Website Web Visitor Monitor ==> file:///Users/jasonfarnham/Desktop/Desktop/christmas

Lynn Nagrani

May 19, 2012, 11:44:55 AM
to atlan...@googlegroups.com
My website has chat with a real-time monitor of all my web visitors.  Every now and then I see a present link like:

file:///Users/jasonfarnham/Desktop/Desktop/christmas

I'm guessing this means a web visitor is somehow downloading one of my web pages.  I have tried to get file:///Users . . . to show up from my computer but have been unable to do so.  I've added the web visitor IP address to the Deny Table every time I see this.  Am I overreacting or what is happening here?

1 - Is this a security problem?
2 - How do I make file://. . . . show up on my web visitor monitor list?

Thanks loads for any info.
Lynn Nagrani

Kevin Roberts

May 20, 2012, 7:05:44 PM
to atlan...@googlegroups.com
Hi Lynn.

I'm not the security expert in the group, but it appears to me that a person clicking on that link would end up with the file loading into their browser from the local file system on their own machine (not yours) provided the file actually exists at that location and provided the href of the link in the comment is pointing to the same place.

Kevin

Frank Rietta

May 22, 2012, 3:08:28 PM
to atlan...@googlegroups.com
On Saturday, May 19, 2012 11:44:55 AM UTC-4, Lynn Nagrani wrote:
My website has chat with a real-time monitor of all my web visitors.  Every now and then I see a present link like:

file:///Users/jasonfarnham/Desktop/Desktop/christmas

I'm guessing this means a web visitor is somehow downloading one of my web pages.  I have tried to get file:///Users . . . to show up from my computer but have been unable to do so.  I've added the web visitor IP address to the Deny Table every time I see this.  Am I overreacting or what is happening here?

Lynn,

You are correct that a URL beginning with file:// references a local file on the visitor's computer.  You will not have access to that path on your system and thus I wouldn't worry about it much if I were you.  It is typical to see local files as referrer URLs when either someone has saved a page that links to yours on their local computer or if they are the recipient of a message from one of the "Email This Page" buttons that are in the File menu of many browsers.

I am not aware of any extraordinary security vulnerabilities that you would face from having the chat widget on your site that is copied to a user's local system. At worst you might get a little spam.  I do not see how that would enable an adversary to gain access to your systems.  Be sure to pay attention to the usual cross-site request forgery vulnerabilities on your server-side coding and you will be fine.

If you are concerned with website security in general, a good resource to start with is the OWASP TOP 10 list at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.  If, in your website coding, you actively address all of those issues, then you are well on your way to being one of the most secure websites on the internet!

I hope this helps.

Frank
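
An added example, not written by anyone in this thread: a small Python triage of the URLs a visitor monitor reports, separating file:// entries (a saved copy opened on the visitor's own machine) from the site's own pages and from external sites. The host names, the sample records and the function names are assumptions made for illustration; the redaction step is also an addition, there because the directories in a file:// path name the visitor's local account.

```python
from collections import Counter
from posixpath import basename
from urllib.parse import urlsplit

# Assumption: the site's own host names (placeholders).
SITE_HOSTS = {"example.com", "www.example.com"}

# Constructed sample records: (visitor IP, URL shown by the monitor).
SAMPLE = [
    ("203.0.113.10", "http://www.example.com/products.html"),
    ("203.0.113.11", "file:///Users/jasonfarnham/Desktop/Desktop/christmas"),
    ("203.0.113.12", "https://search.example.net/?q=widgets"),
    ("203.0.113.13", ""),
    ("203.0.113.14", "file:///C:/Users/visitor/Documents/saved.html"),
    ("203.0.113.15", "FILE:///home/visitor/page.html"),
]

def classify(url):
    """Bucket a monitor URL by where it points."""
    if not url or url == "-":
        return "none"
    parts = urlsplit(url)  # urlsplit lower-cases the scheme and hostname
    if parts.scheme == "file":
        return "local-file"
    if parts.scheme in ("http", "https"):
        return "own-site" if (parts.hostname or "") in SITE_HOSTS else "external-site"
    return "other"

def redact(url):
    """Keep only the file name of a file:// URL before it is stored."""
    if classify(url) != "local-file":
        return url
    return "file:///<redacted>/" + basename(urlsplit(url).path)

def summarize(records):
    """Count categories and list the local-file visitors with redacted paths."""
    counts = Counter(classify(url) for _, url in records)
    local = [(ip, redact(url)) for ip, url in records
             if classify(url) == "local-file"]
    return counts, local

if __name__ == "__main__":
    counts, local = summarize(SAMPLE)
    print(dict(counts))
    for ip, url in local:
        print(ip, url, "-> path on the visitor's machine, not on the server")
```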