Jump to content

Security issue


imagina
 Share

Recommended Posts

I have a small demo application running as service. I can access it with a url like "http://172.26.0.0:8077".

But I can download or see any file contained in the folder where the application resides; if, by example,

in these folder I have theserver.exe file and other file called "hello.pdf", if I enter in a URL "http://172.26.0.0:8077/hello.pdf" I can download an see the file. It works like a FTP server. If I know the file name... I can download it.

However, in some situations, I want to share a file (report as a PDF); in these cases I put the file in the cache folder, that is secure, because the session id is long and eventual.

Please advice me how to avoid this behaviour.

 

Thanks

Link to comment
Share on other sites

I think that if you want more control segurity, create unigui as ISAPI, and use ISS.

 

 

i don't kwnow if it's possible, but if you need unigui app as service and you don't want use ISS, perhaps you can create a windows user, start service with this user, and grant file permissions to this user only for the files/folders that you allow to access.

Link to comment
Share on other sites

Setting permissions to user is not a solution, if there are files in the same folder is because are used by the same application. If I restrict a file then the same application server will not be able to access it. And I think (not tested) that with ISAPI there are the same behaviour.

The real problem is this:

 

h ttp://localhost:8077/../../../system.ini

 

I can access, If I know the name and where is located, any file...

 

DocJones, if you use ISAPI, put a .PDF file in the parent folder where your ISAPI application is running and then try to open with:

 

(your ip:port)/../file.pdf

 

I think that if you want more control segurity, create unigui as ISAPI, and use ISS.

 

 

i don't kwnow if it's possible, but if you need unigui app as service and you don't want use ISS, perhaps you can create a windows user, start service with this user, and grant file permissions to this user only for the files/folders that you allow to access.

Link to comment
Share on other sites

And another undesirable effect; issuing a inexistant file, UniGui application reveals the complete path:

 

URL: h ttp://server:8077/fake.pdf

 

UniGui answers:

 

File D:\Delphi\UniGui\AppSvc1\fake.pdf not found.

 

 

Setting permissions to user is not a solution, if there are files in the same folder is because are used by the same application. If I restrict a file then the same application server will not be able to access it. And I think (not tested) that with ISAPI there are the same behaviour.

The real problem is this:

 

h ttp://localhost:8077/../../../system.ini

 

I can access, If I know the name and where is located, any file...

 

DocJones, if you use ISAPI, put a .PDF file in the parent folder where your ISAPI application is running and then try to open with:

 

(your ip:port)/../file.pdf

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...