amindomeniko

Reputation: 429

How to prevent users from accessing files directly in the website root Directory

I am working with a classic asp website with the following setting:

I am dealing with two security issues.

1) Users are currently able to access files (txt, pdf) by entering let's say "http://MyWebsite.com/test.txt". How to prevent users from accessing non asp files this way?

2) There are a couple of folders (ex. uploads) where the application needs to have full access. But again, the user should not be able to type the physical path to gain access to such files under these folders. How can I set this up?

In a way I would like to create an IIS URL Rewrite rule that only shows files that have a .asp page in it. So I could have http://LocalHost/DisplayPDF.asp?ThePDF and be able to view the PDF, but I want to prevent the user from going and entering http://LocalHost/ThePdf.pdf

My speculation is I would need to configure IIS correctly. Any recommendation is appreciated.

Upvotes: 1

Views: 4678

Answers (4)

Garisson

Reputation: 9

All you need:

  1. Open the IIS and click on the desired site.

  2. Select the MIME Types icon.

  3. Find and remove the line with ".pdf application/pdf".

After these steps, users will lose access to PDF files.

  4. Now you create a DisplayPDF.asp file in which you will pass the PDF file name, for example http://LocalHost/DisplayPDF.asp?filename=test.pdf Inside you will check if the user is authorized and if so, display the file in the browser.

<%
Option Explicit

Dim filename, DestinationPath, objStream

If Session("ViewPDF") = "YES" Then

    filename = Request.QueryString("filename")

    DestinationPath = Server.MapPath("/PDFFiles/")

    ' Accept only a bare .pdf file name. Path separators and ".." would let
    ' ?filename=..\web.config read files outside /PDFFiles/.
    If filename <> "" And InStr(filename, "\") = 0 And InStr(filename, "/") = 0 _
        And InStr(filename, "..") = 0 And LCase(Right(filename, 4)) = ".pdf" Then
        Response.Buffer = False
        Set objStream = Server.CreateObject("ADODB.Stream")
        objStream.Type = 1 'adTypeBinary
        objStream.Open
        objStream.LoadFromFile DestinationPath & "\" & filename
        Response.ContentType = "application/pdf"
        ' Quote the name so a value containing spaces or ";" cannot alter the header.
        Response.AddHeader "Content-Disposition", "inline; filename=""" & filename & """"
        Response.BinaryWrite objStream.Read
        Response.Flush
        objStream.Close
        Set objStream = Nothing
    End If

End If
%>

  5. After that, you need to replace all links in the application with new ones, for example:

http://LocalHost/test.pdf to http://LocalHost/DisplayPDF.asp?filename=test.pdf

Upvotes: 0
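The gatekeeper pattern in the answer above only helps if the page refuses any name that could leave the PDF directory. The following is an added example, not the answerer's code, that models that check in Python so it can be run and tested offline: a user-supplied name is accepted only if it is a bare file name, resolves to a location inside the base directory, and carries the one extension the gatekeeper is meant to serve. The directory layout (PDFFiles/test.pdf, notes.txt, a web.config one level up) is constructed in a temporary folder for the demonstration.

```python
"""Containment check for a user-supplied download name (added example)."""
import os
import tempfile
from pathlib import Path

# Only this extension is served through the gatekeeper (assumption).
ALLOWED_EXTENSIONS = {".pdf"}


class NotAllowed(Exception):
    """Raised for any requested name that must not be served."""


def resolve_download(base_dir, requested):
    """Return the absolute path to serve, or raise NotAllowed.

    base_dir is the directory the page may read from (the equivalent of
    Server.MapPath("/PDFFiles/")); requested is the raw query-string value.
    """
    if not requested or "\x00" in requested:
        raise NotAllowed("empty or NUL-containing name")
    # A bare file name only: after normalising separators, basename()
    # must give back the whole string, so "sub/x.pdf" and "..\\x" fail here.
    if os.path.basename(requested.replace("\\", "/")) != requested:
        raise NotAllowed("directory separators are not allowed")
    if requested in (".", ".."):
        raise NotAllowed("dot names are not allowed")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # resolve() collapses ".." and symlinks; anything that escaped the base
    # is no longer relative to it.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise NotAllowed("path escapes the base directory")
    if candidate.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise NotAllowed("extension not served by this gatekeeper")
    if not candidate.is_file():
        raise NotAllowed("no such file")
    return candidate


def check_request(base_dir, requested):
    """Return (allowed, detail) instead of raising."""
    try:
        return True, str(resolve_download(base_dir, requested))
    except NotAllowed as exc:
        return False, str(exc)


def demo():
    """Build a constructed layout and classify representative requests."""
    root = Path(tempfile.mkdtemp())
    pdfs = root / "PDFFiles"
    pdfs.mkdir()
    (pdfs / "test.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (pdfs / "notes.txt").write_text("not for download")
    (root / "web.config").write_text("<configuration/>")
    cases = [
        "test.pdf",            # the only request that should succeed
        "notes.txt",           # exists, but wrong extension
        "../web.config",       # classic traversal
        "..\\web.config",      # Windows-style traversal
        "sub/test.pdf",        # subdirectory, not a bare name
        "",                    # empty parameter
        "missing.pdf",         # allowed shape, file absent
        "test.pdf\x00.txt",    # NUL truncation attempt
    ]
    return {name: check_request(pdfs, name)[0] for name in cases}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", repr(name))
```

The same three conditions (bare name, contained path, allowed extension) are what the VBScript page needs before calling LoadFromFile; the allowlist on extension is deliberate, because the alternative of blocking known-bad names misses variants.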

Dave Mroz

Reputation: 1489

You can remove the MIME type from IIS which will prohibit IIS from serving any file types that you don't want.

https://technet.microsoft.com/en-us/library/cc770504(v=ws.10).aspx

Upvotes: 0

Kul-Tigin

Reputation: 16950

I'd make it work by creating a url rewrite rule for root directory files (to get rid of the inheritance-related problems) and removing static file handlers for subdirectories.

Place the following web.config in your application's root directory or modify existing one accordingly and do not forget to move the rule to an appropriate position if there are others.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
        <system.webServer>
            <rewrite>
                <rules>
                    <rule name="ROOT_FILE_CHECK">
                        <match url="^[^/]*$" />
                        <conditions>
                            <add input="{DOCUMENT_ROOT}\{R:0}" matchType="IsFile" />

                            <!-- allowed extensions -->
                            <add input="{REQUEST_FILENAME}" pattern="\.asp$" negate="true" />
                            <add input="{REQUEST_FILENAME}" pattern="\.allowed1$" negate="true" />
                            <add input="{REQUEST_FILENAME}" pattern="\.allowed2$" negate="true" />
                            <!-- allowed extensions -->
                        </conditions>
                        <action type="CustomResponse" statusCode="404" statusReason="Not Found" statusDescription="." />
                    </rule>
                </rules>
            </rewrite>
        </system.webServer>
</configuration>

And place the following web.config in each subdirectory you want to prevent access to files. This one removes static file handlers so static files in that directory become inaccessible.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <remove name="StaticFile" />
        </handlers>
    </system.webServer>
</configuration>

Upvotes: 3
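Whichever of the two mechanisms is deployed, the rewrite rule and handler removal above or the MIME-type removal in the earlier answers, the result is only as good as the coverage, and the usual gap is a subdirectory that was forgotten (a removed MIME map answers 404.3, a directory with no StaticFile handler answers 404.4, and the CustomResponse rule answers a plain 404, so all three look like 404 to a client). The script below is an added example, not part of any answer: it probes a list of URLs and reports any static file that is still served. The probe paths, the hostname http://example.test and the FAKE_SITE responses are constructed assumptions modelled on the question; pass a real base URL on the command line to run it against a site.

```python
"""Post-deployment probe: are direct static-file URLs blocked? (added example)"""
import sys
import urllib.error
import urllib.request

# (path, expect_blocked). "Blocked" means the server answers 403 or 404.
# The paths are assumptions based on the question's examples.
PROBES = [
    ("/test.txt", True),
    ("/test.pdf", True),
    ("/uploads/test.pdf", True),
    ("/UPLOADS/TEST.PDF", True),                 # case variants must be blocked too
    ("/Default.asp", False),                     # ASP pages must keep working
    ("/DisplayPDF.asp?filename=test.pdf", False),
]


def http_fetch(url):
    """Return (status, content_type) for url; HTTP errors are data, not failures."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def is_blocked(status):
    return status in (403, 404)


def run_checks(base_url, fetch=http_fetch, probes=PROBES):
    """Return rows of (path, status, ok); ok is True when the outcome matches."""
    rows = []
    for path, expect_blocked in probes:
        status, _ctype = fetch(base_url.rstrip("/") + path)
        rows.append((path, status, is_blocked(status) == expect_blocked))
    return rows


def failures(rows):
    """Rows whose observed outcome differs from the expectation."""
    return [row for row in rows if not row[2]]


# Constructed stand-in for a site where only the root rewrite rule was
# deployed and the web.config for uploads/ was forgotten.
FAKE_SITE = {
    "/test.txt": (404, "text/html"),
    "/test.pdf": (404, "text/html"),
    "/uploads/test.pdf": (200, "application/pdf"),
    "/UPLOADS/TEST.PDF": (200, "application/pdf"),
    "/Default.asp": (200, "text/html"),
    "/DisplayPDF.asp?filename=test.pdf": (200, "application/pdf"),
}


def fake_fetch(url):
    path = url[len("http://example.test"):]
    return FAKE_SITE.get(path, (404, "text/html"))


def demo():
    """Run the probes against the constructed site and return the leaks."""
    return failures(run_checks("http://example.test", fetch=fake_fetch))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = run_checks(sys.argv[1])          # live site
    else:
        results = run_checks("http://example.test", fetch=fake_fetch)
    for path, status, ok in results:
        print("OK " if ok else "BAD", status, path)
    sys.exit(1 if failures(results) else 0)
```

Run it after every web.config change and after adding a folder; a new subdirectory without its own web.config is exactly the case the constructed FAKE_SITE reproduces.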

Dijkgraaf

Reputation: 11527

For stopping users accessing non asp files you need to move those files from the root to a folder outside of the accessible web folders.

You can then either map a virtual directory with a different security policy to that new folder. Or if you want to give indirect access to those files you need a page that will then allow them to download or display the contents if needed.

For the upload folder you should be able to map folders in code that aren't part of the website and have the code upload to them.

Upvotes: 0
