Source language: Translate to:

FTP Plugin Questions

Questions about our File Management and Internet FTP plug-in

FTP Plugin Questions

Postby Pat Baner » Mon May 16, 2011 6:59 pm

Hoping folks here can provide me some clarification and ideas.

My application needs the capability to upload files directly to my server with the push of a button. Now, this data contains sensitive personal information. I looked at using a webform with a file upload and a ssl certificate. Problem is the html makes all file upload fields read only so I can't paste the computer address to the field. I don't want the user to have to select the file as I am going for a "professional" option.

I know I can do this with the FTP plugin but here is my issues and questions:

Is there ANY WAY a hacker could capture the user name and password that my application uses to create the connection?

Can the FTP plugin work if the folder permissions are "write only"?

Any one that has an idea, I would greatly appreciate it.

Thanks In Advance
Pat Baner
 
Posts: 75
Joined: Tue Jan 04, 2011 9:21 am

Postby luishp » Tue May 17, 2011 1:01 am

I have two ideas that perhaps could be usefull for you:

1) Extract the information from the file to autocomplete a hidden webform and recreate the file on the server with that information.

2) Upload the file(s) using FTP and then autoexecute a server script to copy the file to a not reachable folder.

Hope it helps.
User avatar
luishp
 
Posts: 359
Joined: Wed May 23, 2007 10:17 am
Location: Spain

Re: FTP Plugin Questions

Postby dpayer » Tue May 17, 2011 5:20 am

Travin69 wrote:Hoping folks here can provide me some clarification and ideas.

Is there ANY WAY a hacker could capture the user name and password that my application uses to create the connection?

Can the FTP plugin work if the folder permissions are "write only"?

Any one that has an idea, I would greatly appreciate it.

Thanks In Advance


The exchange of username/pw to a standard FTP server is done through clear text, not encrypted. If someone is "sniffing" your network, they could determine that information. If that information goes through a proxy, the operator of the proxy could watch that information. If the client program uses a wireless connection, that has no encryption or WEP encryption, it can be read.

I am not sure if the plugin offers secure FTP but you may want to look into using that as the transport for sensitive info.

David P
User avatar
dpayer
 
Posts: 1382
Joined: Mon Apr 11, 2005 5:55 am
Location: Iowa - USA

Postby Neosoft Support » Tue May 17, 2011 10:06 am

NeoBookFM/FTP does not currently support secure FTP.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5602
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby Pat Baner » Wed May 18, 2011 12:21 pm

Support, what would it take to make the plugin support secure FTP?

I thought about doing a webform that has a SSL certificate on it. I was able to do everything except paste the fiel address into the field. File upload fields are read only and require the user to interact with the file selection box. Is there a way to automate that so the user doesn't have to intereact with a file selection box?

Thanks.
Pat Baner
 
Posts: 75
Joined: Tue Jan 04, 2011 9:21 am

Postby Neosoft Support » Wed May 18, 2011 1:55 pm

Support, what would it take to make the plugin support secure FTP?


Unfortunately, it's extremely complicated. We may consider it for a future update, but it's not in our current plans. Secure FTP also requires a secure server to receive the files.
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5602
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby Gaev » Wed May 18, 2011 3:09 pm

Travin69:
File upload fields are read only and require the user to interact with the file selection box. Is there a way to automate that so the user doesn't have to intereact with a file selection box?

There is a very good reason for that ... imagine you surf to a web page on a malicious :twisted: website ... and it is able to upload any file from your local disk ... without any action on your part ... :shock: :cry:
User avatar
Gaev
 
Posts: 3728
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada

Postby Pat Baner » Wed May 18, 2011 5:20 pm

I am not disputing the utility of the function, I am trying to find a way to bypass it for the express, and legal, uses with my program, thats all. I was hoping there was a way do it but if not, oh well.
Pat Baner
 
Posts: 75
Joined: Tue Jan 04, 2011 9:21 am

Postby Gaev » Thu May 19, 2011 4:44 am

Travin69:
I am trying to find a way to bypass it for the express, and legal, uses with my program, thats all.

Didn't mean to imply you were doing something illegal ... just that the Browser can not differentiate intent of the webpage owner.

Having said that, there ought to be a way for file uploads to be specified via script when the Browser Control is called from a program other than the Browser ... since the user is already trusting the program owner sufficiently to run his/her program on their computer.

But unless Dave can find some kind of api that is available to him (and for which he can provide a native NeoBook command e.g. UploadFile), I guess MS does not make this differentiation.
User avatar
Gaev
 
Posts: 3728
Joined: Fri Apr 01, 2005 7:48 am
Location: Toronto, Canada

Postby Neosoft Support » Thu May 19, 2011 10:30 am

What kind of file are you trying to upload and how large is it?
NeoSoft Support
Neosoft Support
NeoSoft Team
 
Posts: 5602
Joined: Thu Mar 31, 2005 10:48 pm
Location: Oregon, USA

Postby Pat Baner » Sat May 21, 2011 4:14 pm

It is a copy of the database the program uses. My program allows the user to input data. I need a copy of that data so I wanted a way to allow them to upload it automatically to my server vice requiring them to login to my website and upload via a form.

As for the size, not sure as I could vary between clients. I wouldn't venture to say more than 50mb though.
Pat Baner
 
Posts: 75
Joined: Tue Jan 04, 2011 9:21 am

Postby dpayer » Sun May 22, 2011 9:52 am

Travin69 wrote:It is a copy of the database the program uses. My program allows the user to input data. I need a copy of that data so I wanted a way to allow them to upload it automatically to my server vice requiring them to login to my website and upload via a form.

As for the size, not sure as I could vary between clients. I wouldn't venture to say more than 50mb though.


Why don't you encrypt the database and then push the file up via form? Then even if someone got it, they couldn't do anything with it without the decrypt key.

You will need to be sure your form processor (a php file for example) can handle such a large file. The PHP config/info file will tell you the limits of your system to upload.

Here is a page with a few ideas on encryption:

http://www.thefreecountry.com/security/encryption.shtml

David P.
User avatar
dpayer
 
Posts: 1382
Joined: Mon Apr 11, 2005 5:55 am
Location: Iowa - USA


Return to NeoBookFM/FTP

Who is online

Users browsing this forum: No registered users and 0 guests

cron