Secure Web Download Token System

[Armin]

What's up dudes?

I'm looking to set up a secure download token system on our website by tonight for distributing a DVD download. Basically, tonight we will send to all the pre-orders, a download token embedded in a hyperlink that will only allow to download the DVD once. If they need to download it again, then they press a button that generates and emails them a new download token. The goal is to try and minimize sharing of this content until the physical release date in March.

Does anyone know much about this subject, ie do they have packages for this, or will I need to program it from scratch, and if so, which language is most ideal for me to program this in, and (@iago) what steps would I have to take to prevent vulnerabilities?

[rabbit]

Hash the (time . email) and use that as a token, then store it along with what email it was sent to.  When they download, mark it used.

[Armin]

so I imagine I would store it in an SQL database, using PHP to execute the "if"s and "write"s? and if I were to store this data in its own SQL database, I imagine there wouldn't be anything important they could exploit?

[Armin]

sweet... A little over 8 hours later without leaving the room, I've successfully accomplished my first project in PHP/MySQL.

Thanks for the direction, rabbit.

Though I'm still curious about how I should go about preventing anyone from taking advantage of SQL vulnerabilities and gathering the email addresses (most important), and also maliciously changing any table data. Any suggestions would be greatly appreciated.

[Sidoh]

The easiest thing you can do is probably to use something like MDB2 as a database wrapper and use prepared statements to prevent SQL injection.

Do that and you'll probably be fairly well off.

[iago]

If you post the code somewhere - or send it to me - I can probably give you some advice.

I'd suggest that instead of storing the email address in the database, you store a hash of the email address - md5($address). When the user does the request, take the md5() of the address they submit and compare it to the md5 stored in the database to see if it matches. That way, you never have to store their actual email address.

[Sidoh]

If you post the code somewhere - or send it to me - I can probably give you some advice.

I'd suggest that instead of storing the email address in the database, you store a hash of the email address - md5($address). When the user does the request, take the md5() of the address they submit and compare it to the md5 stored in the database to see if it matches. That way, you never have to store their actual email address.

But then hackers don't have anything juicy to get to when they infiltrate your mainframez.

[dark_drake]

But then hackers don't have anything juicy to get to when they infiltrate your mainframez.

Aha! So that was your plan all along. Never trust a Hawaiian!

[Armin]

The easiest thing you can do is probably to use something like MDB2 as a database wrapper and use prepared statements to prevent SQL injection.

Do that and you'll probably be fairly well off.

Thank you sir! I will look into this probably tomorrow.

If you post the code somewhere - or send it to me - I can probably give you some advice.

I'd suggest that instead of storing the email address in the database, you store a hash of the email address - md5($address). When the user does the request, take the md5() of the address they submit and compare it to the md5 stored in the database to see if it matches. That way, you never have to store their actual email address.

Great advice. I already launched the distribution at midnight last night, so I'll have to migrate the email data.

In the meantime, here is the code I used only once to initially add the users into the database (I deleted the script from the server after running it):

Code: [Select]

<?php
$con = mysql_connect("server_removed","user_removed","password_removed"); //Establishes SQL connection
if (!$con) {
    die('Could not connect: ' . mysql_error());                           //Ends script in case of connection error
}
$inpEmail = "emails@are.listed here@with.spaces seperating@each.email";   //List of Email Input
$arrEmail=(explode(" ",$inpEmail));                                       //Explodes Email Input into an array
mysql_select_db("database_removed", $con);                                //selects the database
foreach ($arrEmail as $email) {                                           //For each email in the array do:
    $gToken=hash('md5', $email . time());                                 //Creates token as md5 hash of email . time
    $sql="INSERT INTO TableRemoved (Email, Token, Used)
    VALUES ('$email','$gToken','0')";                                     //Inserts 3 values into the SQL Table: Email, Token, number of uses
    if (!mysql_query($sql,$con)) {
        die('Error: ' . mysql_error());                                   //Ends script in case of connection error
    }
    $DownloadURL="http://www.link.com/removed?email=". $email ."&token=" . $gToken; //Generates download URL
    $subject="blah blah blah";
    $message="blah blah blah" . $DownloadURL . ;                                                        
    $header="From:VAYDEN <contact@vaydenmusic.com>";
    mail($email,$subject,$message,$header);                               //Sends URL to email address
    echo "1 record added.<br />";                                         //Success!
}
mysql_close($con);                                                        //Closes SQL connection
?>
and here is the code I use for when the user tries to download the file:

Code: [Select]

<?php
$n=0;                                                                   //Defines "email found" counter
$email=$_GET["email"];                                                  //GETs email from URL
$token=$_GET["token"];                                                  //GETS token from URL

$con = mysql_connect("removed","removed","removed");                    //Establishes connection with SQL server
if (!$con) {
    die('Could not connect: ' . mysql_error());                         //Ends script in case of connection error
}
mysql_select_db("removed", $con);                                       //Selects appropriate databse
$result = mysql_query("SELECT * FROM removed
WHERE Email='$email'");                                                 //Creates array for the email + all associated data
while($row = mysql_fetch_array($result)) {
    ++$n;                                                               //Increments "email found" counter -- I use this because there is no 'while {} else {}'
    if ($row['Token']!=$token) {                                        //If the token does not match, do:
        $gToken=hash('md5', $email . time());                           //Generates new Token
        mysql_query("UPDATE removed SET Token = '$gToken', Used = '0'
        WHERE Email = '$email'");                                       //Adds new token to database, resets uses to '0'
        $DownloadURL = "removed". $email ."&token=" . $gToken;          //Generates new download URL
        $subject="blah blah blah";
        $message = $DownloadURL . "blah blah blah";
        $header="From:VAYDEN <contact@vaydenmusic.com>"
        mail($email,$subject,$message,$header);                         //Sends new download URL to email address
        die('blah blah blah');                                          //Ends script with "token expired" error message
    }
    elseif ($row['Used']>='3') {                                        //If the token has been used 3 or more times, do:
        $gToken=hash('md5', $email . time());                           //Generates new Token
        mysql_query("UPDATE removed SET Token = '$gToken', Used = '0'
        WHERE Email = '$email'");                                       //Adds new token to database, resets uses to '0'
        $DownloadURL = "removed". $email ."&token=" . $gToken;          //Generates new download URL
        $subject="blah blah blah";
        $message = $DownloadURL . "blah blah blah";
        $header="From:VAYDEN <contact@vaydenmusic.com>"
        mail($email,$subject,$message,$header);                         //Sends new download URL to email address
        die('blah blah blah');                                          //Ends script with "token expired" error message
    }
    elseif ($row['Token']==$token && $row['Used']!='3') {               //If token matches and has not been used more than 3 times, do:
        $incToken=$row['Used'];
        ++$incToken;                                                    //Increments token used variable
        mysql_query("UPDATE removed SET Used = '$incToken'
        WHERE Email = '$email'");                                       //Updates database with number of token uses
        if ($fd = fopen ($fullPath, "r")) {                             //Runs this following download script:
            $path = $_SERVER['DOCUMENT_ROOT']."/hidden/";
            $fullPath = $path.$_GET['download_file'];
            $fsize = filesize($fullPath);
            $path_parts = pathinfo($fullPath);
            $ext = strtolower($path_parts["extension"]);
            switch ($ext) {
                case "pdf":
                header("Content-type: application/pdf");
                header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
                break;
                case "mp4":
                header("Content-type: video/mp4");
                header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
                break;
                default;
                header("Content-type: application/octet-stream");
                header("Content-Disposition: attachment; filename=\"".$path_parts["basename"]."\"");
            }
            header("Content-length: $fsize");
            header("Cache-control: private");
            while(!feof($fd)) {
                $buffer = fread($fd, 2048);
                echo $buffer;
            }
        }
        fclose ($fd);
        exit;
    }
}
if ($n==0) {                                                            //This is my "while {} else {}" solution for if the email is not found
    die "blah blah blah";                                               //Ends script with "email not found" error message
}
?>
I plan to clean this up by having the emails be sent from a separate PHP script, among other things. Also, forgive me for being new to programming.

[rabbit]

http://en.wikipedia.org/wiki/Indent_style#K.26R_style pls

[Armin]

Sorry, is that better? Also, that article doesn't say anything about empty new lines, even though some examples included them. Is there a time and place for them?

[Sidoh]

http://en.wikipedia.org/wiki/Indent_style#K.26R_style pls

I've stopped caring about this kind of stuff. I used to be a total K&R nazi, but I've since worked for enough companies using alternative standards that I've grown accustomed to using whatever style people are comfortable with.

It's not like you can't just paste it into an IDE and press some keys to get it to look exactly how you want it to.

[Blaze]

Vulnerbilties:

You do not sanitize 'email' on your download page which leads to a SQL injection (http://ca2.php.net/manual/en/function.mysql-real-escape-string.php)

You do not sanitize your "$_GET['download_file']" request on the download page which leads to full web-server-user access to the filesystem.  A crafty attacker could make their file '../../../../../../../../../etc/passwd' and access any file that your web server has access to.  There are several ways to correct this, you could do a regex filter for just "A-Za-z0-9\." which would only allow alpha-num and periods, or you can filter out slashes.  There are several other methods, but I prefer the regex.


Errors:

You set "$fullPath" after you have used it first (logical error)

Your switch at the end uses a semicolon instead of a colon for "default"

You are missing a semicolon in your $header assignments. (I assume this is because you just edited these in quickly at the end)

Die is a function, not a language construct: you must surround paramaters with parenthesis. (The last die in your script should be die("blah blah blah"); instead of die "blah blah blah";)


Suggestions:

You do not sanitize your URLs (http://ca3.php.net/manual/en/function.urlencode.php)

Convert all user-enterable values as a single case when hashing.  ie, $gToken = hash('md5', $email . time()); would be $gToken = hash('md5', strtolower($email) . time());

Do not store your downloadable content in a 'hidden' web-accessible folder.  If possible, keep the content is a folder below your web accessible folder (ie, if your content was in /var/www/htdocs/, keep your downloadable content in /var/www/downloads/)

Change your 'Used Increment' statement to use the DB value rather than a fetched value.  This prevents users from accessing the page all at once quickly and the counter not incrementing properly. (Allows for more than 3 possible downloads).  The query would be "UPDATE removed SET Token = Token + 1, Used = '0' WHERE Email = '" . mysql_real_escape_string($email, $con) . "'"

Avoid printing mysql_errors in non-dev environments, and just leave the 'could not connect' message.

While not wrong, I suggest you include your link identifier ($con) in your query and sanitation function calls.  It's a good habit to be specific when you can.  :)


And that's just a quick scan.  It is really easy to make vulnerable code in PHP as you can tell.  :)

[Armin]

hahaha shit man. I really opened up a Pandora's box with this ambitious idea. I spent equally as much time today failing to figure out why Internet Explorer times out halfway through the 713MB download (something to do with the download script, or server-side PHP settings [I wish my host would install mod_xsendfile]), as I did figuring out how to write this token script.

Due to this issue, and that of the scope of the vulnerabilities, I temporarily bypassed this system altogether with a direct link to the download. I will re-implement these features after I fix these issues.

When I first started this project on Monday, I took a small 5mg dose of Vyvanse to help me focus on this logical task. Later that night, shortly after I made the post about 'accomplishing' the project, loud sirens were coming from up and down my neighborhood streets, and some dude evading arrest walked into my apartment, out of my line of sight, and took refuge in my out-of-town roommate's bedroom.

My Vyvanse-strung-out, 3AM logic kicked in, and I asked if anyone was there. "And if anyone is there, it's okay. I'm going to my room," where I subsequently fell asleep. Albeit, a very skiddish sleep, but sleep nonetheless. [spoiler]of course, because of the day's tedious events + Vyvanse intake + lack of sleep, the entire experience was actually a paranoid hallucination.[/spoiler]

In other words, I need to play music for the next couple of days, or I may fall off into the deep end.

Many endless thanks for the suggestions, Blaze. I look forward to finishing this up over the next week so I can use it, along the knowledge I gained from this experience, on future releases/projects.

[iago]

Blaze pointed out the things I noticed, plus a whooooole bunch more.

This is why PHP is dangerous, it's just too darn easy.