Updater URL - Updates server security


Postby hovhannest » Thu Sep 23, 2010 3:23 pm

Hello

I'm trying to minimize the vulnerability of the update server that hosts my updates (msi, exe) by limiting potential downloads only to updater.

As an example, let's consider that the following URLs (note they are rewritten) are used by updater and updates server,
updater URL : http://my_domain/downloads/product_name/updates/v15
license verification URL : http://my_domain/downloads/product_name ... fy_license

First of all the license verification URL is called by updater, and I'd like to pass some application specific token (security token) back to the updater along with success code after license verification process.

Afterwards, updater.exe starts actual downloading by calling my download URL and I'd like updater to pass my application generated token back to my application in order to verify that the request came from a valid updater (actually a client that passed verification....) rather than it was requested using browser...

Is there any such mechanism or something else that can help me to find a workaround?

Thank you in advance,
Hovhannes
hovhannest
 
Posts: 2
Joined: Thu Sep 23, 2010 2:43 pm

Re: Updater URL - Updates server security

Postby Bogdan » Fri Sep 24, 2010 2:19 pm

Hi Hovhannes,

I'm afraid there is no predefined support in Advanced Installer for this.

What you can try to do is to simply check the user-agent that accesses the URL. Our updater has the user-agent "AdvancedInstaller".
Any other user-agents should be refused, to make sure the link can be accessed only by our updater.

Regards,
Bogdan
Bogdan Mitrache - Advanced Installer Team
Bogdan
 
Posts: 2602
Joined: Tue Jul 07, 2009 7:34 am

Re: Updater URL - Updates server security

Postby e1469699 » Mon Mar 03, 2014 4:36 pm

Bogdan wrote:Hi Hovhannes,

I'm afraid there is no predefined support in Advanced Installer for this.

What you can try to do is to simply check the user-agent that accesses the URL. Our updater has the user-agent "AdvancedInstaller".
Any other user-agents should be refused, to make sure the link can be accessed only by our updater.

Regards,
Bogdan

Hello my brother.
I use licensing from a server.
This picture is an example. My URL is different from it:
Image
My SQL and .php: okay, no problem.
But when a user uses a sniffer tool (Network Associates Sniffer or Analyzer: a public domain protocol analyzer, or Windump, or Dsniff, etc.)
Then the user installs my software:
Image
And at that moment, they can read and know my URL: .php -> although I don't like this:
Image
Okay. But the "User-Agent": I want to change it. Can you teach me?
Please help me and give me a way: how to change it?
Thank you so much
e1469699
 
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Postby Daniel » Tue Mar 04, 2014 11:34 am

Hello and welcome to Advanced Installer forums,

Thank you for your interest in Advanced Installer.

Please take a look at the "Check String and User Agent" thread, which should be useful for you.

If you have any questions just let us know.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Daniel
 
Posts: 3538
Joined: Mon Apr 02, 2012 1:11 pm

Re: Updater URL - Updates server security

Postby e1469699 » Tue Mar 04, 2014 2:59 pm

Daniel wrote:Hello and welcome to Advanced Installer forums,

Thank you for your interest in Advanced Installer.

Please take a look at the "Check String and User Agent" thread, which should be useful for you.

If you have any questions just let us know.

All the best,
Daniel

Thank you so much, my brother.
But I think it is Firefox. We are AdvancedInstaller.
It is different. Maybe, I don't know.
But can you tell me more and more...
I tried to configure it in the project, but I can't find it.
e1469699
 
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Postby Daniel » Wed Mar 05, 2014 2:34 pm

Hello,

You can use the implementation described in the above thread as a starting point in order to achieve what you want. Unfortunately, I'm afraid we don't have any sample PHP code which can be used for the related scenario. Therefore, you should develop your server-side validation PHP script from scratch depending on your specific scenario.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Daniel
 
Posts: 3538
Joined: Mon Apr 02, 2012 1:11 pm

Re: Updater URL - Updates server security

Postby e1469699 » Thu Mar 06, 2014 9:31 am

Daniel wrote:Hello,

You can use the implementation described in the above thread as a starting point in order to achieve what you want. Unfortunately, I'm afraid we don't have any sample PHP code which can be used for the related scenario. Therefore, you should develop your server-side validation PHP script from scratch depending on your specific scenario.

All the best,
Daniel

Thank you so much.
I try a new php code.
e1469699
 
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Postby Daniel » Thu Mar 06, 2014 9:43 am

You're welcome.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Daniel
 
Posts: 3538
Joined: Mon Apr 02, 2012 1:11 pm

Re: Updater URL - Updates server security

Postby e1469699 » Thu Mar 06, 2014 4:57 pm

Daniel wrote:You're welcome.

All the best,
Daniel

Although my case is different from this thread, I am very shy (afraid) to create a new thread, because my case is also nearly the same (nearly identical)...
The .php and .sql I used are from the example: http://www.advancedinstaller.com/exampl ... dation.zip
Okay, very good, I used the RegLimit folder, and it is useful for me.
but present, i want more and more: i can't know about: Ip, Idcomputer, time... when user use key.
Can you tell me more about them? I think I need to repair the .php and .sql.
But I am a newbie at .php and .sql.
Hoping for a miracle from you, an angel.
Thanks
e1469699
 
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Postby Daniel » Mon Mar 10, 2014 5:11 pm

Hello,

but present, i want more and more: i can't know about: Ip, Idcomputer, time... when user use key.

For this you can add your own custom code within the server-side validation script. Here are some threads which should be useful:
- Get current date and time in PHP
- Get Client IP address using PHP

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Daniel
 
Posts: 3538
Joined: Mon Apr 02, 2012 1:11 pm

Re: Updater URL - Updates server security

Postby e1469699 » Tue Mar 11, 2014 11:20 am

Daniel wrote:Hello,

but present, i want more and more: i can't know about: Ip, Idcomputer, time... when user use key.

For this you can add your own custom code within the server-side validation script. Here are some threads which should be useful:
- Get current date and time in PHP
- Get Client IP address using PHP

All the best,
Daniel

Thanks, my friend.
I will try in the .php.
And in the .sql: do I need to change it or not?
Thank you so much.
(P.S. Sorry, because I am a newbie at .php)
e1469699
 
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Postby Daniel » Thu Mar 13, 2014 2:07 pm

Hello,

If you want to store additional user information such as IP, date, etc. in your database, then you can add new columns (e.g. IP, date, etc.) to your "clients" table. However, it is up to you how you want to manage the user information.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Daniel
 
Posts: 3538
Joined: Mon Apr 02, 2012 1:11 pm
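
Added example (not part of the original thread and not Advanced Installer's sample code): a server-side validation script in PHP that combines the User-Agent check suggested earlier in the thread with the extra IP and date columns on the "clients" table. The `key` request parameter and the `license_key`, `last_ip` and `last_seen` column names are assumptions; because the User-Agent header is supplied by the client, the check filters ordinary browser requests and does not authenticate the updater.

```php
<?php
// Added example. Assumed names: parameter "key", columns license_key / last_ip / last_seen.
const UPDATER_USER_AGENT = 'AdvancedInstaller'; // value quoted in the thread

function is_updater_request(array $server): bool
{
    // Client-supplied header: filters browsers, does not authenticate the caller.
    return ($server['HTTP_USER_AGENT'] ?? '') === UPDATER_USER_AGENT;
}

function record_key_use(PDO $db, string $key, array $server): bool
{
    // REMOTE_ADDR is the connecting peer; X-Forwarded-For is client-settable, so ignored.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Prepared statement: the key never becomes part of the SQL text.
    $stmt = $db->prepare(
        'UPDATE clients SET last_ip = :ip, last_seen = :seen WHERE license_key = :key'
    );
    $stmt->execute([':ip' => $ip, ':seen' => gmdate('Y-m-d H:i:s'), ':key' => $key]);
    // On MySQL, enable PDO::MYSQL_ATTR_FOUND_ROWS so an unchanged row still counts.
    return $stmt->rowCount() === 1;
}

function handle_request(PDO $db, array $server, array $params): int
{
    if (!is_updater_request($server)) {
        return 403; // not the updater's User-Agent
    }
    $key = $params['key'] ?? '';
    if (!is_string($key) || $key === '') {
        return 400; // missing or malformed key
    }
    return record_key_use($db, $key, $server) ? 200 : 404;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (license_key TEXT PRIMARY KEY, last_ip TEXT, last_seen TEXT)');
$db->exec("INSERT INTO clients (license_key) VALUES ('DEMO-KEY-0001')");
$updater = ['HTTP_USER_AGENT' => 'AdvancedInstaller', 'REMOTE_ADDR' => '203.0.113.7'];
$browser = ['HTTP_USER_AGENT' => 'Mozilla/5.0', 'REMOTE_ADDR' => '203.0.113.8'];
echo handle_request($db, $updater, ['key' => 'DEMO-KEY-0001']), "\n";
echo handle_request($db, $browser, ['key' => 'DEMO-KEY-0001']), "\n";
echo handle_request($db, $updater, ['key' => 'UNKNOWN']), "\n";
```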

