Umbraco exposing too much???
Hi
In my response to the post at http://our.umbraco.org/forum/developers/xslt/3410-How-secure-would-this-REST-call-be-in-XSLT, it got me realising that Umbraco allows too much access to its folders such as /xslt and /data. For instance http://heinz.com/data/access.xml, although it is empty, could hold some information that may be useful to a potential hacker. I couldn't find any sites where I could access the xslt, but that's probably because one needs to guess the names of the xslt first.
A quick glance suggests that the following folders should be denied access by the web user:
/data
/xslt
/python
Python isn't a risk since, I suspect, .py files are not registered by default with IIS. However, a Python writer might be tempted to put some sensitive files next to their .py file in this folder.
Other folders such as usercontrols, config and masterpages are protected since .aspx, .ascx, .cs, .config are already protected by default by ASP.NET.
I've only just started my experience with Umbraco, and perhaps I'm missing something here, but surely these should be protected by default?
There are various solutions:
Add handlers for files in the folders - e.g. set a 404 or access denied handler for xslt/*, etc
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Standalone web.config: removes the allow-all URL authorization rule
         inherited from applicationHost.config, so the IIS 7 URL Authorization
         module has no matching Allow rule and denies requests to the folder -->
    <configuration>
      <system.webServer>
        <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
          </authorization>
        </security>
      </system.webServer>
    </configuration>
Either 2 or 3 would be my preferred option. None seem to break Umbraco.
I'd be interested in people's thoughts.
Regards
Lee
A question about those methods: if the IIS site is not passing, say, .xslt extensions through to the asp_net ISAPI, then would the web.config setting help anything? I'm guessing that you cannot guarantee protection of static files by asp.net configuration alone. You would have to lock down your IIS site as well, or make sure that every request goes through asp.net. Is this a correct assumption?
If it is, then it may provide a false sense of security if people assume that they are protected, even if they are actually not?
On the other hand, maybe you can secure a percentage of sites by default, and the others will have to config themselves.
I have seen a couple of blog posts around on how to lock down your umbraco installation when going into production. This is one of them:
http://www.motusconnect.com/blog/2009/3/6/umbraco-security-best-practices
Hi Morten
Sorry, I should have clarified that this is IIS 7 and therefore the protection is possible. Of course, that would mean that pre-v7 wouldn't be protected.
Maybe Umbraco should allow those folders to be hosted outside of the website root if the owner prefers?
Lee
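As an added example (not from the thread, and not Umbraco's own configuration), a site-root web.config that makes Morten's distinction concrete for the IIS 7 case Lee confirms: the system.webServer rules are enforced by IIS's URL Authorization module for every request in integrated pipeline mode, static .xml and .xslt files included, while the system.web rules only reach requests ASP.NET actually handles. It assumes the URL Authorization feature is installed and the folders sit directly under the site root, as in Lee's list.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread: site-root web.config for an
     IIS 7 site in integrated pipeline mode. Requires the IIS
     "URL Authorization" feature to be installed. -->
<configuration>
  <location path="data">
    <system.webServer>
      <security>
        <authorization>
          <!-- Evaluated by IIS itself for every request to /data,
               static .xml files included. Remove the inherited
               allow-all rule, then deny explicitly rather than relying
               on "no rule matched". -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
    <system.web>
      <!-- Only reached by requests ASP.NET handles. On IIS 6, or in
           classic mode, a .xml or .xslt request never gets here, which
           is the false sense of security Morten describes. -->
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- /xslt and /python get the same IIS-level rule -->
  <location path="xslt">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
  <location path="python">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

On IIS 6 the system.web rule alone protects nothing for .xml or .xslt unless those extensions (or a wildcard) are mapped to aspnet_isapi.dll, so there the folders must be locked down in IIS itself.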
The owner can still lock down the folders using other methods like the ones described in Paul's blog, so I don't think it is a big issue as such. However, I see a point in providing the information to the users so that they are aware that they need to handle this.
Hi Morten
Looking at Paul's blog, there is nothing more there than the readme.txt in the web site root. But these just harden the access that the app pool user has; it isn't doing anything to restrict access that the end-user has.
Although Umbraco does a check to see if it can run, I'd like to see it also do a check and highlight issues such as these - even if it cannot do anything itself about it. To me, the files in those folders are source files and data files that a web application should protect (or at least highlight that they need protection).
Regards
Lee