TempReports folder write permission

1 reply. Last post: April 19, 2010 8:11 AM by Yudi
Tags :
  • (None)
  • New Discussion
  • New Question
  • New Product Feedback
Madhavan GMember

Hi Team,

One of our client reported this security issue when they tested with security test tool HP WebInspect software.Intersoft webgrid requires TempReports folder to be in Application root with write permissions for asp.net worker process when we use the Exporting functionality of the Webgrid.The client does not want to give full rights as it is a security threat for them.

Can we have some other alternate approach for the export functionality to work without creating files in Tempreports folder?

Please advice.

The following is the result returned by this security tool regarding the TempReports folder.

PUT Method Arbitrary File Upload ( 3427 ) View Description

Page: http://10.225.3.227:80/EnterpriseConsole/TempReports/CreatedByHP7.txt

Request:

PUT /EnterpriseConsole/TempReports/CreatedByHP7.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR

1.1.4322)

Host: 10.225.3.227

Memo: 50:Auditor.SendAsyncronousRequest:Attack(CID:3427:AS:0,EID:cd5d162d-

17e5-45e5-ae69-445dc6fbf2f3,ST:AuditAttack,AT:Other,APD:,I:

(0,0),R:False,SM:2,SID:0BC3009B71C5B9EB73C66AD48214C16D,PSID:E372FA0352031EB

5378BEF91C4CCB11D)

Content-Type: text/plain

Content-Length: 51

Referer:

  

Regards,
Madhavan

All times are GMT -5. The time now is 2:12 AM.
Previous Next