I was informed by the client that our system built on OutSystems has some vulnerabilities.
The first issue is a publicly exposed administrator login interface:
https://<<environment>>/ECT_Provider/Login.aspx
https://<<environment>>/users/Login.aspx
They stated that these pages can be accessed from any IP without network-level access control, and they proposed applying some measures such as:
Restricting access to non-public endpoints using the following methods:
  • IP allowlisting
  • Requiring VPN connections
  • Network segmentation
Disabling unused application components
Implementing Web Application Firewall (WAF) rules to limit misuse
Ensuring robust authentication protection:
  • Implementing rate limiting
  • Applying account lockout policies
  • Enforcing multi-factor authentication (MFA)
As part of attack surface management, regularly reviewing publicly exposed endpoints
The second problem is that they are able to access this page and upload any file they want:
https://<<environment>>/RichWidgets/Popup_Upload.aspx
They require us to:
Implement an authorization check on the server side to verify user permissions before executing the upload process
In access control, do not rely on client-side attributes (such as disabled or hidden fields)
If the upload functionality is not required, disable the corresponding endpoint or restrict access to it
Implement strict server-side validation
Validate file types and set size limitations
Store files outside the web root
Conduct malware scans as needed
I believe these issues should be addressed by the OutSystems development team, rather than by developers who are simply using the platform like us.
But is there any way for users like me to fix this problem?
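As an added example (not code from this thread and not OutSystems' own code), the Python below sketches the two server-side controls the client's list asks for: an IP allowlist on the administrative paths, and an upload handler that checks the user's permission, the file's size, extension and magic bytes on the server, and stores the file outside the web root under a server-chosen name. The path prefixes, the allowed network ranges, the permission name "upload", the type table and the sample files are all constructed assumptions for illustration. On the OutSystems cloud you cannot deploy a layer like this yourself; it shows what the platform, or a WAF in front of it, has to enforce for the findings to count as closed, and why a button that is only disabled in the browser is not a control.

```python
"""Hypothetical enforcement layer for the two findings (added example, not OutSystems code)."""
import ipaddress
import os
import tempfile
import uuid
from dataclasses import dataclass

# Assumed list of paths that must never be reachable from the public internet,
# mirroring the endpoints named in the client's report.
PRIVATE_PREFIXES = ("/ServiceCenter/", "/Users/", "/ECT_Provider/",
                    "/RichWidgets/Popup_Upload.aspx")

# Assumed corporate ranges (RFC 1918 and the TEST-NET-1 documentation range).
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.0.2.0/24")]

MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Extension allow-list with the magic bytes each type must start with (constructed subset).
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def is_private_path(path: str) -> bool:
    """Case-insensitive prefix match on the path part only (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    return any(p.startswith(prefix.lower()) for prefix in PRIVATE_PREFIXES)


def client_ip_allowed(client_ip: str) -> bool:
    """Malformed or unparseable addresses are denied, never allowed by accident."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def admin_path_decision(path: str, client_ip: str) -> bool:
    """True if the request may proceed: public paths always, private paths only from the allowlist."""
    if not is_private_path(path):
        return True
    return client_ip_allowed(client_ip)


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset


def validate_upload(user, filename: str, data: bytes):
    """Server-side checks; returns (ok, reason-or-extension). Client-side state is never consulted."""
    if user is None or "upload" not in user.permissions:
        return False, "forbidden"                      # authorization first
    if not data:
        return False, "empty"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    base = os.path.basename(filename)                  # strips any path components
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def store_upload(user, filename: str, data: bytes, upload_root: str) -> str:
    """Writes to upload_root (assumed to be outside the web root) under a random name."""
    ok, info = validate_upload(user, filename, data)
    if not ok:
        raise ValueError(info)
    dest = os.path.join(upload_root, f"{uuid.uuid4().hex}.{info}")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


# Constructed sample inputs.
UPLOADER = User("alice", frozenset({"upload"}))
VIEWER = User("bob", frozenset({"view"}))
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_PHP = b"<?php echo 'not a pdf'; ?>\n"


def run_demo() -> dict:
    """Stores a valid PDF and rejects a PHP file renamed to .pdf; returns both outcomes."""
    with tempfile.TemporaryDirectory() as upload_root:
        stored = os.path.basename(store_upload(UPLOADER, "report.pdf", SAMPLE_PDF, upload_root))
        try:
            store_upload(UPLOADER, "shell.pdf", SAMPLE_PHP, upload_root)
            rejected = None
        except ValueError as exc:
            rejected = str(exc)
    return {"stored": stored, "rejected": rejected}


if __name__ == "__main__":
    print(admin_path_decision("/ECT_Provider/Login.aspx", "203.0.113.5"))
    print(run_demo())
```

The order inside validate_upload matters: authorization is decided before any byte of the file is inspected, the client's filename is used only to pick an extension and never as the on-disk name, and a mismatch between extension and magic bytes is rejected rather than "corrected".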
Hi,
This is a good finding from your client, and it’s a fairly common concern when working with applications built on OutSystems. While these endpoints are part of the platform, they are still your responsibility to secure at the application and infrastructure level.
1) Public Login Pages (/users/Login.aspx, /ECT_Provider/Login.aspx)
These are standard OutSystems endpoints and are public by default. This is expected behavior, but it does increase the attack surface.
You can mitigate this without changes from OutSystems by:
2) File Upload Endpoint (/RichWidgets/Popup_Upload.aspx)
This endpoint comes from OutSystems RichWidgets and can be exposed publicly if not restricted.
This is more sensitive because it may allow file uploads without proper authorization if left open.
Recommended actions:
Thanks,
Saicharan
Hello,
You can use this feature to restrict access to /ServiceCenter, /Users, /ECT_Provider and any other Traditional Web application:
https://success.outsystems.com/documentation/11/security/configure_an_internal_network/
According to the documentation, this configuration method applies to self-managed environments. However, my environment has the format https://xxxx-tst1.outsystemsenterprise.com/, which indicates that my OutSystems Platform Server is managed on OutSystems' cloud, correct?
I tried using an account with administrator privileges to access the Service Center, but the interface looks different from the documentation, and I am also unable to make any changes.
So it seems your method does not work. Do I have any other options?
Regarding RichWidgets/Popup_Upload.aspx, I found a similar ticket where the staff mentioned that they had fixed this issue:
https://www.outsystems.com/forums/discussion/41206/richwidget-popup-upload-security/
However, I’m not sure how it was fixed, because I can still access that page and upload files as usual. Even though the Upload button is disabled, it can be enabled using F12 and then the upload can proceed. Although it appears that the file is not actually uploaded, I still need confirmation from OutSystems.