Security Issue - PHP/Ajax/xml/javascript



Strangeplant
09-01-2006, 02:21 PM
Hi guys,

I'm using the Ajax Dynamic Content script found at http://www.dynamicdrive.com/dynamicindex17/ajaxcontent.htm to serve up a load of .jpg images via an index.php page. However, the images can be accessed by a direct link. The backdoor is open.

I found a discussion of .htaccess in the Lounge area (http://www.dynamicdrive.com/forums/archive/index.php/t-8592.html) but it is not directly relevant. I'm hoping that this post is at least marginally in the right forum.

The files must be served by Apache, and it needs permission, but the needed permissions are not clear to me since xml is involved and the request is initiated by the browser code. There is no discussion of this in the Ajax scripts at DD. So, thinking about this, I have a few options: (1) use some form of chmod (but what?), (2) use Redirect in a .htaccess file, (3) use the Rewrite Engine (which is not enabled and the server admin is already freaking out with what I'm doing).... So, I've chosen (2) because it is new territory for me.

I've created a .htaccess file with the content:
Redirect /TestData/*.jpg http://earth.engr.ccny.cuny.edu/noaa/wc/TestData/

And changed the config file to include

<Directory "/webmail/apache/htdocs/noaa/wc/TestData">
AllowOverride AuthConfig
AllowOverride All
</Directory>

Things are not working because the images can still be accessed by direct link, so I'm assuming that something is missing from the Directory code, but what?
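
An added example, not part of the original post: the browser fetches each image with an ordinary HTTP request, so one way to close direct links is to have Apache refuse the image directory outright and hand the files out through a PHP script that checks the session first. The script name image.php, the `f` parameter and the `viewer_ok` session flag are assumptions for illustration; the directory path is the one from the post.

```php
<?php
// Added example (not the poster's code): hypothetical image.php gatekeeper.
// Assumptions: index.php runs session_start() and sets $_SESSION['viewer_ok'] = true,
// and Apache refuses to serve IMAGE_DIR directly (e.g. "Require all denied" on 2.4).
const IMAGE_DIR = '/webmail/apache/htdocs/noaa/wc/TestData'; // path from the post

// Return the absolute path of a permitted image, or null to refuse the request.
function resolve_image($requested, string $baseDir): ?string
{
    // Bare file name only: no directories, no traversal, .jpg only.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]+\.jpg\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() is false for missing files and resolves symlinks, so confirm
    // the result still sits inside the image directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function serve_image(): void
{
    session_start();
    if (empty($_SESSION['viewer_ok'])) { // request did not come through index.php
        http_response_code(403);
        return;
    }
    $path = resolve_image($_GET['f'] ?? '', IMAGE_DIR);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Serve only under a web server SAPI, not when run from the CLI.
if (PHP_SAPI !== 'cli') {
    serve_image();
}
```

A visitor who has already loaded index.php can still request image.php directly; the session check only stops requests that never went through the page.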