Problem with mod_secdownload

Added by Marian over 16 years ago

I have installed the newest version of lighttpd on a Debian system.
I just want to use the mod_secdownload feature, but if I want to download a file I only get a 403 - Forbidden error.
The link is getting generated and looks all right: http://XX.XX.XXX.XXX/dl/912ed651366a4ac1bfcda5de3bc2cbfc/491ac813/Galileo_08.11.11_19-10_pro7_65_TVOON_DE.mpg.avi.otrkey.
Where can I search for a mistake I made?


Replies (5)

RE: Problem with mod_secdownload - Added by Marian over 16 years ago

The error message in the log says:
2008-11-12 12:45:09: (mod_secure_download.c.273) md5 invalid: f91783ee66adb66d3bb498da49138fd6/491ac1c2/C_S_I__Miami_08.11.11_20-15_rtl_60_TVOON_DE.mpg.avi.otrkey db0347970e934e9b0033521003d43d58

RE: Problem with mod_secdownload - Added by icy over 16 years ago

Please read http://redmine.lighttpd.net/boards/2/topics/show/5 first.
Provide the config and the code you use to generate the link.
Invalid md5 suggests that the link you generate is bogus.

RE: Problem with mod_secdownload - Added by Marian over 16 years ago

Thanks for your answer!

Operating System: Debian 4.0
Version of Lighttpd 1.4.20
Firefox 3.0.3

This PHP-Script generates the link:

$secret = "secretword";
$uri_prefix = "/dl/";

# filename
# please note file name starts with "/"
$f = $_REQUEST['f'];

# current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);

# generate link
printf('<a href="%s%s/%s%s">%s</a>',
    $uri_prefix, $m, $t_hex, "/".$f, $f);

This code I use in the config file:

secdownload.secret          = "secretword" 
secdownload.document-root = "/home/pathtodownload/"
secdownload.uri-prefix = "/dl/"
secdownload.timeout = 86400

RE: Problem with mod_secdownload - Added by Marian over 16 years ago

I just found the problem myself. "/" wasn't correct in the link.

RE: Problem with mod_secdownload - Added by icy over 16 years ago

  1. What is the content of $f?
  2. You've got an XSS vulnerability there because you do not escape $f when printing out the HTML code.
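The two points this thread ends on (the leading "/" must be part of both the hashed string and the link, and $f must be escaped before it is printed), as an added example that is not part of the original posts or of lighttpd's code. secdl_link, secdl_check and secdl_anchor are hypothetical helpers, the check models the URL layout shown in the thread rather than the server's source, and the filename and timestamp are constructed.

```php
<?php
// Added example; helper names and sample values are constructed for illustration.

// Build <uri-prefix><md5>/<hex-time><rel-path>. The path is normalised to start
// with exactly one "/" and that same string is both hashed and appended.
function secdl_link(string $secret, string $uri_prefix, string $file, int $now): string {
    $rel_path = '/' . ltrim($file, '/');
    $t_hex    = sprintf('%08x', $now);
    return $uri_prefix . md5($secret . $rel_path . $t_hex) . '/' . $t_hex . $rel_path;
}

// Model of the server-side check (assumption: it hashes secret + rel-path + hex-time,
// where rel-path is everything from the "/" after the timestamp onwards).
function secdl_check(string $secret, string $uri_prefix, string $url, int $now, int $timeout): string {
    $re = '#^' . preg_quote($uri_prefix, '#') . '([0-9a-f]{32})/([0-9a-f]{8})(/.*)$#';
    if (!preg_match($re, $url, $m)) {
        return 'malformed';
    }
    [, $token, $t_hex, $rel_path] = $m;
    if (!hash_equals(md5($secret . $rel_path . $t_hex), $token)) {
        return 'md5 invalid';   // the case logged in the thread
    }
    return abs($now - hexdec($t_hex)) > $timeout ? 'expired' : 'ok';
}

// Escape for both the href attribute and the link text before printing.
function secdl_anchor(string $link, string $label): string {
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($link, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}

$secret = 'secretword';
$prefix = '/dl/';
$now    = 1226490309;          // constructed timestamp
$f      = 'clip"><b>.avi';     // constructed filename, no leading "/"
$t_hex  = sprintf('%08x', $now);

// As in the posted script: hash covers $f, but the link carries "/" . $f.
$mismatch = $prefix . md5($secret . $f . $t_hex) . '/' . $t_hex . '/' . $f;
$matching = secdl_link($secret, $prefix, $f, $now);

echo secdl_check($secret, $prefix, $mismatch, $now, 86400), "\n";          // md5 invalid
echo secdl_check($secret, $prefix, $matching, $now, 86400), "\n";          // ok
echo secdl_check($secret, $prefix, $matching, $now + 90000, 86400), "\n";  // expired
echo secdl_anchor($matching, $f), "\n";   // quotes and angle brackets arrive as entities
```

Percent-encoding of the path is not modelled here; filenames containing characters that are not URL-safe need it in addition to the HTML escaping.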