Connaxis Creative Outsourcing - Stay Competitive - Outsource Web Design to Argentina


Using SWFUpload with HTTP Auth

Added by: 11 July 2009 19:40

Sadly, SWFUpload (swfupload.org) does not work with HTTP Authentication. One solution would be to disable HTTP Authentication for the upload_url, e.g. by excluding it with the <Location> directive in Apache:

<Location />
    Require valid-user
</Location>
<Location /swfupload>
    Satisfy Any
</Location>

The above example does not work, but a little trick does: exclude the upload URL by limiting HTTP authentication to every HTTP method except POST:

<Directory /var/www/mysite>
    # do not use HTTP auth for POST to allow SWFUpload!
    # Note: every other method (GET, HEAD, ...) still requires a valid user,
    # but a POST to any URL below this directory is accepted unauthenticated.
    <LimitExcept POST>
        AuthName "Restricted Area"
        AuthType Basic
        # If /var/www/mysite is the served tree, this file lives inside it;
        # a location outside the DocumentRoot avoids serving it by mistake.
        AuthUserFile /var/www/mysite/htpasswd
        AuthGroupFile /dev/null
        Require valid-user
    </LimitExcept>
</Directory>

I hope this helps users who want to use SWFUpload, for example in an admin backend protected by HTTP Authentication!

JamieL (Posts: 2)
Re:
Reply #3 on: Wed January 13, 2010, 18:19:42
Mine is also just for a staging server so this solution worked great. Good work!!
enrique.jacobs (Posts: 1)
Yes, it does compromise security
Reply #2 on: Sun July 19, 2009, 19:57:03
Yes, my suggestion does compromise the security as the site is not protected for POST requests (and an attacker could use POST to get access to any URL on the site).
Your .htaccess trick sadly only works if the script is accessed without mod_rewrite (i.e. you access upload.php by /upload.php). Excluding a rewritten location is not possible (as far as I know and as far as tested).
In my case I don't use the password protection for an admin backend but for a simple protection of a staging server (site which is not public yet).
Obliterator (Posts: 2)
Re:
Reply #1 on: Mon July 13, 2009, 01:10:22
Does this not compromise the security of the admin area a little? What happens if a user queries the normal admin pages but with a fake POST request on the query? I'm new to htaccess restrictions, but I think it might permit people to view the admin page without authorisation?

Granted, it's unlikely someone would know to do that, but if everyone using SWFUpload uses this method it would soon become common knowledge.

I chose to grant an exclusion for the upload.php file from my htaccess rather than all POST requests. This solved the problem for me whilst keeping all the other files protected. Only my upload script is potentially exposed to the world. I then made sure the upload script places any uploaded files in a folder beyond the www root for additional safety.

Forgive me if I'm mistaken, like I say I'm new to htaccess files.
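A narrower variant of the post's <LimitExcept> configuration, written here as an added example that is not taken from the post, the comments or SWFUpload itself: it keeps the whole tree behind Basic auth for every method and exempts only the script SWFUpload posts to, and only for POST, which is the approach Obliterator's comment describes. It assumes Apache 2.2 syntax (as in the original), that the handler is a file named upload.php directly under /var/www/mysite, that the password file path and staging hostname are placeholders, and that the script is requested by its real file name (no rewrite in front of it).

```apache
# Assumed layout: /var/www/mysite is the served tree, upload.php sits in it.
<Directory /var/www/mysite>
    # Every method on every URL below here needs a valid user ...
    AuthName "Restricted Area"
    AuthType Basic
    # Placeholder path; keeping the password file outside the served tree
    # means it can never be fetched through the web server.
    AuthUserFile /etc/apache2/mysite.htpasswd
    AuthGroupFile /dev/null
    Require valid-user

    # ... except POST to the one upload handler. GET /upload.php and a
    # forged POST to any other page are still challenged, which closes
    # the gap of the blanket <LimitExcept POST> trick.
    <Files upload.php>
        <Limit POST>
            Order allow,deny
            Allow from all
            Satisfy Any
        </Limit>
    </Files>
</Directory>

# Because upload.php is now reachable without credentials, it must
# validate what it accepts and store files outside the DocumentRoot.
#
# Check after reloading (hostname is a placeholder): both of these must
# answer 401 Unauthorized ...
#   curl -s -o /dev/null -w '%{http_code}\n' -X POST http://staging.example/admin/
#   curl -s -o /dev/null -w '%{http_code}\n' http://staging.example/upload.php
# ... while a POST to /upload.php reaches the script without a challenge:
#   curl -s -o /dev/null -w '%{http_code}\n' -X POST http://staging.example/upload.php
```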