
Item15: ChartPlugin has an insecurity-issue

Priority: Normal
Current State: No Action Required
Released In:
Target Release: n/a
Applies To: Extension
Component: ChartPlugin
Branches:
Reported By: MartinSeibert
Waiting For:
Last Change By: GilmarSantosJr
The ChartPlugin generates files with graphs from tables. Those files are stored in the /pub/-folder. That means that all these files can be accessed without any login, although, for example, a public Extranet of a company is completely closed to users with accounts.

I saw the Output description, but could not decipher whether this problem could be solved by a different parameter.

Is this an error in the plugin or the configuration?


This issue is a general issue: all files under pub/ can be viewed without going through access checks. If this is an issue, you need to set up secure attachments:

TWiki/TWikiAccessControl#Controlling_access_to_Attachment

-- KoenMartens - 30 Oct 2008

Thanks a lot.

-- MartinSeibert - 30 Oct 2008

Shouldn't that be secured by default with new installations?

-- MartinSeibert - 30 Oct 2008

The problem with this default is that viewfile is a heavy script and it adds a huge load on the server. Since this issue is documented, I marked this as No action required.

-- GilmarSantosJr - 04 Apr 2009
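
The secure-attachments setup discussed in this thread, sketched as an Apache configuration. This is an added example, not part of the original discussion or the project's shipped configuration; the install path `/var/www/foswiki`, the URL prefix `/foswiki` and the choice to leave only the System web static are assumptions.

```apache
# Assumed layout (not from the page): Foswiki installed in /var/www/foswiki
# and published under the URL prefix /foswiki.
# Requires mod_alias and mod_rewrite; place in the server or vhost config.

# --- Default behaviour described in the thread --------------------------
# With only this Alias, everything under pub/ (attachments and files that
# plugins write there) is served as static content by Apache, so Foswiki's
# access checks are never consulted:
#
#   Alias /foswiki/pub /var/www/foswiki/pub

# --- Secured variant: send attachment requests through viewfile ---------
ScriptAlias /foswiki/bin /var/www/foswiki/bin
Alias       /foswiki/pub /var/www/foswiki/pub

RewriteEngine On

# Keep the System web static (assumption: it holds only skin files, CSS and
# JavaScript). This limits the extra load from viewfile that the thread
# gives as the reason for not enabling the rewrite by default.
RewriteCond %{REQUEST_URI} !^/+foswiki/+pub/+System/

# Everything else under pub/ is handed to bin/viewfile as Web/Topic/file,
# so the topic's view permissions decide whether the file is returned.
RewriteRule ^/+foswiki/+pub/+(.*)$ /foswiki/bin/viewfile/$1 [L,PT]
```

After applying it, request a generated chart URL from a logged-out session to confirm the file is no longer returned, and check that charts still render for users who are allowed to view the topic.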

ItemTemplate

Summary ChartPlugin has an insecurity-issue
ReportedBy MartinSeibert
Codebase
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Extension
Component ChartPlugin
Priority Normal
CurrentState No Action Required
WaitingFor
Checkins
TargetRelease n/a
ReleasedIn
Topic revision: r5 - 04 Apr 2009, GilmarSantosJr