Unexpected security issue on protected content
Hi all,
I have developed a site based on Umbraco 4.7.1.1. On the site I created a protected area according to the specifications, where users can log in with a username and password. Under the folder (in the content tree), I added several files. Both the folder and the files under it are shown with the "forbidden" symbol (see attached image). However, if you guess the path to the file and the filename, you are able to access and download these files without being authenticated. My files are not top secret, but it's definitely a serious security issue in my opinion, unless I did something wrong ;-)
Best regards,
Eirik
When we struggled with this issue, we created a custom security module. Security of folders with files should be on the IIS level.
Thanks,
Alex
Thanks for your reply Alex.
I agree with you that security of folders with files can be set in IIS, but this is not a good option. We want the application (in this case Umbraco) to handle this for us, and that is also the natural place to do it. Umbraco should know everything in terms of the structure to be able to protect files under a folder. My question is whether this is a security bug or intended functionality. If it is intended functionality, why is Umbraco showing the forbidden sign on the files in the content tree (in the backend)? That gives at least me the impression of protected files, which they are not.
Eirik
Are these files under the Media Section?
Are the files available via direct URL?
Alex
Hi Alex,
Yes, the files are under the media section.
example URL
If you know that path, the files are yours. Authenticated or not.
Eirik
Hi Eirik, I think you will need the Media Protect package to secure the files in the media section: http://our.umbraco.org/projects/website-utilities/media-protect
Jeavon
It's because static files aren't processed by Umbraco. You need custom functionality or just a package, as Jeavon said.
Thanks
Alex
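The "custom security module" approach Alex describes, as an added illustration that is not Umbraco's, Media Protect's, or any poster's code: an ASP.NET IHttpModule that intercepts direct requests to files under a protected media folder and requires a logged-in member. It assumes the IIS 7 integrated pipeline with runAllManagedModulesForAllRequests="true" (so static files pass through managed modules), Forms authentication for members, and a hypothetical folder prefix /media/protected/.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module (example code): blocks unauthenticated direct downloads
// of static files under a protected media folder that Umbraco itself does not
// process. Register it under <system.webServer><modules> in web.config.
public class ProtectedMediaModule : IHttpModule
{
    // Assumed folder prefix to protect; adjust to your own protected media folder.
    private const string ProtectedPrefix = "/media/protected/";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after authentication, so ctx.User is populated.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    // Pure decision rule, kept separate from the pipeline so it can be unit tested.
    public static bool IsAllowed(string virtualPath, bool isAuthenticated)
    {
        if (string.IsNullOrEmpty(virtualPath)) return true;

        // Normalise separators and compare case-insensitively so that
        // "/Media/Protected/..." or backslashes are not a bypass on Windows.
        var normalised = virtualPath.Replace('\\', '/');
        if (!normalised.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return true;          // outside the protected folder: no change in behaviour

        return isAuthenticated;   // inside it: require a logged-in member
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;
        var authenticated = ctx.User != null && ctx.User.Identity.IsAuthenticated;

        if (IsAllowed(ctx.Request.Path, authenticated)) return;

        // Deny: send the anonymous visitor to the login page configured in
        // <forms loginUrl="..."> and stop IIS from serving the file.
        ctx.Response.StatusCode = 401;
        FormsAuthentication.RedirectToLoginPage();
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

To verify the fix, request a file under the protected prefix without a session cookie and confirm you receive a redirect to the login page instead of the file body, then repeat with an authenticated member session. The rule is folder-based, so it only mirrors Umbraco's member protection when the protected documents and their media are kept in the same dedicated folder.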
I think this is something Umbraco should look into. Either find a solution, for example include a package by default (like the Media Protect package), or be very clear that certain items (i.e. files) are not protected even if this impression is given by the forbidden sign. I am sure that many people/organizations today who have implemented a CMS based on Umbraco think they have protected their media files, which is not correct. They are open to the whole world.
Thank you for your help!
Cheers,
Eirik