Solved
RichWidget - Popup_Upload - Security

Hello,

RichWidgets has a public Popup_Upload page inside its module.

This seems a security risk for a Production Environment since I can use this upload functionality to inject a bunch of files and make, in the end, the Database unavailable.

We can, of course, move this module to an internal zone unreachable from the Internet, but we also don't know the true impact of these changes regarding internal features.

Can someone give feedback regarding this topic?

Thank you.

Rita Dias
Staff
Rank: #0
Solution

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.


Once again, thanks and we'll have news soon!

Rank: #1107

Rita Dias wrote:

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.


Once again, thanks and we'll have news soon!

Hi Rita,

Thank you for your feedback. I'm glad you are looking into this.

I would like to add some other possible issues so it can be analyzed together:

ECT_Provider and EPA_Taskbox have many open pages. Of course we can disable the applications but we need to be aware of this to avoid security issues.

Example:

/ECT_Provider/ResourceUpdater.aspx


OutSystemsNowService also has info that should not be provided to the world, like the Version installed in the Environment:

/OutSystemsNowService/infrastructure.aspx


Hope I could help.

Kind regards,

Miguel Sousa
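The three pages listed in this thread are the kind of thing a platform owner wants to see in their web server logs before an attacker does. The following is an added example, not code from the thread or from OutSystems: it parses a few constructed IIS-style log lines and reports external hits to these pages, plus any client that posts to the upload page repeatedly (the storage-exhaustion scenario described in the first post). The full path `/RichWidgets/Popup_Upload.aspx`, the internal address prefixes, and the burst threshold are assumptions for the demo.

```python
from collections import Counter

# Constructed sample lines in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-11-02 10:00:01 203.0.113.7 POST /RichWidgets/Popup_Upload.aspx 200
2019-11-02 10:00:02 203.0.113.7 POST /RichWidgets/Popup_Upload.aspx 200
2019-11-02 10:00:03 203.0.113.7 POST /RichWidgets/Popup_Upload.aspx 200
2019-11-02 10:00:04 198.51.100.9 GET /OutSystemsNowService/infrastructure.aspx 200
2019-11-02 10:00:05 10.0.0.5 GET /ECT_Provider/ResourceUpdater.aspx 200
2019-11-02 10:00:06 203.0.113.7 GET /MyApp/Home.aspx 200
"""

# Pages named in the thread, lower-cased for matching. The Popup_Upload
# path is an assumption; the other two are quoted verbatim from the post.
SENSITIVE_PATHS = {
    "/richwidgets/popup_upload.aspx": "anonymous file upload (storage exhaustion risk)",
    "/ect_provider/resourceupdater.aspx": "ECT_Provider internal page",
    "/outsystemsnowservice/infrastructure.aspx": "discloses installed platform version",
}

# Assumption for the demo: these prefixes count as the internal zone.
# (A real deployment would use ipaddress.ip_network against its own ranges.)
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")
UPLOAD_BURST_THRESHOLD = 3  # assumed demo threshold for repeated uploads


def parse_iis_log(text):
    """Parse W3C-style lines into dicts; skip directive (#) and blank lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line; ignore rather than crash
        _date, _time, ip, method, uri, status = parts[:6]
        records.append({"ip": ip, "method": method.upper(),
                        "uri": uri.lower(), "status": int(status)})
    return records


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def find_exposed_hits(records):
    """Return (ip, uri, reason) for each successful external request to a sensitive page."""
    hits = []
    for r in records:
        reason = SENSITIVE_PATHS.get(r["uri"])
        if reason and not is_internal(r["ip"]) and r["status"] < 400:
            hits.append((r["ip"], r["uri"], reason))
    return hits


def upload_bursts(records, threshold=UPLOAD_BURST_THRESHOLD):
    """Map client IP -> number of POSTs to the upload page, for clients at or over the threshold."""
    counts = Counter(r["ip"] for r in records
                     if r["method"] == "POST" and r["uri"] == "/richwidgets/popup_upload.aspx")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for ip, uri, reason in find_exposed_hits(recs):
        print(f"EXTERNAL HIT {ip} -> {uri}: {reason}")
    for ip, n in upload_bursts(recs).items():
        print(f"UPLOAD BURST {ip}: {n} POSTs to Popup_Upload")
```

Requests from the internal range are deliberately not flagged, so the script also shows whether moving the module to an internal zone, as suggested in the first post, actually removed the Internet-facing hits; once the fixed platform version is in place, the external hits should return 4xx and drop out of the report.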





Rank: #21874

Rita Dias wrote:

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.


Once again, thanks and we'll have news soon!

Hi Rita,

We are using Outsystems 11 and still see the upload functionality. Is there any update on how to tackle this?

Thanks,

Kind regards,

Joris Teunissen


Staff
Rank: #3493

Joris Teunissen wrote:

Rita Dias wrote:

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.


Once again, thanks and we'll have news soon!

Hi Rita,

We are using Outsystems 11 and still see the upload functionality. Is there any update on how to tackle this?

Thanks,

Kind regards,

Joris Teunissen


Hello Joris,

We have a fix coming your way. Make sure you keep your environments up to date.


Hello,

This was corrected in version 11.0.614.0 (Release Oct. 2019 CP6).

More details on:

https://success.outsystems.com/Support/Security/Vulnerabilities/December_12%2C_2019_Vulnerability_RPD-4310

MVP
Rank: #72

Our client was waiting for this one! Thanks for the update Adriano!