
  • Eirik 25 posts 75 karma points
    Apr 08, 2013 @ 15:45
    Eirik
    0

    Unexpected security issue on protected content

    Hi all,


    I have developed a site based on Umbraco 4.7.1.1. On this site I created a protected area according to the specifications where users can log in with a username and password. Under the folder (in the content tree), I added several files. Both the folder and the files under it are shown with the "forbidden" symbol (see attached image). However, if you guess the path to the file, and the filename, you are able to access and download these files without being authenticated. My files are not top secret, but it's definitely a serious security issue in my opinion, unless I did something wrong ;-)


    Best regards,

    Eirik

  • Alex Skrypnyk 6134 posts 23953 karma points MVP 8x admin c-trib
    Apr 08, 2013 @ 16:13
    Alex Skrypnyk
    0

    When we struggled with this issue, we created a custom security module. Security of folders with files should be at the IIS level.

    Thanks,

    Alex

  • Eirik 25 posts 75 karma points
    Apr 08, 2013 @ 16:30
    Eirik
    0

    Thanks for your reply Alex.

    I agree with you that security of folders with files can be set in IIS, but this is not a good option. We want the application (in this case Umbraco) to handle this for us, and that is also a natural place to do it. Umbraco should know everything in terms of the structure to be able to protect files under a folder. My question is whether this is a security bug or intended functionality. If it is intended functionality, why is Umbraco showing the forbidden sign on the files in the content tree (in the backend)? That gives me, at least, the impression of protected files, which they are not.

    Eirik


  • Alex Skrypnyk 6134 posts 23953 karma points MVP 8x admin c-trib
    Apr 08, 2013 @ 20:17
    Alex Skrypnyk
    0

    Are these files under the Media section?

    Are the files available via a direct URL?

    Alex

  • Eirik 25 posts 75 karma points
    Apr 08, 2013 @ 20:38
    Eirik
    0

    Hi Alex,

    yes, the files are under the media section

    example URL  

    If you know that path, the files are yours. Authenticated or not.

    Eirik

  • Jeavon Leopold 3073 posts 13630 karma points MVP 11x admin c-trib
    Apr 08, 2013 @ 21:17
    Jeavon Leopold
    0

    Hi Eirik, I think you will need the Media Protect package to secure the files in the media section: http://our.umbraco.org/projects/website-utilities/media-protect

    Jeavon

  • Alex Skrypnyk 6134 posts 23953 karma points MVP 8x admin c-trib
    Apr 08, 2013 @ 22:07
    Alex Skrypnyk
    0

    It's because static files aren't processed by Umbraco. You need custom functionality or just the package, as Jeavon said.

    Thanks

    Alex
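    The "custom security module" route Alex mentions, as an added example that is not code from this thread, from Umbraco or from the Media Protect package: an ASP.NET HttpModule that refuses anonymous requests for anything under /media/ before IIS's static-file handler serves it. It assumes IIS integrated mode with runAllManagedModulesForAllRequests="true" (otherwise managed modules never see static files, which is exactly why the files are open), and that member login sets an ASP.NET forms-authentication ticket so HttpContext.User reflects the logged-in member; the class name, the /media/ prefix and the web.config registration are assumptions for this example.

    ```csharp
    using System;
    using System.Web;

    // Hypothetical module, registered in web.config under
    // <system.webServer><modules runAllManagedModulesForAllRequests="true">
    //   <add name="ProtectedMedia" type="ProtectedMediaModule" />
    // </modules></system.webServer>
    public class ProtectedMediaModule : IHttpModule
    {
        // Folder Umbraco uploads media into; assumed for this example.
        private const string ProtectedPrefix = "/media/";

        public void Init(HttpApplication app)
        {
            // AuthorizeRequest fires after authentication, so User is populated.
            app.AuthorizeRequest += OnAuthorizeRequest;
        }

        private static void OnAuthorizeRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            var ctx = app.Context;

            if (!IsProtectedPath(ctx.Request.AppRelativeCurrentExecutionFilePath))
                return;

            var identity = ctx.User != null ? ctx.User.Identity : null;
            if (identity != null && identity.IsAuthenticated)
                return;

            // 401 here; FormsAuthenticationModule turns it into a login redirect.
            ctx.Response.StatusCode = 401;
            ctx.Response.StatusDescription = "Unauthorized";
            app.CompleteRequest();
        }

        // Decision kept in a pure helper so it can be unit-tested on its own.
        // AppRelativeCurrentExecutionFilePath looks like "~/media/1001/report.pdf".
        public static bool IsProtectedPath(string appRelativePath)
        {
            if (string.IsNullOrEmpty(appRelativePath)) return false;
            var path = appRelativePath.StartsWith("~") ? appRelativePath.Substring(1) : appRelativePath;
            // Case-insensitive: IIS serves /Media/x.pdf and /media/x.pdf as the same file.
            return path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase);
        }

        public void Dispose() { }
    }
    ```

    This gates the whole media folder on "logged in at all", not on the per-node public-access rules in the content tree; mapping those rules onto folders is what the package does. After deploying, verify with an anonymous request for a known media URL that the response is a redirect or 401 rather than the file.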

  • Eirik 25 posts 75 karma points
    Apr 09, 2013 @ 08:53
    Eirik
    0

    I think this is something Umbraco should look into. Either find a solution, for example include a package by default (like the Media Protect package), or be very clear that certain items (i.e. files) are not protected even if this impression is given by the forbidden sign. I am sure that many people/organizations today who have implemented a CMS based on Umbraco think they have protected their media files, which is not correct. They are open to the whole world.

    Thank you for your help!

    Cheers,

    Eirik
