eZ Community » Forums » General » Download Security Issue

Download Security Issue

Monday 01 October 2012 4:06:32 pm - 2 replies

Hi All --

I have a public site www.mydomain.com and 2 additional sites setup as:

site1.mydomain.com

site2.mydomain.com

The main site is public and the other 2 require authentication. I have noticed that if I have the full direct download link (/content/download/etc..) for a file on site1 or site2, I can access it from www.mydomain.com WITHOUT logging in.

For instance:

http://site1.mydomain.com/content/download/otherinfo/test.pdf

this can be accessed going to:

http://www.mydomain.com/content/download/otherinfo/test.pdf

Any help would be much appreciated.

Thanks!

Monday 01 October 2012 5:49:14 pm

Hi Chris!

What kind of authentication is used for the other 2 sites? The standard eZ Publish auth mechanism, htpasswd or something else?

Did you specify correct permissions for subtrees which are not supposed to be read by public? This involves adding the subtree that requires authentication to a section other than standard, and making sure that authenticated users can read the new section.

Tuesday 02 October 2012 9:01:57 am

Hi Chris,

You have one eZ installation with one DB and different subsites on this DB.

Ok.

site1 has content in subtree site1 and is accessed by siteaccess1

site2 has content in subtree site2 and is accessed by siteaccess2

You don't want content from site2 to be accessible from site1 if you know the system URL.

You have to define for each site an anonymous user and assign the role only to the affected subtree.

For site1 you define anonymous user1 with the role anonymous assigned by subtree site1. The ID of anonymous user1 you have to set in site.ini.append.php of siteaccess1. The same for site2 ...

[UserSettings]
# The ID of the anonymous user, this user will
# be used for everyone who is not logged in.
AnonymousUserID=10

Then you can only access nodes in the affected subtree.

You can test the user rights with the search, too. If you search in the frontend over the whole eZ tree and get nodes from trees you should not get, then you have to check your user roles.

Hopefully this will help you with your problem.
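A quick regression check for the setup described above, added here as example code that is not from the thread or from eZ Publish itself: it requests the restricted download anonymously on every host of the installation and reports any host that still serves it. The host names and path are the ones from the question; the redirect handling assumes that eZ Publish answers an anonymous request for protected content with a redirect to its login form (or a 403), so anything other than 200 counts as blocked.

```python
import urllib.request
import urllib.error

# Constructed sample input: the download path from the question and the
# three hosts of the installation. The file belongs to a restricted subtree,
# so no host should serve it to a client that is not logged in.
DOWNLOAD_PATH = "/content/download/otherinfo/test.pdf"
HOSTS = ["www.mydomain.com", "site1.mydomain.com", "site2.mydomain.com"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login form means 'blocked'."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def anonymous_status(url, timeout=10):
    """HTTP status of an anonymous GET (no cookies, no credentials)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (because we refuse to redirect), 4xx and 5xx
        return err.code


def audit_download(path, hosts, status=anonymous_status):
    """Return the hosts that serve the restricted download to an anonymous
    client. An empty list means every siteaccess denies it, as intended."""
    leaked = []
    for host in hosts:
        if status("http://" + host + path) == 200:
            leaked.append(host)
    return leaked


if __name__ == "__main__":
    for host in audit_download(DOWNLOAD_PATH, HOSTS):
        print("still downloadable without login on " + host)
```

The `status` parameter exists so the check can be driven with a fake responder in tests; in production leave it at the default.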
