LarryM wrote:
>This has probably been discussed many times but I can't find
>any good answers so I must ask (again):
>
>1. Which files can a visitor browse? Is he restricted
>to the webdirectory and the subdirectories?
Yes, only the document root and subdirs are accessible.
>If he knows the
>path to a certain file on the server outside the
>webdirectory, is he then also able to browse or edit or
>download it?
No, as long as there are no security holes. There are sites where it's
possible to run malicious code from outside. So be _very_ careful if
you use server side scripting and something like this:

www.example.com/?showpage=news.txt

It's in general bad design and might become a big security hole when
the parameter 'showpage' is not checked correctly. Unfortunately the
following is possible on many sites (running Linux, for example):

www.example.com/?showpage=/etc/passwd
>2. Can you use hidden directories on the server for
>certain files?
Yes, but it makes no real sense. Below the document root they're
browsable if the user knows the name and outside the docroot it's not
necessary because it's no real protection.
>3. Is there a way to protect, for instance, image files?
It depends: If you try to prevent the user from storing your images to
disk then the answer is no.
>I hope that, if you are using ASP, the ASP code can
>refer to directories and files outside the webdirectory, and
>then be able to display, for instance, image files that are
>otherwise not visible to a user?
Should be possible.
>4. What is the way to browse the files on a website?
>5. All these bank web sites and e trade sites - of
>course you cannot browse their files, but how do you
>construct such protection?
Depends on the server configuration. You can protect directories and
hierarchies with a .htaccess (Apache) or put an index.html in that dir
which shows an error message or forwards to a 403-page (403 is the
HTTP-error "forbidden"). Read your server manual or ask your provider.

Micha
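The 'showpage' problem Micha describes, as an added example that is not part of the thread or of any project mentioned in it. It builds a constructed document root under a temporary directory, puts a constructed stand-in for /etc/passwd outside it, and shows a handler written the naive way next to one that canonicalises the requested path and refuses anything that resolves outside the pages directory. Every path, file name and function name here is an assumption chosen for the demonstration; the web framework that hands you the decoded query parameter is not shown.

```python
"""Added example: an unchecked 'showpage' handler and a hardened one.

Nothing here is taken from the forum thread; the docroot layout, the
file contents and the function names are all constructed for the demo.
"""
import os
import shutil
import tempfile

NEWS = "Latest news: site launched\n"
SECRET = "root:x:0:0:root:/root:/bin/sh\n"  # constructed stand-in for /etc/passwd


def setup_docroot():
    """Create <base>/htdocs/pages/news.txt (legitimate) and <base>/secret.txt
    (outside the document root). Returns (docroot, secret_path)."""
    base = tempfile.mkdtemp(prefix="showpage-demo-")
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "pages"))
    with open(os.path.join(docroot, "pages", "news.txt"), "w") as f:
        f.write(NEWS)
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write(SECRET)
    return docroot, secret


def show_page_vulnerable(docroot, showpage):
    """The pattern criticised in the thread: the parameter is joined onto the
    docroot with no check at all. os.path.join discards docroot entirely when
    showpage is absolute, and '..' components walk out of it."""
    path = os.path.join(docroot, "pages", showpage)
    with open(path) as f:
        return f.read()


def show_page_hardened(docroot, showpage):
    """Allowlist the shape of the name, then confirm the resolved path is
    inside the pages directory even after symlinks are followed."""
    pages_dir = os.path.realpath(os.path.join(docroot, "pages"))
    # A page name is exactly one path component and not a dotfile,
    # so '/etc/passwd', '../x' and '.htaccess' are rejected before any I/O.
    if not showpage or showpage != os.path.basename(showpage) or showpage.startswith("."):
        raise PermissionError("invalid page name")
    candidate = os.path.realpath(os.path.join(pages_dir, showpage))
    # Containment check: the canonical target must still be below pages_dir.
    # This is what catches a symlink inside pages/ that points elsewhere.
    if os.path.commonpath([pages_dir, candidate]) != pages_dir:
        raise PermissionError("path escapes document root")
    with open(candidate) as f:
        return f.read()


def _attempt(fn, docroot, showpage):
    try:
        fn(docroot, showpage)
        return "served"
    except (PermissionError, FileNotFoundError):
        return "blocked"


def demo():
    """Run both handlers against legitimate and hostile inputs.
    Returns a dict of outcomes so the behaviour can be checked."""
    docroot, secret = setup_docroot()
    base = os.path.dirname(docroot)
    results = {}
    try:
        results["legit_vuln"] = show_page_vulnerable(docroot, "news.txt")
        results["absolute_vuln"] = show_page_vulnerable(docroot, secret)
        results["traversal_vuln"] = show_page_vulnerable(docroot, "../../secret.txt")

        results["legit_hardened"] = show_page_hardened(docroot, "news.txt")
        for name, attempt in (("absolute", secret),
                              ("traversal", "../../secret.txt"),
                              ("dotfile", ".htaccess")):
            results[name + "_hardened"] = _attempt(show_page_hardened, docroot, attempt)

        # A symlink placed inside pages/ that points outside the docroot:
        # the name passes the allowlist, only the realpath check stops it.
        link = os.path.join(docroot, "pages", "link.txt")
        try:
            os.symlink(secret, link)
            results["symlink_hardened"] = _attempt(show_page_hardened, docroot, "link.txt")
        except OSError:  # symlinks may be unavailable on some platforms
            results["symlink_hardened"] = "unsupported"
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value!r}")
```

Run the check on the parameter after the framework has URL-decoded it (that is what you get from a request object anyway), otherwise `..%2f` slips past a string comparison. The allowlist on the name is the real control; the realpath containment check is there for the case the thread's reply hints at, where something inside the docroot points outside it.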