RichWidget - Popup_Upload - Security

Miguel Sousa

Rank: #1107

Solved

RichWidget - Popup_Upload - Security

Question

OutSystems 10

Security

Hello,

RichWidgets has a public Popup_Upload page inside it's module.

This seems a security risk for a Production Environment since I can use this upload functionality to inject a bunch of files and make, in the end, the Database unavailable.

We can, of course, move this module to an internal zone unreachable from the Internet but we also don't know the true impact of this changes regarding internal features.

Can someone give feedback regarding this topic?

Thank you.

on 2018-10-17

Rita Dias

Staff

Rank: #0

Solution

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.

Once again, thanks and we'll have news soon!

on 2018-10-17

3 replies

Last reply on 2020-02-06

Show thread

Hide thread

Miguel Sousa

Rank: #1107

Rita Dias wrote:

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.

Once again, thanks and we'll have news soon and thanks!

Hi Rita,

Thank you for your feedback. I'm glad you are looking on this.

I would like to add some other possible issues so it can be analyzed together:

ECT_Provider and EPA_Taskbox have many open pages. Of course we can disable the applications but we need to be aware of this to avoid security issues.

Example:

/ECT_Provider/ResourceUpdater.aspx

OutsystemsNowService has also info that should not be provided to the world like the Version installed in the Environment:

/OutSystemsNowService/infrastructure.aspx

Hope I could help.

Kind regards,

Miguel Sousa

on 2018-10-17

Joris Teunissen

Rank: #21874

Rita Dias wrote:

Hey Miguel,