would like to do what you're doing 8)

Yes, that's exactly what I meant. I protected the images folder but then opened a browser and typed in the exact URL, including the domain name/images/imagename.jpg, and it will display in the browser. I know in some web servers this is a setting that disables anonymous browsing like that, but apparently Abyss doesn't do it right now. I can work around this condition, but it could be an enhancement later. Our web servers at work do not allow you to bypass and jump straight to a known file, so I know it is possible to control this in some web servers.
Gary
CapFusion
Joined: 18 May 2003 Posts: 617 Location: Lost in Abyss' Dungeon
Posted: Fri Jun 06, 2003 5:40 pm Post subject:
os17fan wrote:
> Do you mean password protecting the /images/ folder and also accessing an image within that folder without a password dialog being displayed? I don't think it's possible. If I'm wrong, please correct me so I can do that, because I would like to do what you're doing 8)

Yes, it works. I tried it before and was amazed. I forgot all about this until gsownsby brought it up. If you know the specific file, you can simply enter the URL exactly and it will show it. It was funny when that happened. All my IT friends made a joke out of it.
My friend used "Enterprise" as an example.
It is just the same as "Enterprise", the starship from the TV series called "Star Trek", being able to enable its powerful shield on one side only. Like enabling its forward shield while the aft shield, port shield or starboard shield is not on. So only the front is protected and the rest is not.
A well-built, powerful ship that lacks defense is still the same as using it for target practice to be destroyed. The same still applies to Abyss. A lack of security and options will sooner or later catch up to haunt it, no matter how well it is built. It should not depend on a third party to implement security, but should implement its own to have better control.
_________________
CapFusion,...