[OWASP_PHPSEC] Secure PHP Static HTTP Response Handling Library (aka File Downloader)

rahul chaudhary rahul300chaudhary400 at gmail.com
Mon Jun 24 15:38:40 UTC 2013


Can you explain in a paragraph how:
1) you have handled this problem?
2) the flow of the code is?

Then it would be much easier for me to understand the code.


On Mon, Jun 24, 2013 at 11:31 AM, Abbas Naderi <abiusx at owasp.org> wrote:

> Yes, there is a downloader module in the core libraries. That is exactly
> what we need, but with a much better interface and functionality, i.e. I
> have put everything for that module in one function; having them separated
> by concepts is a must.
> -Abbas
> On Tir 3, 1392, at 7:59 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> Is this functionality implemented in jFramework? If yes, where?
>
>
>    1. *Secure PHP Static HTTP Response Handling Library (aka File Downloader)*
>
> Currently web servers are largely dependent on “security by obscurity”.
> They feed their clients with static files by generating a large random
> number for that file, in the hope that as long as the hackers are unable to
> find the long random number, their files are safe. However, OWASP has pointed
> out that users who can save a particular location/URL of a file can also
> access the file afterwards, because they now know the random number and the
> file location is static. This operation should be handled by the
> application and not the web server; otherwise no access control check,
> bandwidth enforcement or other similar necessity can be performed at
> this point (a common flaw in many applications).
> (*Fig1:* File location for 1st try)
>
> (*Fig2:* File location for 2nd try)
>
> As we can see, in both attempts the same random number is
> used for this file, which might be dangerous. Our library implementation
> will handle this. Also, functions such as “resume download” used by
> download managers are directly affected by the way these functions are
> implemented. Proper implementation of this feature is of vital importance;
> otherwise download managers and old browsers will be unable to use the
> application properly.
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>  _______________________________________________
> OWASP_PHP_Security_Project mailing list
> OWASP_PHP_Security_Project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
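The quoted proposal above argues that file delivery should go through the application so that an access-control check runs on every request, and that "resume download" (the HTTP Range header) must be handled correctly for download managers and older browsers. The following is an added illustration of that design, not code from jFramework or the OWASP PHPSEC project; the class name `Downloader`, the `private_files` directory, the `file` query parameter and the session-based authorization closure are assumptions chosen for the example.

```php
<?php
// Added example (not jFramework / OWASP PHPSEC code). Requires PHP 8+ for union
// return types. An application-mediated download endpoint: every request passes
// an authorization callback, the file is resolved inside a directory outside the
// web root (so the URL contains no guessable static path), and RFC 7233 byte
// ranges are honoured so download managers can resume.

class Downloader
{
    private string $storageDir;

    public function __construct(string $storageDir)
    {
        $real = realpath($storageDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("storage directory not found: $storageDir");
        }
        $this->storageDir = $real;
    }

    /** Map a user-supplied name to a regular file under the storage directory; null if it escapes. */
    public function resolve(string $name): ?string
    {
        $path = realpath($this->storageDir . DIRECTORY_SEPARATOR . $name);
        if ($path === false
            || strpos($path, $this->storageDir . DIRECTORY_SEPARATOR) !== 0
            || !is_file($path)) {
            return null;   // traversal, symlink escape, or not a file
        }
        return $path;
    }

    /**
     * Parse "Range: bytes=start-end" (also "start-" and "-suffix") against the file size.
     * null  -> no usable Range header, send the whole file (malformed headers are ignored per RFC 7233 §3.1)
     * false -> syntactically valid but unsatisfiable, answer 416
     * array -> [firstByte, lastByte], both inclusive
     */
    public static function parseRange(?string $header, int $size): array|false|null
    {
        if ($header === null || !preg_match('/^bytes=(\d*)-(\d*)$/', trim($header), $m)) {
            return null;
        }
        [, $first, $last] = $m;
        if ($first === '' && $last === '') {
            return null;
        }
        if ($first === '') {                       // suffix range: the last N bytes
            $len = min((int) $last, $size);
            return $len === 0 ? false : [$size - $len, $size - 1];
        }
        $start = (int) $first;
        $end   = ($last === '') ? $size - 1 : min((int) $last, $size - 1);
        return ($start >= $size || $start > $end) ? false : [$start, $end];
    }

    /** Authorize, then stream the file (or the requested byte range) in chunks. */
    public function send(string $path, callable $isAuthorized): void
    {
        if (!$isAuthorized($path)) {               // the access-control check lives in the application
            http_response_code(403);
            return;
        }
        $size = filesize($path);
        header('Accept-Ranges: bytes');
        header('Content-Type: application/octet-stream');
        header('X-Content-Type-Options: nosniff');
        header('Cache-Control: private, no-store');
        header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');

        $range = self::parseRange($_SERVER['HTTP_RANGE'] ?? null, $size);
        if ($range === false) {
            http_response_code(416);
            header("Content-Range: bytes */$size");
            return;
        }
        [$start, $end] = $range ?? [0, $size - 1];
        if ($range !== null) {
            http_response_code(206);
            header("Content-Range: bytes $start-$end/$size");
        }
        header('Content-Length: ' . ($end - $start + 1));
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'HEAD') {
            return;
        }
        $fh = fopen($path, 'rb');
        fseek($fh, $start);
        $remaining = $end - $start + 1;
        while ($remaining > 0 && ($chunk = fread($fh, min(8192, $remaining))) !== false && $chunk !== '') {
            echo $chunk;                           // chunked streaming: bandwidth limits could be applied per loop
            $remaining -= strlen($chunk);
            flush();
        }
        fclose($fh);
    }
}

// Usage (assumed endpoint): /download.php?file=report.pdf
session_start();
$dl   = new Downloader(__DIR__ . '/private_files');       // assumed directory outside the web root
$path = $dl->resolve((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
$dl->send($path, function (string $p): bool {
    // Assumed policy: only logged-in users; a real application checks per-file permissions here.
    return isset($_SESSION['user_id']);
});
```

Two points the quoted text raises are visible in the code: the URL never encodes a static, reusable location (the name is resolved server-side and rejected if it escapes the storage directory), and the authorization closure runs before any bytes are sent, so saving the link does not bypass the check. The `parseRange` method separates "no range" (send everything) from "unsatisfiable range" (416), which is the distinction that makes resumed downloads work for download managers while still answering older clients that send no Range header with a plain 200.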