My files are accessible through the domain name; I have a URL similar to the one given below which makes my files accessible.
URL:
https://www.DomainName/ParentFolder/SubFolder/File.doc
I have checked the permissions on ParentFolder and SubFolder; only a few people have access to those folders, but I am concerned about why those files are accessible to other people as well. Please advise.
Furthermore, I am using an ASP.NET (Web Forms) application, so is there any configuration required in the web.config file to remove that vulnerability, because this URL does not hit any page in my source code? Thanks.
If you don't want the file to be publicly accessible, don't put it in a public location.
only a few people have access to those folders
Is the web server something that has access to it? If so, then anybody on the internet has access to it. Because they all access it through the web server.
Furthermore, I am using an ASP.NET (Web Forms) application, so is there any configuration required in the web.config file to remove that vulnerability, because this URL does not hit any page in my source code?
Well, yes and no. If you want your ASP.NET application to control access to the file, then you want to remove the file from its public location and put it somewhere that the application can access it but the public cannot. Then you can use the application to control access to it.
Remove the file from its public location and put it somewhere outside of the web server's directory structure. Just some other location on the server. Then create an HTTP Handler (.ashx) or even a page if you want (.aspx), though a handler is generally preferred for this as a page would involve unnecessary overhead, and use that handler/page to serve the file through code.
The code itself could be as simple as:
// Inside an IHttpHandler's ProcessRequest(HttpContext context):
context.Response.Clear();
context.Response.ContentType = "application/msword"; // MIME type matching the .doc being served
context.Response.AddHeader("Content-Disposition", "attachment; filename=File.doc");
// Verbatim string (@) so the backslashes are not treated as C# escape sequences
context.Response.TransmitFile(@"C:\Some\Path\To\File.doc"); // a path outside the web root
context.Response.End();
You could have a single handler return any file that's specified with, say, a query string parameter. Though be careful to validate the request for the file so users can't just download any file from your entire file system. But of course, validating the request is exactly what you're asking about anyway.
This way you can use the authentication/authorization mechanisms in your web application to validate the user and the request before returning the file. Essentially the ASP.NET application becomes a kind of barrier between the user and the file.
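A fuller version of that handler, as an added example rather than the answer's own code, combining the authorization check and the request validation the answer describes; the "PrivateFilesPath" setting, the "FileReaders" role and the /Download.ashx mapping are assumed names:

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web;
// Assumed: the private folder is set in web.config appSettings as "PrivateFilesPath"
// (e.g. C:\PrivateFiles) and this handler is mapped to /Download.ashx?name=File.doc
public class SecureDownloadHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        // 1. Authenticate and authorize before anything touches the disk.
        if (!context.Request.IsAuthenticated || !context.User.IsInRole("FileReaders"))
        {
            context.Response.StatusCode = 403;
            context.Response.End();
            return;
        }
        string privateRoot = Path.GetFullPath(ConfigurationManager.AppSettings["PrivateFilesPath"]);
        if (!privateRoot.EndsWith(Path.DirectorySeparatorChar.ToString()))
            privateRoot += Path.DirectorySeparatorChar;
        // 2. Accept only a bare file name: no directory parts, no invalid characters.
        string requested = context.Request.QueryString["name"] ?? string.Empty;
        if (requested.Length == 0 || requested != Path.GetFileName(requested)
            || requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            context.Response.StatusCode = 400;
            context.Response.End();
            return;
        }
        // 3. Canonicalize and confirm the result is still inside the private root.
        string fullPath = Path.GetFullPath(Path.Combine(privateRoot, requested));
        if (!fullPath.StartsWith(privateRoot, StringComparison.OrdinalIgnoreCase) || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            context.Response.End();
            return;
        }
        // 4. Serve the file from code; the folder itself is never exposed by the web server.
        context.Response.Clear();
        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + requested + "\"");
        context.Response.TransmitFile(fullPath);
        context.Response.End();
    }
    public bool IsReusable { get { return true; } }
}
```

The handler keeps no per-request state, so IsReusable can return true; the canonical-path check in step 3 is what stops a request from escaping the private folder even if step 2 were loosened later.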