security suggestion

[mail2272]

Hello,

can You please add an .htaccess file in the "files" folder as default in the script package ?
I know we can add it later, but it would be nice to have it as a part of the security.

This will disable direct download by using the url: http://ourdomain.com/files/somefile.zip etc....

I am aware that uploaded files have an "hashed" name which is difficult to guess,
but anyway it`s better to disable the direct file download.

the content of that .htaccess code is:

Order deny,allow
Deny from all

I know that we can also change the file location and use a location outside of the site root, but why bother
when we can just use the files folder and be secure at the same time ..

Thank You

 

[ysmods]

You can also rename the /files/ directory and edit the following line in _config.inc.php

define("_CONFIG_FILE_STORAGE_PATH",     _CONFIG_SCRIPT_ROOT . '/files/');

Making the folder something totally random such as /4jtsf85gu90gu9op9guj953/ will make it even more difficult

 

[mail2272]

Making the folder something totally random such as /4jtsf85gu90gu9op9guj953/ will make it even more difficult

Actually not, because I saw couple "scanners" that could scan the entire web site root and all of it`s folders...
Cannot remember the name of these scanners but I saw it.. so it is possible to find out the folder name,
regardless of which name you choose, that`s why I mentioned the .htaccess apache protection...

Or choose an location outside of the web site root...

Take for example google index engine (robots) they are scanning entire web site root...
I know that we can protect the web page from google and other search engines by creating a robots.txt or even trough .htaccess, but my point was that web site CAN be scanned very easy..

So protect the "files" folder with an htaccess or move the files outside of the root...

I also asked Adam to add a "password" protection for the files, so we can set a password for uploaded file or even set the password at the same time we add an file for upload...

It would be also good idea in addition to password protection add a FILE id protection as well, so when users
will download a protected file, they have to know the password AND the random FileID as well..
this is just for extra security....

And use SSL of course ...

If you ask me, it is NOT enough to just share the files we need an option to share it securely as well...

 

[ysmods]

Fair point.

I personally use the .htaccess & robots.txt methods, plus I force the use of SSL via .htaccess.

I do like the password protection on the files idea, should be a handy feature if it gets added.

 

[mail2272]

Password file protection will be added, Adam agreed with it...
There is a lot of companies out there who will only share the files if the site uses the SSL and
file protections...

I will install this script and put it in the production after Adam implements the password protection,
but before I release it officially I will lock it down with .htaccess files, protect the admin login page etc...

I have also suggested the one-time-password for user login at least as an option in the Admin settings for those
who will use this feature, it protects against brute-force-attack ..

 

[ysmods]

A captcha on the login page would also protect against brute force attacks.

And increasing the default password length in the createPassword () function would increase security.
Currently it defaults to 7 alphanumeric characters, increasing that to 12 and including symbols would increase it even more.
As would adding a password salt. (I have requested this previously).

 

[mail2272]

yes a captcha code does the same, I agree, but using captcha I think that script depends on google services if I am not wrong ? one-time-password is more internal function integrated in the script it self in script own database table ...

that`s why I mentioned it... I do not like to depend on external services when running a script..

 

[ysmods]

Or keep the password the same for each login, and use a one time login key which gets emailed to the user each time they log out

Maybe make it a choice for the admin to decide which method to use?

Have a setting in the site config to use:
reCaptcha - least secure as it has been cracked and can be stupidly difficult and annoying to read
One time passwords - secure as each password expires after one use
One tine login key - secure as it changes each time a use logs out.
Other captcha (such as solvemedia or keyCAPTCHA) - 2nd most secure due to these not being cracked yet, but password is not changed each time the use logs in.
Maybe a 4th using an in-build custom captcha class.