Hello,
RichWidgets has a public Popup_Upload page inside it's module.
This seems a security risk for a Production Environment since I can use this upload functionality to inject a bunch of files and make, in the end, the Database unavailable.
We can, of course, move this module to an internal zone unreachable from the Internet but we also don't know the true impact of this changes regarding internal features.
Can someone give feedback regarding this topic?
Thank you.
Hey Miguel,
Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.
Once again, thanks and we'll have news soon!
Rita Dias wrote:
Once again, thanks and we'll have news soon and thanks!
Hi Rita,
Thank you for your feedback. I'm glad you are looking on this.
I would like to add some other possible issues so it can be analyzed together:
ECT_Provider and EPA_Taskbox have many open pages. Of course we can disable the applications but we need to be aware of this to avoid security issues.
Example:
/ECT_Provider/ResourceUpdater.aspx
OutsystemsNowService has also info that should not be provided to the world like the Version installed in the Environment:
/OutSystemsNowService/infrastructure.aspx
Hope I could help.
Kind regards,
Miguel Sousa
We are using Outsystems 11 and still see the upload functionality. Is there any update on how to tackle this?
Thanks,
Joris Teunissen
Joris Teunissen wrote:
Hello Joris,
We have a fix coming your way. Make sure you keep your environments up to date.
This was corrected in the version 11.0.614.0 (Release Oct.2019 CP6)
More details on:
https://success.outsystems.com/Support/Security/Vulnerabilities/December_12%2C_2019_Vulnerability_RPD-4310
Our client was waiting for this one! Thanks for the update Adriano!