RichWidget - Popup_Upload - Security


Hello,

RichWidgets has a public Popup_Upload page inside its module.

This seems to be a security risk for a Production Environment, since I can use this upload functionality to inject a bunch of files and, in the end, make the Database unavailable.

We can, of course, move this module to an internal zone unreachable from the Internet, but we also don't know the true impact of these changes regarding internal features.

Can someone give feedback regarding this topic?

Thank you.

Solution

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.


Once again, thanks and we'll have news soon!

Solution

Rita Dias wrote:

Hey Miguel,

Thank you so much for bringing this up, we're currently analyzing this and will update this post once we have more news.


Once again, thanks and we'll have news soon and thanks!

Hi Rita,

Thank you for your feedback. I'm glad you are looking into this.

I would like to add some other possible issues so it can be analyzed together:

ECT_Provider and EPA_Taskbox have many open pages. Of course, we can disable the applications, but we need to be aware of this to avoid security issues.

Example:

/ECT_Provider/ResourceUpdater.aspx


OutSystemsNowService also has info that should not be provided to the world, like the Version installed in the Environment:

/OutSystemsNowService/infrastructure.aspx


Hope I could help.

Kind regards,

Miguel Sousa