hovhannest
Posts: 2
Joined: Thu Sep 23, 2010 2:43 pm

Updater URL - Updates server security

Thu Sep 23, 2010 3:23 pm

Hello

I'm trying to minimize the vulnerability of the update server that hosts my updates (msi, exe) by limiting potential downloads only to updater.

As an example, let's consider that the following URLs (note they are rewritten) are used by updater and updates server,
updater URL : http://my_domain/downloads/product_name/updates/v15
license verification URL : http://my_domain/downloads/product_name/updates/verify_license

First of all the license verification URL is called by updater, and I'd like to pass some application specific token (security token) back to the updater along with success code after license verification process.

Afterwards, updater.exe starts actual downloading by calling my download URL and I'd like updater to pass my application generated token back to my application in order to verify that the request came from a valid updater (actually a client that passed verification....) rather than it was requested using browser...

Is there any such mechanism or something else that can help me to find a workaround?

Thank you in advance,
Hovhannes

Bogdan
Posts: 2791
Joined: Tue Jul 07, 2009 7:34 am
Contact:  Website

Re: Updater URL - Updates server security

Fri Sep 24, 2010 2:19 pm

Hi Hovhannes,

I'm afraid there is no predefined support in Advanced Installer for this.

What you can try to do is to simply check the user-agent that accesses the URL. Our updater has the user-agent "AdvancedInstaller".
Any other user-agents should be refused, to make sure the link can be accessed only by our updater.

Regards,
Bogdan
Bogdan Mitrache - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

e1469699
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Mon Mar 03, 2014 4:36 pm

Bogdan wrote:Hi Hovhannes,

I'm afraid there is no predefined support in Advanced Installer for this.

What you can try to do is to simply check the user-agent that accesses the URL. Our updater has the user-agent "AdvancedInstaller".
Any other user-agents should be refused, to make sure the link can be accessed only by our updater.

Regards,
Bogdan
Hello my brother.
I use a Liscensing from server.
This picture is example. My URL is different with it:
Image
. My SQL and .php: okay. no problem.
But when user use a Sniffer Tool ( Network Associates Sniffer or Analyzer: a public domain protocol analyzer or Windump or Dsniff ...ect)
Then user install my soft:
Image
And at the moment, they can read and know about my URL: .php -> althought, i don't like this:
Image
Okay. But with: "User-Agent" : I want change. Can you teach me?
Please help me and for me a way: How to change?
thanks you so much

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Updater URL - Updates server security

Tue Mar 04, 2014 11:34 am

Hello and welcome to Advanced Installer forums,

Thank you for your interest in Advanced Installer.

Please take a look on the "Check String and User Agent" thread which should be useful for you.

If you have any questions just let us know.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

e1469699
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Tue Mar 04, 2014 2:59 pm

Daniel wrote:Hello and welcome to Advanced Installer forums,

Thank you for your interest in Advanced Installer.

Please take a look on the "Check String and User Agent" thread which should be useful for you.

If you have any questions just let us know.

All the best,
Daniel
Thank you so much, my brother.
But i think it is firefox. We are advancedinstaller.
It is different. Maybe, i don't know.
but can you tell me more and more...
I try config at project, but i can't find

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Updater URL - Updates server security

Wed Mar 05, 2014 2:34 pm

Hello,

You can use the implementation described in the above thread as a starting point in order to achieve what you want. Unfortunately, I'm afraid we don't have any sample PHP code which can be used for the related scenario. Therefore, you should develop your server-side validation PHP script from scratch depending on your specific scenario.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

e1469699
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Thu Mar 06, 2014 9:31 am

Daniel wrote:Hello,

You can use the implementation described in the above thread as a starting point in order to achieve what you want. Unfortunately, I'm afraid we don't have any sample PHP code which can be used for the related scenario. Therefore, you should develop your server-side validation PHP script from scratch depending on your specific scenario.

All the best,
Daniel
Thank you so much.
I try a new php code.

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Updater URL - Updates server security

Thu Mar 06, 2014 9:43 am

You're welcome.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

e1469699
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Thu Mar 06, 2014 4:57 pm

Daniel wrote:You're welcome.

All the best,
Daniel
Althought, my case is different with this thread. But i am very shy (afraid) if i create a new thread. Because my case also nearly the same (nearly identical)...
.php and .sql i used at example: http://www.advancedinstaller.com/exampl ... dation.zip
okay very good, i used RegLimit folder, and it useful for me.
but present, i want more and more: i can't know about: Ip, Idcomputer, time... when user use key.
Can you tell me more about them. I think i need repair: .php and .sql
But i am newbie at .php and .sql
Hope a miracle from you, an angel
Thanks

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Updater URL - Updates server security

Mon Mar 10, 2014 5:11 pm

Hello,
but present, i want more and more: i can't know about: Ip, Idcomputer, time... when user use key.
For this you can add your own custom code within the server-side validation script. Here are some threads which should be useful:
- Get current date and time in PHP
- Get Client IP address using PHP

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

e1469699
Posts: 7
Joined: Mon Mar 03, 2014 4:00 pm

Re: Updater URL - Updates server security

Tue Mar 11, 2014 11:20 am

Daniel wrote:Hello,
but present, i want more and more: i can't know about: Ip, Idcomputer, time... when user use key.
For this you can add your own custom code within the server-side validation script. Here are some threads which should be useful:
- Get current date and time in PHP
- Get Client IP address using PHP

All the best,
Daniel
Thanks, my friend.
i try at .php
and at .sql: I need change or don't change?
Thank you so much.
(p,s. sorry because i am newbie at .php)

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Updater URL - Updates server security

Thu Mar 13, 2014 2:07 pm

Hello,

If you want to store in your databases additional users information like IP, date, etc, then you can add in your "clients" table new columns (e.g. IP, date, etc.). However, it is up to you how you want to manage the users information.

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Return to “Feature Requests”