Re: Extended - Re: securing sensitive information in CGI scripts
> > Why do you need to store them there? If you can answer that for us, we can give you much better
> > advice on how to secure it.

Good point, I should have included it in the question itself.

Well, many times we don't get access to directories outside the website root, especially in the case of shared servers.

Regards
Rajeev

----- Original Message -----
From: "Curtis Poe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 05, 2001 11:53 PM
Subject: Re: Extended - Re: securing sensitive information in CGI scripts

> --- Rajeev Rumale <[EMAIL PROTECTED]> wrote:
> > I need to store some uploaded files from the "visitors" into some
> > directories which are inside website root.
>
> Rajeev,
>
> Why do you need to store them there? If you can answer that for us, we can give you much better
> advice on how to secure it.
>
> Cheers,
> Curtis "Ovid" Poe
>
> Senior Programmer
> Onsite! Technology (http://www.onsitetech.com/)
> "Ovid" on http://www.perlmonks.org/

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Extended - Re: securing sensitive information in CGI scripts
--- Rajeev Rumale <[EMAIL PROTECTED]> wrote:
> I need to store some uploaded files from the "visitors" into some
> directories which are inside website root.

Rajeev,

Why do you need to store them there? If you can answer that for us, we can give you much better advice on how to secure it.

Cheers,
Curtis "Ovid" Poe

Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
Re: Extended - Re: securing sensitive information in CGI scripts
This is a very different security question. Basically I think there are two major classes of solution. One is based on randomness and the other is based on a harder core ACL check in the CGI itself and requires the CGI to control access to the file more tightly.

In detail:

One way which isn't the most secure is to generate random directories to place these files in and then put the file in these random directory names for download. Unless a hacker guesses correctly (e.g. using an MD5 hash is pretty strong), which is unlikely, they won't be able to get a file of someone else's without knowing the session key. This is subject to brute force checking and is potentially breakable through other means.

The more secure way is to store the file outside the document tree and check a database to see if the authorized user can access that particular uploaded file. If so, then the CGI program itself should open the file and present it back to the user. Otherwise, no dice.

At 10:32 AM 9/5/2001 +0800, Rajeev Rumale wrote:
>Greetings to all,
>
>This is really a good thread we have.
>
>However, as the title is not restricting to database security, I would like
>to add my concern to it.
>
>I need to store some uploaded files from the "visitors" into some
>directories which are inside website root.
>
>Since the files submitted are confidential info, we need to protect it from
>people directly accessing the files depending upon the ownership rights (the
>actual owner, site admin, site operator, other authorised user).
>
>Any suggestions for same.
>
>Thanking in advance.
>
>Rajeev Rumale

Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
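Gunther's second, more secure approach, as an added example that is not part of this thread: the upload lives outside the document tree, the browser only ever sees an opaque id, and the CGI looks the id up, checks ownership (owner, site operator, site admin, matching Rajeev's list) and streams the file itself. It is written in Python rather than the Perl a 2001 CGI would use; the temp-dir storage root, the ADMINS set, the record layout and the user names are constructed assumptions standing in for the real database and session.

```python
import secrets
import tempfile
from pathlib import Path

ADMINS = {"siteadmin"}  # constructed: site admins may read every upload


def build_demo_store():
    """Constructed stand-in for the upload directory and its database table.
    Here it is a temp dir; in production it sits OUTSIDE DocumentRoot, so no
    upload has a URL and the only way to a file is through serve() below."""
    root = Path(tempfile.mkdtemp(prefix="uploads-")).resolve()
    file_id = secrets.token_hex(16)  # opaque id the browser gets instead of a path
    (root / file_id).write_bytes(b"confidential form data")
    # id -> on-disk name, owner, and other authorised readers (e.g. a site operator)
    records = {file_id: {"name": file_id, "owner": "alice", "readers": {"operator1"}}}
    return root, records, file_id


def authorized(user, file_id, records):
    """The owner, an explicitly authorised reader, or a site admin may read the file."""
    rec = records.get(file_id)
    if rec is None:
        return False
    return user == rec["owner"] or user in rec["readers"] or user in ADMINS


def locate(file_id, records, root):
    """Build the on-disk path from the database record, never from client input,
    and refuse anything that does not stay under the storage root."""
    path = (root / records[file_id]["name"]).resolve()
    if root not in path.parents:
        raise ValueError("stored path escapes storage root")
    return path


def serve(user, file_id, records, root):
    """Return the raw CGI response. Unknown ids and denied users get the same
    403 so the script does not reveal which ids exist."""
    if not authorized(user, file_id, records):
        return b"Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\r\n"
    body = locate(file_id, records, root).read_bytes()
    headers = (
        "Status: 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{file_id}.bin"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode() + body
```

Because the web server never maps the storage root to a URL, a guessed or leaked id still has to pass authorized() in this script; Gunther's first approach relies on the id alone.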