Question

Public Portal Navigation.

asked on April 15, 2015

I need some clarification on how this is supposed to work because this seems very insecure to me.

When a client of mine has a "read only" user log into the public portal they are still able to navigate their folder structure by manipulating the URL address. This user cannot see the contents of these folders but they are able to read folder names that this user has no rights to. This would allow someone to gain knowledge that could potentially be used for malicious intent. If this same user logs into the client they do not see this folder structure as expected. 

Does enabling SSL do anything for this URL manipulation issue?

We also need to be able to remove the breadcrumb trail at the top of the folder navigation window. The "show breadcrumb" option is unchecked and it's still showing.


Replies

replied on April 15, 2015

Thanks for reporting this. We'll look into the matter. As for the breadcrumb, the "Show breadcrumb" option in the WebLink Designer only applies to the one in the document viewer. However, if you want to hide the one on browse.aspx, then you can edit that file and look for

<div class="Breadcrumb">

and change that to

<div class="Breadcrumb" style="display:none">
replied on April 30, 2015

"Does enabling SSL do anything for this URL manipulation issue?" No, a user can still manipulate the URL easily.

replied on April 30, 2015

It appears that the logic in the method (WebLink 9.0) is incorrect, as all of the controls will get the ID before an actual permissions check is performed. Until this is corrected, I have modified the SetBrowserStartID sub to completely fail if the user does not have permission to the folder. Unfortunately, this will require recompiling WebLink.

1. Open Browse.aspx.vb in Visual Studio or favorite text editor.

2. Locate "Private Sub SetBrowserStartID(ByVal FolderID As Integer)".

3. Copy the following code and paste over the original:

        Try
            Dim entry As ILFEntry = m_Conn.GetEntryFromCache(FolderID, False)
            Dim effRights As ILFEffectiveRights = entry.EffectiveRights

            ' Check the browse right BEFORE any control is handed the folder ID,
            ' so a user without rights never receives the folder name, breadcrumb or RSS link.
            If effRights.HasRight(Access_Right.ENTRY_BROWSE) Then
                TheFolderMetadata.SetFolder(FolderID)
                TheFolderRssLink.FolderId = FolderID
                TheDocumentBrowser.FolderID = FolderID
                FolderBreadcrumbNavigation.EntryID = FolderID
                DocBrowseSearch.CurrentFolder = FolderID
                Session(OpenFolderSessionVariable) = FolderID

                ' Folder 1 is the repository root and is titled with the database name.
                Dim FolderName As String
                If FolderID = 1 Then
                    FolderName = m_Conn.Database.Name
                Else
                    FolderName = entry.DisplayName
                End If
                ResizeBreadcrumbScript.Text = String.Format("<script>{0}</script>", "(function(){function a(){var c=(function(){var d=0,f=0;if(typeof(window.innerWidth)==""number""){d=window.innerWidth;f=window.innerHeight}else{if(document.documentElement&&(document.documentElement.clientWidth||document.documentElement.clientHeight)){d=document.documentElement.clientWidth;f=document.documentElement.clientHeight}else{if(document.body&&(document.body.clientWidth||document.body.clientHeight)){d=document.body.clientWidth;f=document.body.clientHeight}}}return{w:d,h:f}})();var e=document.getElementById(""FolderBreadcrumbNavigation"");var b=c.w-290;e.parentNode.parentNode.style.width=b+""px""}a();window.onresize=a})();")
                Page.Title = Server.HtmlEncode(FolderName) + " - " + m_strings.GetString("STR_LASERFICHE_WEBLINK")
            Else
                ' Permission denied: leave every control unset and log the attempt
                ' (the message is written to the WebLink log file, not shown to the user).
                Dim lfConn As ILFConnection = m_Conn.Database.CurrentConnection
                Dim logErrMsg As String = String.Format(m_strings.GetString("STR_ENTRY_PERMISSION_DENIED"), entry.ID) & " User (" & lfConn.UserName & ") does not have the read permissions on the entry."
                WLConnection.LogError(LogLevel.LOGLEVEL_DEBUG, 0, logErrMsg, Session.SessionID)
            End If
        Catch ex As Exception
            ' Any failure (including an entry that cannot be fetched) is logged and,
            ' for non-local requests, routed to the generic error page.
            WLConnection.LogError(LogLevel.LOGLEVEL_IMPORTANT, 0, ex, Session.SessionID)
            If Not Request.IsLocal Then
                Server.Transfer("Error.aspx")
            Else
                Throw
            End If
        End Try

4. Save the file and recompile.

Hope this helps!

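The ordering bug described in the reply above, reduced to a runnable model as an added example (constructed here; it is not WebLink's or the poster's code). The repository, the user names, the rights table and the "Laserfiche WebLink" title suffix are assumptions; `titles_exposed_to` requests every folder ID to show what a read-only user sees before and after the ENTRY_BROWSE check is moved ahead of control binding.

```python
from dataclasses import dataclass
from html import escape
from typing import Dict, Optional, Set

ENTRY_BROWSE = "ENTRY_BROWSE"  # stands in for Access_Right.ENTRY_BROWSE
DATABASE_NAME = "Repository"   # folder 1 is the root and is titled with the database name

@dataclass
class Entry:
    id: int
    display_name: str
    rights: Dict[str, Set[str]]  # user -> effective rights (stand-in for ILFEffectiveRights)

ENTRIES = {  # constructed: "public" is the read-only portal user, "auditor" may browse all
    1: Entry(1, "ROOT", {"public": {ENTRY_BROWSE}, "auditor": {ENTRY_BROWSE}}),
    2: Entry(2, "Notices & Agendas", {"public": {ENTRY_BROWSE}, "auditor": {ENTRY_BROWSE}}),
    3: Entry(3, "HR - Pending Terminations", {"auditor": {ENTRY_BROWSE}}),
}

@dataclass
class PageState:  # the rendered parts that reveal which folder was opened
    title: str = ""
    browser_folder_id: Optional[int] = None
    denied_log: str = ""  # what WLConnection.LogError would record on denial

def _bind_controls(page: PageState, entry: Entry) -> None:
    """Once a control is handed the ID, the folder name ends up in the page title."""
    page.browser_folder_id = entry.id
    name = DATABASE_NAME if entry.id == 1 else entry.display_name
    page.title = escape(name) + " - Laserfiche WebLink"  # Server.HtmlEncode, as in the VB code

def set_browser_start_id_vulnerable(user: str, folder_id: int) -> PageState:
    """Original order: controls get the ID first; the rights check comes too late."""
    page, entry = PageState(), ENTRIES[folder_id]
    _bind_controls(page, entry)
    if ENTRY_BROWSE not in entry.rights.get(user, set()):  # effRights.HasRight(...)
        page.denied_log = f"permission denied on entry {entry.id} for user {user}"
    return page

def set_browser_start_id_fixed(user: str, folder_id: int) -> PageState:
    """Fixed order: check ENTRY_BROWSE first and bind nothing when it is missing."""
    page, entry = PageState(), ENTRIES[folder_id]
    if ENTRY_BROWSE not in entry.rights.get(user, set()):  # effRights.HasRight(...)
        page.denied_log = f"permission denied on entry {entry.id} for user {user}"
        return page
    _bind_controls(page, entry)
    return page

def titles_exposed_to(handler, user: str) -> Set[str]:  # every folder ID, as URL manipulation would
    return {p.title for p in (handler(user, i) for i in ENTRIES) if p.title}
```

With the fixed order the denied request still produces a log line, which is the signal to watch for when a read-only account starts walking folder IDs.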