bit-tech.net

Old 12th Feb 2005, 12:44   #1
ch424
Design Warrior
Join Date: May 2004
Location: Cambridge, UK
Posts: 3,092
asp automatic file upload

At school, in our electronics dept we have a computer set up so that to buy a component, you type your name, what you're buying, cost etc, and it takes your photo (in case some prankster types in someone else's name!) and uploads it to our server, along with your details. At the moment it works like this:

1. Webcam software is constantly saving the webcam image to c:\userphoto.gif, overwriting it twice per second on the client computer

2. User types their info into the form on the client computer, and clicks submit.

3. At this point, a pre-submit javascript uses the copyfile method in this tutorial to copy the image to \\server\images\<year_month_date_hours_minutes_seconds>.gif

4. The form with the info is submitted to an asp page, which adds it to an access database, along with the filename of the image.

I am now thinking of updating this system, perhaps to asp.net from its current asp, especially as the image upload is such a hack, and we have to have most security settings turned off in IE to make it work at all! Does anybody know any other way to automatically upload images that is more secure? Upgrading to asp.net or adding other software should be OK...

Many thanks

ch424
__________________
AMD 3780K | Gigabyte GA-A75M-UD2H | 2x4GB DDR3 | Crucial M4 128GB | 1TB Samsung F1 | Win7 64 | Yuraku YV24WBH1
Old 12th Feb 2005, 14:27   #2
alcedes
Multimodder
Join Date: Jan 2005
Location: Georgia, USA
Posts: 121
Quote:
Originally Posted by ch424
Does anybody know any other way to automatically upload images that is more secure?

If it is automatic then it is less secure; the view is that a web application should never get access to the contents of a user's hard drive unless the user gives the application access to that content.

However, since you are using .NET there are other options. Instead of just using ASP.NET, look into using Windows Forms (the other part of .Net). A Windows Forms application typically has full access to the hard drive (unless you restrict it) and can submit input to a web server/web service. Of course this would mean that the form would have to be installed on all of the client machines.

You may also want to check on Google to see other methods of uploading files to a web server.
Old 12th Feb 2005, 15:32   #3
ch424
Design Warrior
Join Date: May 2004
Location: Cambridge, UK
Posts: 3,092
Quote:
Originally Posted by alcedes

However, since you are using .NET there are other options. Instead of just using ASP.NET, look into using Windows Forms (the other part of .Net). A Windows Forms application typically has full access to the hard drive (unless you restrict it) and can submit input to a web server/web service. Of course this would mean that the form would have to be installed on all of the client machines.
Thanks! I'll look into that...

ch424
Old 14th Feb 2005, 09:49   #4
Hepath
Hypermodder
 
Join Date: Oct 2003
Location: UK, Yokel, Cheltenham
Posts: 730
From the scenario you outline I am assuming that there is only one client machine? Or do all users have to have the program and a webcam?

Personally I see the security flaw not in talking to the server or uploading the images (which you can ftp programmatically) but in securing access to the folder(s) in which the photos lie.

Personally, if you're rewriting this I would see if you can control the webcam programmatically - then take a photo on submit() (or other such event) and keep it in a memorystream which can be uploaded on port 80 via a binary response form (see Response.BinaryWrite). This means that no one can interfere with the photo that accompanies the order.

If that is too difficult, secure the folder with a username and password and only allow the program access. You would need to ensure that the program runs under this account (which is different from the logged on user!)... check out something like the ASPSET_REG utility and the Windows.Principal class.

If I missed the point, sorry; I just don't see the upload as a problem here.

Stu
__________________

C#.Net Certified Application Professional (MCAD)

DFI Lan Party NF4 UT SLI-D | AMD64 4000+ San Deigo (XP90-C) | OCZ PC4800 DDR Plat | Seagate 75Mb 8Mb | Seagate 300Mb 8Mb (crashed!) | PBDV1640P DVD/RW | TAGAN TG480-U22 480W | BFG 6800GT OC (Artic Cooling NV5)
Old 14th Feb 2005, 14:20   #5
ch424
Design Warrior
Join Date: May 2004
Location: Cambridge, UK
Posts: 3,092
OK, thanks hepath! Very insightful: yes, there is only one client computer, and it's so locked down that the alt, ctrl and windows keys are disabled and internet explorer is locked in fullscreen mode!

Quote:
Originally Posted by hepath
... keep it in a memorystream which can be uploaded on port 80 via a binary response form (see Response.BinaryWrite). This means that no one can interfere with the photo that accompanies the order.
Isn't this for getting images from the server to the client? Is there a good guide you could recommend anywhere?

Quote:
Originally Posted by hepath
Secure the folder with a username and password and only allow the program access. You would need to ensure that the program runs under this account (which is different from the logged on user!)...
We do this already... but thanks for the pointer. When I said security issues in the first post, I meant that Microsoft deems the fso object that I mentioned insecure, and it therefore doesn't work under service pack 2.

many thanks

ch424
Old 14th Feb 2005, 17:24   #6
Hepath
Hypermodder
 
Join Date: Oct 2003
Location: UK, Yokel, Cheltenham
Posts: 730
Quote:
... keep it in a memorystream which can be uploaded on port 80 via a binary response form (see Response.BinaryWrite). This means that no one can interfere with the photo that accompanies the order.
oh yes sorry about that - good spot!

I'll ponder some answers as I shuffle my feet in an embarrassed kind of way!
Old 14th Feb 2005, 17:45   #7
Hepath
Hypermodder
 
Join Date: Oct 2003
Location: UK, Yokel, Cheltenham
Posts: 730
Ok just a couple of things...

1. Are the client machine and the web server connected on the same network anyway?

2. Are the pictures stored on the local machine (or a network)?

If they are network connected then you don't really have a security problem... you can write a secure application to do all your work for you. However, as HTTP is being used, I'm guessing it's not! So.....

You could write a .Net application to mimic the webform. This can use HTTP directly to POST the information to the website. This would negate a lot of your problems.

A little bit more environmental info would be useful
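As an added illustration (not code from this thread, ch424's system or any project named in it), here are the two halves of what post #7 suggests in place of the pre-submit script from post #1: a client that POSTs the webcam image together with the form fields as one multipart/form-data request (the part a small .NET form application would do), and the server-side handler that receives it. The server does the work the client script currently does, and trusts nothing from the client about storage: it checks the GIF signature, assigns its own year_month_date_hours_minutes_seconds.gif name, refuses to overwrite an existing file, and only then records the row. The form field names, the size limit, the sqlite table (standing in for the Access .mdb) and the sample image bytes are constructed for this example.

```python
"""Added example: multipart upload client plus a server handler that assigns
the photo's file name itself. Field names, limits, table and sample bytes
are assumptions made for the example, not taken from the thread."""
import datetime
import os
import secrets
import sqlite3
import tempfile

MAX_IMAGE_BYTES = 512 * 1024                 # assumption: a webcam GIF is far smaller
REQUIRED_FIELDS = ("name", "item", "cost")   # assumed names of the form's text fields

# Constructed 1x1 pixel GIF that stands in for c:\userphoto.gif in the demo.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def build_multipart(fields, image_bytes, boundary=None):
    """Client side: encode the text fields plus one image part as multipart/form-data.
    Returns (Content-Type header value, request body)."""
    boundary = boundary or secrets.token_hex(16)
    delim = f"--{boundary}\r\n".encode()
    body = b""
    for name, value in fields.items():
        body += delim + f'Content-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    body += (delim + b'Content-Disposition: form-data; name="photo"; filename="userphoto.gif"\r\n'
             b"Content-Type: image/gif\r\n\r\n" + image_bytes + b"\r\n")
    body += f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def parse_multipart(content_type, body):
    """Server side: minimal multipart/form-data splitter, enough for this form.
    Returns (dict of text fields, raw bytes of the 'photo' part or None)."""
    boundary = content_type.split("boundary=", 1)[1].encode()
    fields, image = {}, None
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):                  # closing delimiter reached
            break
        # chunk[2:] drops the CRLF after the delimiter; data[:-2] drops the CRLF before the next one
        header_blob, _, data = chunk[2:].partition(b"\r\n\r\n")
        data = data[:-2]
        headers = header_blob.decode("latin-1")
        name = headers.split('; name="', 1)[1].split('"', 1)[0]
        if name == "photo":
            image = data
        else:
            fields[name] = data.decode("utf-8")
    return fields, image


def is_gif(data):
    """Accept only data that starts with a GIF signature and ends with the GIF trailer."""
    return data[:6] in (b"GIF87a", b"GIF89a") and data.endswith(b";")


def timestamp_name(now):
    """The year_month_date_hours_minutes_seconds.gif convention from post #1."""
    return now.strftime("%Y_%m_%d_%H_%M_%S") + ".gif"


def handle_upload(content_type, body, image_dir, conn, now=None):
    """Validate one submission and store the photo under a server-chosen name."""
    fields, image = parse_multipart(content_type, body)
    missing = [k for k in REQUIRED_FIELDS if not fields.get(k, "").strip()]
    if missing:
        raise ValueError(f"missing form fields: {missing}")
    if image is None or len(image) > MAX_IMAGE_BYTES or not is_gif(image):
        raise ValueError("photo missing, too large or not a GIF")
    filename = timestamp_name(now or datetime.datetime.now())
    # The client's filename is never used; "xb" fails instead of silently
    # overwriting if two orders land within the same second.
    with open(os.path.join(image_dir, filename), "xb") as fh:
        fh.write(image)
    conn.execute("INSERT INTO purchases(name, item, cost, photo) VALUES (?, ?, ?, ?)",
                 (fields["name"], fields["item"], fields["cost"], filename))
    conn.commit()
    return filename


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchases(id INTEGER PRIMARY KEY, name TEXT, item TEXT, cost TEXT, photo TEXT)")
    return conn


def demo(now=datetime.datetime(2005, 2, 14, 9, 49, 0)):
    """One good submission and one with a non-GIF payload; returns (stored name, row, rejected?)."""
    conn = open_db()
    fields = {"name": "ch424", "item": "LM358", "cost": "0.25"}
    with tempfile.TemporaryDirectory() as image_dir:
        ctype, body = build_multipart(fields, SAMPLE_GIF)
        stored = handle_upload(ctype, body, image_dir, conn, now)
        row = conn.execute("SELECT name, item, cost, photo FROM purchases").fetchone()
        ctype, body = build_multipart(fields, b"<html>not a gif</html>")
        try:
            handle_upload(ctype, body, image_dir, conn, now)
            rejected = False
        except ValueError:
            rejected = True
    return stored, row, rejected


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the only thing crossing from the kiosk to the server is an HTTP request, so neither the ActiveX scripting object nor a writable share from the client is needed; the server alone decides where the bytes land and what they are called.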
Old 14th Feb 2005, 18:48   #8
ch424
Design Warrior
Join Date: May 2004
Location: Cambridge, UK
Posts: 3,092
OK, thanks for all your help! Here's what's on the network:

1. server
2. accountsserver
3. accountsuser (with webcam)
4. loads of normal workstations
5. a proxy/print server
There is a domain, controlled by the server. When accountsuser boots, it automatically logs on as accuser, a profile specifically set up as really locked-down. When accuser is logged in, it starts the webcam software (third party), which saves a photo to c:\userphoto.gif (on accountsuser) twice every second, overwriting it as it goes. Then it opens (fullscreen) the webpage (on accountserver) that contains the form. When the user submits the page, the c:\userphoto is copied over to the accountsserver, and the database on accountsserver is updated. Every night, the database (.mdb) is copied over to server, and once a week, the images are too.

There is a password-protected admin page served by accserver, which shows all the information submitted, along with the photo for each submission. This admin page allows submitted info to be checked/ amended etc.

They are all on the same network. The proxy server connects quite frequently for software updates etc.

Thanks again,

ch424
Old 15th Feb 2005, 07:44   #9
Hepath
Hypermodder
 
Join Date: Oct 2003
Location: UK, Yokel, Cheltenham
Posts: 730
Ahhhh!
Ok.. I'm gonna make some assumptions here which may not be totally correct; we can discuss after

1. You have no control over the webcam. So let's just assume it's sitting there clicking away merrily...

2. As the machines are networked together and you have said that there is a domain server, I infer that you (or someone) have some administrator privileges to set up security for your application suite.

3. I also got to wondering why you didn't save the images in the database with the order.... but that's not really important.

OK....

Thought 1:
Why are you using HTTP? A website (IMHO) in this situation gives you nothing over a normal application - it probably raises more security problems too. If you are rewriting I would suggest a straightforward Windows Forms application. You have much greater control and security and it is far less likely to be hacked around with.

Thought 2.
Assuming that you are going to rewrite, then let's think about what the web server is doing. I'm guessing it processes the form data for the order and saves it, as well as being responsible for mapping the form to the locally saved image.

This goes back to my point about the image location. If we stored it in the database then there would be no requirements for copying, renaming or anything like that, as the image could be sent to the access database and stored directly with the order.

You'll need to work out some metrics to see if this is feasible (ie. how big is the database going to get) and potentially create some housekeeping routine to be run after a successful backup to the server... but that should be done anyway!

So...

{WINDOWS}
This application would need to:

1. Have a form capturing the same details that the current web form does.
2. Be able to read the C drive to pick up the image
3. Be able to talk directly to the database to store the order and photo together.

What are the advantages here over a web based design? Well, you have the existing infrastructure in place to do everything you need to talk directly to the database. The web site just causes problems with the image uploading as this has to be client based (or does it.... read on!) However the main reason I like this is that the whole application is together in a single easily maintainable program. This program can implement its own security to enhance or replace that of the Operating system, ensuring complete trust by its users...

{WEB}
However... you decide you want to remain web. OK.. so effectively we're looking at the upload as the problem here. You're invoking javascript that creates an ActiveX Scripting object so you can break standard web security principles to read the user's hard disk and upload it to the server automatically. The only saving grace here is that effectively you are INTRAnet rather than INTERnet; well that and the fact you've only one {effective} user!

An idea sprung into my mind because of this... why not submit the form and get the ASP SERVER PAGE to read the file from the user's hard disk. In other words, invert the procedure! The biggest problem here is the timing issue; obviously if the form submission takes more than 2 seconds to submit then there could be a problem with image synchronisation. You might get away with creating a virtual directory on the website mapped to the physical drive where the images are stored with readonly access... If you could change the image location though (rather than just C root) you could put them on a protected server drive somewhere. There are security issues here - websites normally run under anonymous accounts; but this can be changed explicitly in IIS or through .NET impersonation....

Please ignore my ramblings... or just generally have a flame
Old 15th Feb 2005, 21:06   #10
ch424
Design Warrior
Join Date: May 2004
Location: Cambridge, UK
Posts: 3,092
Cool, thanks for that! Slightly

I guess windows forms means C#, and don't you have to pay loads for that? ($108?)

Your assumptions are mostly correct: in 2. I have near admin privileges on every machine, but I am not the netadmin, and cannot (I don't think) log into the server to edit user groups etc.
In 3. the images are not saved into the database because a) I don't know how b) it's an access database, and we don't want it too big, as there's quite heavy usage.

Re: thought 1: the advantage is that it's really easy? (no compiling, just drag and drop)

Re: thought 2: I'd prefer to write a web-based thingy to an app-based thingy. How would the server copy the file across, or store it in the database?


ch424
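As an added illustration of the "inverted" design from Hepath's post #9 and the question at the end of ch424's post #10 (this is example code written for this page, not code from the thread or any project in it): after the form is submitted, the server itself reads the webcam file from a read-only location and stores the bytes with the order in the database, so no copying or renaming is needed. Two things the thread raises are made explicit. The freshness check: the webcam rewrites the file twice a second, so a photo whose modification time is more than a couple of seconds away from the submission time is rejected rather than attached to the wrong person's order. And a guard against reading a file while the webcam software is halfway through writing it. The 2-second window, the path, the field names and the sqlite table (standing in for the Access database) are constructed assumptions.

```python
"""Added example: the server reads the webcam file itself and stores it with
the order. The window, paths, field names and table are assumptions for the
example, not values from the thread."""
import os
import sqlite3
import tempfile
import time

MAX_AGE_SECONDS = 2.0   # assumption, taken from the thread's "more than 2 seconds" concern

# Constructed 1x1 pixel GIF standing in for the webcam's output.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def looks_complete_gif(data):
    """A finished GIF starts with its signature and ends with the ';' trailer;
    a file caught mid-write by the webcam software normally fails the second test."""
    return data[:6] in (b"GIF87a", b"GIF89a") and data.endswith(b";")


def read_fresh_photo(path, submitted_at, max_age=MAX_AGE_SECONDS, retries=3):
    """Read the webcam file, insisting that it was written within max_age seconds
    of the submission time; retries briefly if the file is mid-write."""
    for _ in range(retries):
        drift = abs(os.stat(path).st_mtime - submitted_at)
        if drift > max_age:
            raise ValueError(f"photo is {drift:.1f}s away from the submission time")
        with open(path, "rb") as fh:
            data = fh.read()
        if looks_complete_gif(data):
            return data
        time.sleep(0.1)
    raise ValueError("photo never read back as a complete GIF")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchases(id INTEGER PRIMARY KEY, name TEXT, item TEXT, "
                 "cost TEXT, submitted_at REAL, photo BLOB)")
    return conn


def record_order(conn, fields, photo_path, submitted_at):
    """Store the order and the photo bytes in one row; returns the new row id."""
    photo = read_fresh_photo(photo_path, submitted_at)
    cur = conn.execute(
        "INSERT INTO purchases(name, item, cost, submitted_at, photo) VALUES (?, ?, ?, ?, ?)",
        (fields["name"], fields["item"], fields["cost"], submitted_at, sqlite3.Binary(photo)))
    conn.commit()
    return cur.lastrowid


def fetch_photo(conn, order_id):
    """What the admin page would call to show the photo next to a submission."""
    row = conn.execute("SELECT photo FROM purchases WHERE id = ?", (order_id,)).fetchone()
    return bytes(row[0]) if row else None


def demo():
    """Constructed scenario: one fresh submission and one that arrived 5 s after the photo.
    Returns (photo round-tripped intact?, late submission rejected?)."""
    conn = open_db()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "userphoto.gif")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_GIF)
        written = 1108371000.0                # arbitrary fixed timestamp for the demo
        os.utime(path, (written, written))    # pretend the webcam wrote the file then
        fields = {"name": "ch424", "item": "LM358", "cost": "0.25"}
        order_id = record_order(conn, fields, path, written + 0.5)
        try:
            record_order(conn, fields, path, written + 5.0)
            late_rejected = False
        except ValueError:
            late_rejected = True
        return fetch_photo(conn, order_id) == SAMPLE_GIF, late_rejected


if __name__ == "__main__":
    print(demo())
```

Keeping the image in the same row as the order also removes the filename-to-row mapping the current system relies on, which is the part that a fixed one-second timestamp naming scheme gets wrong when two orders land close together. Whether the database can take the growth is the sizing question post #9 already raises.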