Solved

ASP IIS directory protect

Posted on 2013-01-22
Last Modified: 2013-02-13
I have these 2 files, the first called lector.asp:

<style type="text/css">
<!--
.Estilo1 {font-family: Arial, Helvetica, sans-serif}
-->
</style>
<span class="Estilo1">Selectcourse:</span><br />
<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.QueryString("testcn")
testcourse=Request.QueryString("testcourse")


if testcn<>"checado" then response.redirect "error.html"


directorio_protegido= "C:\inetpub\wwwroot\proteccion\"


'response.redirect "lector2.asp?testcn=checado&testcourse="& testcourse& "/runfile.html"
%>

<body onLoad="javascript:document.SSLForm.submit();" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" rightmargin="0"> 

<form name="SSLForm" method="POST" action="lector2.asp">
    
<input type="hidden" name="testcn" value="checado">
     
<input type="hidden" name="testcourse" value="<%= Server.HTMLEncode(testcourse) %>">



</form>  

</body>


Second called lector2.asp:

<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.Form("testcn")
testcourse=Request.Form("testcourse") & "/runfile.html"


if testcn<>"checado" then response.redirect "error.html"

 

url_protegido = "http://" & Request.ServerVariables("HTTP_HOST") & "/proteccion/" & testcourse







Dim xml, bData, strWmaUrl, rhead1, rhead2


Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP")
xml.Open "GET", url_protegido, False
xml.Send()

bData = xml.ResponseBody
rhead1 = xml.getResponseHeader("Content-Length")
rhead2 = xml.getResponseHeader("Accept-Ranges")
Set xml = Nothing


termina = LCASE(right(url_protegido,3))



select case termina
       case "gif"
           Response.contentType ="image/gif"
       case "jpg"
           Response.contentType ="image/jpeg"
       case "peg"
           Response.contentType ="image/jpeg"
       case "png"
           Response.contentType ="image/png"
       case "bmp"
           Response.contentType ="image/bmp"
       case "xls"
           Response.contentType ="application/x-excel"
       case "ptx"
           Response.contentType ="application/ms-powerpoint"
       case "zip"
           Response.contentType ="application/zip"
       case "php"
           Response.contentType ="application/x-httpd-php"

       case "pdf"
          Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".pdf"
           Response.contentType ="application/pdf"

       case "tml"
           Response.contentType ="text/html"  
       case "htm"
           Response.contentType ="text/html"  
       case "doc"
           Response.contentType ="application/msword"
       case "ocx"
           Response.contentType ="application/msword"
       case "mp3"
           Response.contentType ="audio/mpeg"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".mp3"
       case "wma"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".WMA"
       case else
           Response.contentType ="text/html; charset=iso-8859-1" 
End Select



Response.AddHeader "Content-Length", rhead1
Response.AddHeader "Accept-Ranges", rhead2


Response.BinaryWrite(bData)


%>


Then we can make many subdirs in the same route. For example, let's create a subdir course1 in the same route as those 2 files; inside that dir there will be an HTML page with the main launcher, called runfile.html.
Now if you launch the first link like this, supposing we are on local (no problem with that, it just needs to be inside IIS):
http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

Now, as you can see, the HTTP link has the same name in the variable testcourse as the dir name we made. What the program does when we launch that link is go to the dir we made, course1, and run the file runfile.html. All OK, it is working perfectly, but I want to block access from this link, for example:

http://127.0.0.1/proteccion/course1/runfile.html

With this last link, the user can do the same as with the first link: enter course1 and see the file runfile.html. I want to block access if the user enters via the second link; course1 and the file runfile.html must only be reachable when called from the first, in other words:

http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

This link should be the only way to get in and see that. How can I do that to protect the script you are looking at in the 2 files?

I don't know if we can do it via IIS or maybe a script. I hope someone can help, because the script is very important and we need to prevent users from seeing the content if they launch it in other ways.
Thank you
Question by:coerrace
4 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 38865879
I think I hear what you are trying to do here, so here is a suggestion:


1. You can do this via JavaScript:
if (document.referrer != "") {
   var referringURL = document.referrer;
   var local = referringURL.substring(referringURL.indexOf("?"), referringURL.length);
   location.href = "http://page.com/login" + local; 
}


(problem here is the client needs to have JS enabled)

2. You can design your app in such a way as to have only one way to get to
http://127.0.0.1/proteccion/course1/runfile.html in each directory.
Simply have a landing page the user has to click from to get to runfile.htm and have your ASP code check for the HTTP referrer: if the referrer is the landing page then they can load the page; if it is not, then redirect them to another page.
0
 

Author Comment

by:coerrace
ID: 38866254
In what part do I need to put your code?
Thank you
0
 
LVL 28

Accepted Solution

by:becraig
ID: 38866276
I found an asp solution for you:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request.ServerVariables("HTTP_REFERER") <> "http://www.somesite.com/page.aspx" Then
            'redirect to error page
        Else
            'allow page to process
        End If
End Sub  


Reposted from:
http://forums.asp.net/t/1240920.aspx
0
 

Author Closing Comment

by:coerrace
ID: 38886288
It is working, thank you for the link.
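
Added example, not code from the thread or its participants: the Referer header is sent by the browser and can carry any value, so the version of lector2.asp below instead reads runfile.html from disk and validates the course name. It assumes the course folders have been moved to a hypothetical folder outside the web root (`C:\inetpub\cursos_privados\`), so the direct URL no longer maps to a file; that path and the 64-character limit are assumptions.

```asp
<%
Option Explicit
Response.Buffer = True

' Assumption: hypothetical folder outside the web root that now holds
' course1, course2, ... No URL maps to it, so only this script can serve it.
Const PRIVATE_ROOT = "C:\inetpub\cursos_privados\"

Dim testcn, testcourse, re, fso, ruta, stream

testcn = Request.Form("testcn")
testcourse = Request.Form("testcourse")

' Kept as on the page. "checado" is a constant any visitor can send,
' so it marks the entry path but is not a check of who the user is.
If testcn <> "checado" Then Response.Redirect "error.html"

' Accept only a plain folder name. This rejects "..", "/", "\", ":"
' and empty values, so the path below cannot leave PRIVATE_ROOT.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}$"
If Not re.Test(testcourse) Then Response.Redirect "error.html"
Set re = Nothing

ruta = PRIVATE_ROOT & testcourse & "\runfile.html"

' Unknown course names end at the error page instead of a server error.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(ruta) Then Response.Redirect "error.html"
Set fso = Nothing

' Read the file from disk; no HTTP request back to the same server is
' made, so the content does not need a public URL at all.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1 ' adTypeBinary
stream.Open
stream.LoadFromFile ruta

Response.ContentType = "text/html"
Response.BinaryWrite stream.Read

stream.Close
Set stream = Nothing
%>
```

Images, scripts or other files that runfile.html references by relative path would also have to be served through a script like this one, since their folder is no longer reachable by URL.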