Solved

ASP IIS directory protect

Posted on 2013-01-22
Last Modified: 2013-02-13
I have these 2 files, the first called lector.asp:

<style type="text/css">
<!--
.Estilo1 {font-family: Arial, Helvetica, sans-serif}
-->
</style>
<span class="Estilo1">Selectcourse:</span><br />
<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.QueryString("testcn")
testcourse=Request.QueryString("testcourse")


if testcn<>"checado" then response.redirect "error.html"


directorio_protegido= "C:\inetpub\wwwroot\proteccion\"


'response.redirect "lector2.asp?testcn=checado&testcourse="& testcourse& "/runfile.html"
%>

<body onLoad="javascript:document.SSLForm.submit();" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" rightmargin="0"> 

<form name="SSLForm" method="POST" action="lector2.asp">
    
<input type="hidden" name="testcn" value="checado">
     
<input type="hidden" name="testcourse" value="<%= testcourse %>">



</form>  

</body>



The second is called lector2.asp:

<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.Form("testcn")
testcourse=Request.Form("testcourse") & "/runfile.html"


if testcn<>"checado" then response.redirect "error.html"

 

url_protegido = "http://" & Request.ServerVariables("HTTP_HOST") & "/proteccion/" & testcourse







Dim xml, bData, strWmaUrl, rhead1, rhead2


Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP")
xml.Open "GET", url_protegido, False
xml.Send()

bData = xml.ResponseBody
rhead1 = xml.getResponseHeader("Content-Length")
rhead2 = xml.getResponseHeader("Accept-Ranges")
Set xml = Nothing


termina = LCASE(right(url_protegido,3))



select case termina
       case "gif"
           Response.contentType ="image/gif"
       case "jpg"
           Response.contentType ="image/jpeg"
       case "peg"
           Response.contentType ="image/jpeg"
       case "png"
           Response.contentType ="image/png"
       case "bmp"
           Response.contentType ="image/bmp"
       case "xls"
           Response.contentType ="application/x-excel"
       case "ptx"
           Response.contentType ="application/ms-powerpoint"
       case "zip"
           Response.contentType ="application/zip"
       case "php"
           Response.contentType ="application/x-httpd-php"
       case "zip"
           Response.contentType ="application/zip"

       case "pdf"
          Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".pdf"
           Response.contentType ="application/pdf"

       case "tml"
           Response.contentType ="text/html"  
       case "htm"
           Response.contentType ="text/html"  
       case "doc"
           Response.contentType ="application/msword"
       case "ocx"
           Response.contentType ="application/msword"
       case "mp3"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".mp3"
       case "wma"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".WMA"
       case else
           Response.contentType ="text/html; charset=iso-8859-1" 
End Select



Response.AddHeader "Content-Length", rhead1
Response.AddHeader "Accept-Ranges", rhead2


Response.BinaryWrite(bData)


%>



Then we can make many subdirs in the same route. For example, let's create a subdir course1 in the same route as those 2 files; inside that dir there will be an HTML page, the main launcher, called runfile.html.
Now launch the first link like this (supposing we are on local, which is no problem; it just needs to be inside IIS):
http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

As you can see, the HTTP link has the same name in the variable testcourse as the dir name we made. What the program does when we launch that link is go to the dir we made, course1, and run the file runfile.html. All OK, it is working perfectly, but I want to block access from this link, for example:

http://127.0.0.1/proteccion/course1/runfile.html

With this last link the user can do the same as with the first link: enter course1 and see the file runfile.html. I want to block access if the user enters via the second link; to see course1, the file runfile.html must be called from the first, in other words:

http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

This link should be the only way to enter and see that. How can I do that to protect the script you are looking at in the 2 files?

I don't know if we can do it via IIS or maybe a script. I hope someone can help, because the script is very important and we need to prevent users from seeing the content by launching it in other ways.
Thank you
0
Question by:coerrace
4 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 38865879
I think I hear what you are trying to do here, so here is a suggestion:


1. You can do this via JavaScript:
if (document.referrer != "") {
   var referringURL = document.referrer;
   var local = referringURL.substring(referringURL.indexOf("?"), referringURL.length);
   location.href = "http://page.com/login" + local; 
}



(problem here is the client needs to have JS enabled)

2. You can design your app in such a way as to have only one way to get to
http://127.0.0.1/proteccion/course1/runfile.html in each directory.
Simply have a landing page the user has to click from to get to runfile.htm and have your ASP code check for the HTTP referrer - if the referrer is the landing page then they can load the page, if it is not then redirect them to another page.
0
 

Author Comment

by:coerrace
ID: 38866254
In what part do I need to put your code?
Thank you
0
 
LVL 29

Accepted Solution

by:
becraig earned 2000 total points
ID: 38866276
I found an ASP solution for you:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request.ServerVariables("HTTP_REFERER") <> "http://www.somesite.com/page.aspx" Then
            'redirect to error page
        Else
            'allow page to process
        End If
End Sub  



Reposted from:
http://forums.asp.net/t/1240920.aspx
0
 

Author Closing Comment

by:coerrace
ID: 38886288
It is working, thank you for the link.
0
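
An added example, not part of any post in this thread: a variant of lector2.asp that reads runfile.html from disk, assuming the course folders are moved to a directory outside the web root (the path C:\inetpub\cursos_privados\ and the Rechazar helper are hypothetical names chosen for this example). Because nothing under that directory has a URL, the script is the only route to the content, and the check does not depend on the Referer header, which is supplied by the browser.

```asp
<%
Option Explicit
Response.Buffer = True

' Added example, not the poster's code.
' Assumption: the course folders were moved to this hypothetical directory,
' which is outside wwwroot, so no URL maps to them directly.
Const CARPETA_PRIVADA = "C:\inetpub\cursos_privados\"
Const adTypeBinary = 1

Dim testcn, testcourse, re, fso, ruta, stm

' Hypothetical helper: send the visitor to the error page and stop.
Sub Rechazar()
    Response.Redirect "error.html"
    Response.End
End Sub

testcn = Request.Form("testcn")
testcourse = Request.Form("testcourse")

' Same gate as the original lector2.asp.
If testcn <> "checado" Then Rechazar

' Accept only a plain folder name so the value cannot contain
' "..", "\" or "/" and point outside the course directory.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}$"
If Not re.Test(testcourse) Then Rechazar

ruta = CARPETA_PRIVADA & testcourse & "\runfile.html"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(ruta) Then Rechazar

' Read the page as bytes from disk instead of requesting it over HTTP.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile ruta
Response.ContentType = "text/html"
If stm.Size > 0 Then Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
%>
```

The IIS application pool identity needs read permission on the private directory, and lector.asp can stay as posted since it only forwards testcn and testcourse.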
