Solved

ASP IIS directory protect

Posted on 2013-01-22
Last Modified: 2013-02-13
I have these 2 files, the first called lector.asp:

<style type="text/css">
<!--
.Estilo1 {font-family: Arial, Helvetica, sans-serif}
-->
</style>
<span class="Estilo1">Selectcourse:</span><br />
<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.QueryString("testcn")
testcourse=Request.QueryString("testcourse")


if testcn<>"checado" then response.redirect "error.html"


directorio_protegido= "C:\inetpub\wwwroot\proteccion\"


'response.redirect "lector2.asp?testcn=checado&testcourse="& testcourse& "/runfile.html"
%>

<body onLoad="javascript:document.SSLForm.submit();" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" rightmargin="0"> 

<form name="SSLForm" method="POST" action="lector2.asp">
    
<input type="hidden" name="testcn" value="checado">
     
<input type="hidden" name="testcourse" value="<%= Server.HTMLEncode(testcourse) %>">



</form>  

</body>



The second, called lector2.asp:

<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.Form("testcn")
testcourse=Request.Form("testcourse") & "/runfile.html"


if testcn<>"checado" then response.redirect "error.html"

 

url_protegido = "http://" & Request.ServerVariables("HTTP_HOST") & "/proteccion/" & testcourse







Dim xml, bData, strWmaUrl, rhead1, rhead2


Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP")
xml.Open "GET", url_protegido, False
xml.Send()

bData = xml.ResponseBody
rhead1 = xml.getResponseHeader("Content-Length")
rhead2 = xml.getResponseHeader("Accept-Ranges")
Set xml = Nothing


termina = LCASE(right(url_protegido,3))



select case termina
       case "gif"
           Response.contentType ="image/gif"
       case "jpg"
           Response.contentType ="image/jpeg"
       case "peg"
           Response.contentType ="image/jpeg"
       case "png"
           Response.contentType ="image/png"
       case "bmp"
           Response.contentType ="image/bmp"
       case "xls"
           Response.contentType ="application/x-excel"
       case "ptx"
           Response.contentType ="application/ms-powerpoint"
       case "zip"
           Response.contentType ="application/zip"
       case "php"
           Response.contentType ="application/x-httpd-php"
       case "pdf"
          Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".pdf"
           Response.contentType ="application/pdf"

       case "tml"
           Response.contentType ="text/html"  
       case "htm"
           Response.contentType ="text/html"  
       case "doc"
           Response.contentType ="application/msword"
       case "ocx"
           Response.contentType ="application/msword"
       case "mp3"
           ' MP3 files are audio/mpeg, not audio/x-ms-wma
           Response.contentType ="audio/mpeg"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".mp3"
       case "wma"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".WMA"
       case else
           Response.contentType ="text/html; charset=iso-8859-1" 
End Select



Response.AddHeader "Content-Length", rhead1
Response.AddHeader "Accept-Ranges", rhead2


Response.BinaryWrite(bData)


%>



Then we can make many subdirs in the same route. For example, let's create a subdir course1 in the same route as those 2 files; inside that dir there will be an HTML page, the main launcher, called runfile.html.
Now if you launch the first link like this, supposing we are on local (no problem, it just needs to be inside IIS):
http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

Now, as you can see, the HTTP link has the same name in the variable testcourse as the dir name we made. What the program does when we launch that link is go to the dir we made, course1, and run the file runfile.html. All OK, it is working perfectly, but I want to block access from this link, for example:

http://127.0.0.1/proteccion/course1/runfile.html

With this last link, the user can do the same as with the first link: enter course1 and see the file runfile.html. I want to block access if the user enters via the second link; course1 and the file runfile.html must only be called from the first, in other words:

http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

This link should be the only way to get in and see that. How can I do that, to protect the script you are looking at in the 2 files?

I don't know if we can do it via IIS or maybe with a script. I hope someone can help, because the script is very important and we need to prevent users from seeing the content in case they launch it in other ways.
Thank you
Question by:coerrace

Expert Comment

by:becraig
ID: 38865879
I think I hear what you are trying to do here, so here is a suggestion:


1. You can do this via JavaScript:
if (document.referrer != "") {
   var referringURL = document.referrer;
   var local = referringURL.substring(referringURL.indexOf("?"), referringURL.length);
   location.href = "http://page.com/login" + local; 
}



(problem here is the client needs to have JS enabled)

2. You can design your app in such a way as to have only one way to get to
http://127.0.0.1/proteccion/course1/runfile.html in each directory.
Simply have a landing page the user has to click from to get to runfile.htm and have your asp code check for http referrer -  if the referrer is the landing page then they can load the page, if it is not then redirect them to another page.

Author Comment

by:coerrace
ID: 38866254
In what part do I need to put your code?
Thank you

Accepted Solution

by:becraig
ID: 38866276
I found an asp solution for you:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request.ServerVariables("HTTP_REFERER") <> "http://www.somesite.com/page.aspx" Then
            'redirect to error page
        Else
            'allow page to process
        End If
End Sub  



Reposted from:
http://forums.asp.net/t/1240920.aspx

Author Closing Comment

by:coerrace
ID: 38886288
It is working, thank you for the link.
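
Both checks used in this thread, the fixed testcn=checado value and HTTP_REFERER, are sent by the browser, and /proteccion/course1/runfile.html stays reachable for as long as IIS serves that folder. As an added example that is not part of the original thread: a variant of lector2.asp that keeps the course folders outside the web root, gates on a server-side session flag, validates testcourse, and reads the file from disk instead of over HTTP. The folder C:\inetpub\cursos_privados\ and the Session("autorizado") flag are hypothetical names assumed here.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
Response.Buffer = True

' Assumption: the course folders were moved out of wwwroot, so IIS has no
' URL that maps to them. This path is hypothetical.
Const PROTECTED_ROOT = "C:\inetpub\cursos_privados\"

Dim testcourse, re, fso, ruta, stream

' Assumption: a login page (not shown) sets Session("autorizado") = True.
' Unlike testcn or HTTP_REFERER, the browser cannot set this value itself.
If Session("autorizado") <> True Then
    Response.Redirect "error.html"
End If

testcourse = Request.Form("testcourse")

' Accept only a plain folder name: no "..", slashes, dots or drive letters,
' so the value cannot point outside PROTECTED_ROOT.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,40}$"
If Not re.Test(testcourse) Then
    Response.Redirect "error.html"
End If

ruta = PROTECTED_ROOT & testcourse & "\runfile.html"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(ruta) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' Read the launcher from disk; no HTTP request to the server is needed,
' so the folder never has to be published by IIS.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1   ' adTypeBinary
stream.Open
stream.LoadFromFile ruta

Response.ContentType = "text/html"
Response.BinaryWrite stream.Read
stream.Close
Set stream = Nothing
Set fso = Nothing
%>
```

Images, scripts or other files that runfile.html links to would need to be served through the same kind of checked handler, since the folder is no longer addressable by URL.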
Question has a verified solution.
