  • insightdesign Reply #1, 4 years ago
    Hi all,

    Can anybody point me in the right direction? I want to hide a server directory (which has sensitive PDFs) from the general public, aka the Anonymous user. Is there any way to do that? These sensitive PDFs keep popping up in Google results.

    Things I've tried already:

    1. Media Source - I have a feeling that this might be the answer, but I can only block certain users when they're logged into MODx. Obviously the anonymous user won't be logged in...helpful hints anyone?
    2. cPanel/.htaccess - I tried adding a password to a server directory via cPanel (this creates an .htaccess and .htpasswd file). But I gave up because for some reason it would not work. PLUS I would prefer if our client didn't have to log in to the server after already signing into MODx.
    3. Google Webmaster Tools - I've already asked the client to manually remove the PDFs from the Google Index. However, this is proving to be too much work.
    4. Robots.txt - I've added a robots.txt file blocking the directory but strangely enough the sensitive PDFs would still show up.

    Any ideas?

    Ta,
    Sar


    • 1) I don't know if the files can be placed outside of root - public folder, that would be SWEET.

      2) This you need to learn and not give up on...
      https://www.google.com/search?q=.htpasswd+tutorial
      https://www.google.com/search?q=.htaccess+hotlinking+prevention

      3) If you look into various file download snippets they provide some security options (salted, temporary links etc)
      https://www.google.com/search?q=modx+revolution+file+download

      4) There are ways of storing files in the database. I use data:image/png;base64,... for images and would go that route + use a separate
      database.
        @hawproductions | http://mrhaw.com/

        Infograph: MODX Advanced Install in 7 steps:
        http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

        Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
        http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
      • insightdesign Reply #3, 4 years ago
        Quote from: mrhaw at Sep 23, 2014, 06:47 AM

        4) There are ways of storing files in the database. I use data:image/png;base64,... for images and would go that route + use a separate
        database.

        Hi!

        Thanks for your advice! But is there no other way to use MODx's native security to block the server files from Google search results?

        Sar
          You can put them outside the web root or into a directory with a .htaccess file containing 'Deny from all'.
          Then you can create static resources for each file, and make those resources private by putting them into resource groups.
            -------------------------------

            you can buy me a beer, if you like MIGX

            http://webcmsolutions.de/migx.html

            Thanks!
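          As an added example, not code from this thread or from MODX itself: a MODX Revolution snippet that hands a file in a directory outside the web root only to logged-in members of a user group, for the case where you want a download link rather than a static resource per file. The directory itself is never served by Apache (it is outside the web root, or carries a .htaccess with 'Deny from all' as described above), so the snippet is the only way in. Hypothetical assumptions: the files live in a `protected/` directory one level above `MODX_BASE_PATH`, the permitted user group is called `Clients`, and the snippet is called uncached as `[[!protectedDownload]]` on a resource requested as `/download.html?f=report.pdf`.

```php
<?php
/**
 * protectedDownload - added example, not from the thread.
 * Serves one file from a directory that the web server cannot reach directly,
 * but only to an authenticated member of a user group.
 *
 * Assumed (hypothetical) layout: <MODX_BASE_PATH>../protected/<file>
 * Assumed (hypothetical) user group: "Clients" (override with &group=`...`)
 */
$baseDir   = realpath(MODX_BASE_PATH . '../protected');                 // storage directory, outside web root
$groupName = $modx->getOption('group', $scriptProperties, 'Clients');   // user group allowed to download

// 1. Authentication and authorization against the current context ("web" on the front end).
$contextKey = $modx->context->get('key');
if (!$modx->user->isAuthenticated($contextKey) || !$modx->user->isMember($groupName)) {
    $modx->sendUnauthorizedPage();   // redirects to the unauthorized_page resource and exits
    return;
}

// 2. Keep only the file name from the request and confine the result to $baseDir,
//    so "../" sequences or absolute paths in ?f= cannot escape the storage directory.
$requested = isset($_GET['f']) ? basename((string) $_GET['f']) : '';
$path = ($requested !== '' && $baseDir !== false)
    ? realpath($baseDir . DIRECTORY_SEPARATOR . $requested)
    : false;
if ($path === false || !is_file($path)
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    $modx->sendErrorPage();          // 404 for anything outside the directory or missing
    return;
}

// 3. Audit trail: who fetched which file (goes to the MODX error log at INFO level).
$modx->log(modX::LOG_LEVEL_INFO, sprintf(
    'protectedDownload: user %d fetched %s',
    $modx->user->get('id'),
    basename($path)
));

// 4. Stream the file with explicit headers. noindex/no-store keep crawlers and
//    shared caches from retaining a copy should the URL ever be shared.
$mime = (strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'pdf')
    ? 'application/pdf'
    : 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Robots-Tag: noindex, nofollow');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

          Two things to check when deploying something like this: the .htaccess directive `Deny from all` is Apache 2.2 syntax and is spelled `Require all denied` on Apache 2.4, and the `realpath()` containment test only protects you if `$baseDir` itself resolved (the snippet treats a missing directory as a 404 rather than falling through to a relative path).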
          • insightdesign Reply #5, 4 years ago
            Quote from: Bruno17 at Sep 23, 2014, 08:32 AM
            you can put them outside the web-root or into a directory with a .htaccess -file with 'Deny from all'
            Then you can create static resources for each file, and make that resources private, by putting them into resource-groups.

            Hi Bruno,

            I actually thought of this..but I was worried that the htaccess file would block any incoming traffic?? Even from a static resource??

            But I'll give it a try

            Sar
            • MODX should have access to directories protected by 'Deny from all'.
              So static resources should work there.
              •
                insightdesign Reply #7, 4 years ago
                Quote from: Bruno17 at Sep 23, 2014, 09:48 AM
                MODX should have access to directories, protected by 'Deny from all'.
                So static resources should work there.

                So, I've done some testing and have been successful in placing files outside of the root directory and accessing them via a new Media Source!

                For anyone who needs to know what I did:

                1. Files on server - Place sensitive files outside of root directory.
                2. Media Source - Create a new 'Media Source' with the 'basePath' of '../' and 'baseUrl' of '../' and leave the other values as default. See screenshot for clarification.
                3. Static Resource - You can now create a 'Static Resource' and select sensitive files from outside of the root directory by selecting the new 'Media Source'!


                Thanks for your help guys!
                Sar
                • Thanks for sharing! This is great!!
                  • Be aware that static resources don't recognize Media Sources. The file browser does, which is why you can select files from a Media Source. So while this appears to work, it's very loose. What will be saved as the file path will be everything from the Media Source's base path. If you need to be more specific in your Media Source path, such as '../downloads/', that path will be lost in the actual path stored for the static resource, which might be something like 'pdfs/thisfile.pdf'. With elements, the Media Source's base_path will automatically get prepended to the partial path stored by the static element (URLs are irrelevant to this particular use case, as they won't work outside the web root).

                    The problem is that resources have no way of storing which Media Source they are using (elements have a "source" field to indicate which Media Source they're using, as well as a "static_file" field for storing the selected file's path). So the path you get when you select the file is all that the static resource will ever have.

                    There are two ways to work around this. One is to use an absolute (relative set to No) path, such as /home/domain/downloads/, for both the base_path and the base_url. This will result in the full path being what gets put into the static resource's content, minus the leading /. This has two disadvantages. The editor has to make sure the leading / is prepended to the path, and since the whole path is stored, changing the Media Source's path won't change the path of existing static resources.

                    The way I solved this was to ignore the Media Source base_url, and have a chunk with the same path as the Media Source's base_path. This chunk tag needs to be prepended to the path in the resource's content, which can be done automatically with a plugin. If the path of the Media Source is changed, you also need to edit the chunk.
                      Studying MODX in the desert - http://sottwell.com
                      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                      Join the Slack Community - http://modx.org
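                    As an added example, not code from this thread or from any MODX extra, the plugin that the previous post describes: it prepends a chunk tag holding the real directory to the content of a static resource on save, so the path stored by the file browser stays relative and the directory can be changed in one place. Hypothetical assumptions: the chunk is named `pdfBasePath` and contains the absolute directory outside the web root with a trailing slash (for instance `/home/domain/downloads/`), and the plugin is attached to the system event `OnBeforeDocFormSave`.

```php
<?php
/**
 * Added example, not from the thread: MODX Revolution plugin for OnBeforeDocFormSave.
 * Prepends [[$pdfBasePath]] to the content of static resources so that the file browser's
 * relative path (e.g. "pdfs/thisfile.pdf") is resolved against the directory held in the
 * chunk when MODX reads the static file.
 *
 * Assumed (hypothetical) chunk name: pdfBasePath, containing e.g. /home/domain/downloads/
 */
if ($modx->event->name !== 'OnBeforeDocFormSave') {
    return;
}

/** @var modResource $resource  (passed in by the event) */
if (!isset($resource) || $resource->get('class_key') !== 'modStaticResource') {
    return;   // only static resources keep a file path in their content
}

$chunkTag = '[[$pdfBasePath]]';
$content  = trim((string) $resource->get('content'));
if ($content === '') {
    return;   // nothing selected yet; let the editor save an empty resource
}

// Idempotent: a resource that is re-saved must not get the tag twice.
if (strpos($content, $chunkTag) === 0) {
    return;
}

// Refuse paths that could step out of the base directory once the two are joined.
// Returning a non-empty message through the event aborts the save in the manager.
if (strpos($content, '..') !== false || strpos($content, "\0") !== false) {
    $modx->event->output('Static resource path must not contain ".." segments.');
    return;
}

// Strip a leading slash so the chunk's trailing slash is the only separator,
// then store the tag-prefixed path; the processor saves $resource after this event.
$resource->set('content', $chunkTag . ltrim($content, '/'));
```

                    The traversal check is there because the joined path is built from two sources (the chunk and whatever the editor typed or selected); keeping `..` out of the stored part means the chunk alone decides which directory can be reached. When the directory moves, edit the chunk and the existing static resources follow without being re-saved.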