imagina, posted March 8, 2012: I have a small demo application running as a service. I can access it with a URL like "http://172.26.0.0:8077". But I can download or see any file contained in the folder where the application resides; if, for example, in this folder I have the theserver.exe file and another file called "hello.pdf", and I enter the URL "http://172.26.0.0:8077/hello.pdf", I can download and see the file. It works like an FTP server. If I know the file name... I can download it. However, in some situations I want to share a file (a report as a PDF); in these cases I put the file in the cache folder, which is secure, because the session id is long and eventual. Please advise me how to avoid this behaviour. Thanks
docjones, posted March 8, 2012: I think that if you want more security control, create uniGUI as ISAPI and use IIS. I don't know if it's possible, but if you need the uniGUI app as a service and you don't want to use IIS, perhaps you can create a Windows user, start the service with this user, and grant file permissions to this user only for the files/folders that you allow access to.
imagina (author), posted March 9, 2012: Setting permissions for a user is not a solution; if there are files in the same folder, it is because they are used by the same application. If I restrict a file, then the same application server will not be able to access it. And I think (not tested) that with ISAPI there is the same behaviour. The real problem is this: http://localhost:8077/../../../system.ini I can access any file, if I know the name and where it is located... DocJones, if you use ISAPI, put a .PDF file in the parent folder of the one where your ISAPI application is running and then try to open it with: (your ip:port)/../file.pdf
imagina (author), posted March 9, 2012: And another undesirable effect; requesting a nonexistent file, the UniGUI application reveals the complete path: URL: http://server:8077/fake.pdf UniGUI answers: File D:\Delphi\UniGui\AppSvc1\fake.pdf not found.
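The two defects described in this thread (a request path that escapes the application folder via "../", and a 404 message that echoes the server-side file path) are both properties of how a static-file handler maps a URL onto the disk. The following is an added illustration of the defensive mapping, not uniGUI code or code from anyone in this thread: it is written in Python as a language-neutral sketch, and the document root, the file names and the in-memory file table are constructed for the example. The handler decodes the request, treats backslashes as separators (the standalone server in the thread runs on Windows), refuses any ".." segment outright, canonicalises the result and checks that it still lies under the root, and answers every refusal with the same fixed "Not found" body so the absolute path is never disclosed.

```python
import os
import posixpath
from urllib.parse import unquote

# Constructed document root: a folder that holds only the files the
# application intends to publish. theserver.exe, system.ini and the rest
# of the application folder live outside it and are unreachable by design.
DOC_ROOT = "/srv/demo/public"

# Constructed stand-in for the files on disk so the example runs offline:
# path relative to DOC_ROOT -> content.
PUBLISHED_FILES = {
    "hello.pdf": b"%PDF-1.4 constructed sample",
    "reports/q1.pdf": b"%PDF-1.4 constructed report",
}


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map url_path onto a canonical absolute path under doc_root.

    Returns None whenever the request must be refused. Traversal attempts and
    genuinely missing files are deliberately indistinguishable to the caller.
    """
    decoded = unquote(url_path)              # "%2e%2e" becomes ".." here
    if "\x00" in decoded:                    # NUL truncates paths in C file APIs
        return None
    # On Windows "..\\" climbs a directory exactly like "../" does.
    decoded = decoded.replace("\\", "/")
    # A legitimate client never needs "..": refuse instead of "repairing" it,
    # which also gives a clean signal to log as a traversal attempt.
    if any(segment == ".." for segment in decoded.split("/")):
        return None
    # Lexical normalisation anchored at "/", then canonicalisation (symlinks).
    relative = posixpath.normpath("/" + decoded.lstrip("/")).lstrip("/")
    root_real = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # Belt and braces: the canonical path must still sit under the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def serve(url_path, files=PUBLISHED_FILES, doc_root=DOC_ROOT):
    """Minimal handler returning (status, body).

    The 404 body is a fixed string: it never echoes the path the request
    mapped to, which is the disclosure reported for "fake.pdf" above.
    """
    path = resolve_request_path(url_path, doc_root)
    if path is None:
        return 404, b"Not found"
    root_real = os.path.realpath(doc_root)
    relative = os.path.relpath(path, root_real).replace(os.sep, "/")
    if relative not in files:
        return 404, b"Not found"
    return 200, files[relative]


if __name__ == "__main__":
    # Constructed requests: one legitimate, three traversal attempts, one missing file.
    for request in ("/hello.pdf", "/../../../system.ini",
                    "/%2e%2e/%2e%2e/system.ini", "/..\\..\\system.ini", "/fake.pdf"):
        status, body = serve(request)
        print(f"{request:30} -> {status} {body[:24]!r}")
```

The containment check after canonicalisation matters even with the ".." refusal in place: it is what protects against a symlink inside the published folder that points elsewhere on the disk, and it keeps the handler correct if the refusal is ever relaxed.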
bbm, posted August 18, 2022: Hi, is there any solution for that problem? Currently we have a pen test of our application and it seems that we get a red flag because of this problem! Best regards
irigsoft, posted August 18, 2022: 1 hour ago, bbm said: Hi, is there any solution for that problem? Currently we have a pen test of our application and it seems that we get a red flag because of this problem! Best regards. Hello, do you see this topic? Everything is written there; solutions are also indicated.