[OWASP_PHPSEC] Secure PHP Static HTTP Response Handling Library (aka File Downloader)

Abbas Naderi abiusx at owasp.org
Mon Jun 24 15:31:13 UTC 2013


Yes, there is a downloader module in the core libraries. That is exactly what we need, but with a much better interface and functionality, i.e. I have put everything for that module in one function; having them separated by concepts is a must.
-Abbas
On Tir 3, 1392, at 7:59 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com> wrote:

> Is this functionality implemented in jFramework? If yes, where?
> 
> Secure PHP Static HTTP Response Handling Library (aka File Downloader)
> Currently web servers are largely dependent on “security by obscurity”. They feed their clients with static files by generating a large random number for that file in hopes that until the hackers are unable to find the long random number, their files are safe. However OWASP has pointed out that for users who can save a particular location/URL of file can also access the file afterwards because they now know the random numbers and the file location is static. This operation should be handled by the application and not the web server, otherwise no access control check, bandwidth enforcement and other similar necessity could be performed at this point (a common flaw in many applications).
> (Fig1: File location for 1st try)
> 
> (Fig2: File location for 2nd try)
> 
> As we can see, in both attempts the same random number is used for this file, which might be dangerous. Our library implementation will handle this. Also, functions such as "resume download" used by download managers are directly affected by the way these functions are implemented. Proper implementation of this feature is of vital importance; otherwise download managers and old browsers will be unable to use the application properly.
> 
> -- 
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
> _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
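The quoted post asks for downloads to pass through the application so that access control, bandwidth limits and resume (HTTP Range) are enforced there rather than by an unguessable URL. The following is an added example written for this thread, not jFramework or OWASP PHPSEC code; the file path is resolved by the caller from a non-user-controlled map, and `$userCanRead` is a hypothetical access-control callback.

```php
<?php
declare(strict_types=1);

/** Parse "bytes=START-END" for a file of $size bytes into [start, end]; null if unsatisfiable. */
function parseRange(?string $header, int $size): ?array
{
    if ($header === null) {
        return [0, $size - 1];                       // no Range header: whole file
    }
    if (!preg_match('/^bytes=(\d*)-(\d*)$/', $header, $m) || ($m[1] === '' && $m[2] === '')) {
        return null;
    }
    if ($m[1] === '') {                              // suffix range "bytes=-N": last N bytes
        $start = max(0, $size - (int)$m[2]);
        $end   = $size - 1;
    } else {
        $start = (int)$m[1];
        $end   = $m[2] === '' ? $size - 1 : min((int)$m[2], $size - 1);
    }
    return ($start > $end || $start >= $size) ? null : [$start, $end];
}

/** Stream $path to the client, honouring Range and capping throughput at $bytesPerSecond. */
function sendFile(string $path, string $downloadName, int $bytesPerSecond, callable $userCanRead): void
{
    if (!$userCanRead($path)) {                      // access control on every request, not just the first
        http_response_code(403);
        exit;
    }
    $size  = filesize($path);
    $range = parseRange($_SERVER['HTTP_RANGE'] ?? null, $size);
    if ($range === null) {                           // invalid range: tell the client the real size
        http_response_code(416);
        header("Content-Range: bytes */$size");
        exit;
    }
    [$start, $end] = $range;
    http_response_code(isset($_SERVER['HTTP_RANGE']) ? 206 : 200);
    header('Accept-Ranges: bytes');                  // lets download managers resume
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . ($end - $start + 1));
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($downloadName)) . '"');
    if ($start > 0 || $end < $size - 1) {
        header("Content-Range: bytes $start-$end/$size");
    }
    $fh = fopen($path, 'rb');
    fseek($fh, $start);
    for ($left = $end - $start + 1; $left > 0 && !connection_aborted(); $left -= strlen($chunk)) {
        $chunk = fread($fh, min(8192, $left));
        echo $chunk;
        flush();
        usleep((int)(strlen($chunk) / $bytesPerSecond * 1e6));   // crude per-connection bandwidth cap
    }
    fclose($fh);
}
```

A caller would invoke `sendFile('/srv/app/files/report.pdf', 'report.pdf', 256 * 1024, $acl)` after mapping a request parameter to that path itself, so the URL never carries a filesystem location.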
