Post by jmanko » Sun Nov 24, 2013 3:10 pm

Is there any way to protect downloads from download unless a valid purchase has been made (i.e., a specially formatted URL that both verifies the download and provides a page to actually download the file)? Right now I can download a file if I know the name. What kind of joke is that? If not, then why would OpenCart include such a poorly implemented feature in their software?
Last edited by jmanko on Mon Dec 09, 2013 1:38 am, edited 1 time in total.

Post by butte » Mon Nov 25, 2013 2:29 am

You upload downloadable files THROUGH OC NOT VIA FTP into /download/ precisely because OC "hashes" the filespecs in order to prevent unauthorized downloading and to require that prepaid customers log in before downloading what they paid for. That is not a joke. If you were to upload pre-hashed files, then only you would have the foggiest idea what the filespecs are, but that would still not be a joke. The feature is not poorly implemented. It already provides for, and provides, "a specially formatted URL" by way of the hash "that both verifies the download and provides a page" consisting of the account itself for authorized downloading only by prepaid customers who are logged into their accounts.

Hackers are a risk but they will normally not be interested in your downloads. When they use /download/ they generally seek to inject code for mime attack. If you see ANY files named *jpg* or route?* or *.php.* get rid of those and ensure that your permissions are still 755 directories and 644 files. Be certain that your zero-byte (or a 44-byte) /download/index.html is in place, and that .htaccess in the root prohibits viewing directory content, so that the most they would be able to shop for is index.html and see preferably only white.

Post by MarketInSG » Mon Nov 25, 2013 8:13 am

jmanko wrote: Is there any way to protect downloads from download unless a valid purchase has been made (i.e., a specially formatted URL that both verifies the download and provides a page to actually download the file)? Right now I can download a file if I know the name. What kind of joke is that? If not, then why would OpenCart include such a poorly implemented feature in their software?

Can someone so easily guess the uploaded file's name? Also, change your download directory and they won't find it either.


Post by jmanko » Mon Dec 09, 2013 1:37 am

MarketInSG wrote: Can someone so easily guess the uploaded file's name? Also, change your download directory and they won't find it either.

I resolved this. Problem was a combination of .htaccess not there and misconfiguration on my part. Thanks for the input.

Post by jmanko » Mon Dec 09, 2013 1:40 am

butte wrote: Be certain that your zero-byte (or a 44-byte) /download/index.html is in place, and that .htaccess in the root prohibits viewing directory content, so that the most they would be able to shop for is index.html and see preferably only white.

You were spot on with this suggestion, butte. Thank you. For some reason my .htaccess was renamed to htaccess.txt.
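
The checks butte lists, plus the renamed .htaccess jmanko found, collected into one audit script. This is an added example, not part of any post in the thread and not OpenCart code. It assumes an Apache host, so "prohibits viewing directory content" is read as `Options -Indexes`; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenCart code): audit a download directory against the
# checklist in this thread. Usage: audit_downloads STORE_ROOT DOWNLOAD_DIR
# Prints one finding per line; returns 0 when clean, 1 otherwise.

audit_findings() {
    root=$1; dl=$2

    # File names the post says to get rid of, read here as shell globs.
    find "$dl" -type f \( -name '*jpg*' -o -name 'route?*' -o -name '*.php.*' \) |
        sed 's/^/suspicious-name: /'

    # Permissions: 755 on directories, 644 on files.
    find "$dl" -type d ! -perm 755 | sed 's/^/dir-not-755: /'
    find "$dl" -type f ! -perm 644 | sed 's/^/file-not-644: /'

    # Placeholder index.html: zero bytes or 44 bytes.
    if [ -f "$dl/index.html" ]; then
        size=$(($(wc -c < "$dl/index.html")))
        case $size in 0|44) ;; *) echo "index-html-size: $size bytes" ;; esac
    else
        echo "index-html-missing: $dl/index.html"
    fi

    # Root .htaccess must exist and switch directory listings off.
    # Assumption: Apache, where that directive is "Options -Indexes".
    if [ ! -f "$root/.htaccess" ]; then
        echo "htaccess-missing: $root/.htaccess"
        # The case from this thread: the file is there but under an inert name.
        [ -f "$root/htaccess.txt" ] && echo "htaccess-inactive-copy: $root/htaccess.txt"
    elif ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess"; then
        echo "htaccess-no-listing-ban: $root/.htaccess"
    fi
    return 0
}

audit_downloads() {
    out=$(audit_findings "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

A passing audit only confirms the settings named in the thread; confirm the result from outside by requesting the download directory URL and a known file name without being logged in.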
