http://www.intersoftsolutions.com/Community/WebGrid/TempReports-folder-write-permission/http://www.intersoftsolutions.comenCopyright 2002 - 2015 Intersoft Solutions Corp. All rights reserved.60http://www.intersoftsolutions.com/Community/WebGrid/TempReports-folder-write-permission/Mon, 19 Apr 2010 08:11:52 GMTyudi<p><span style="font-family: 'segoe ui','sans-serif'; color: #1f497d; font-size: 9pt">It is the default behavior of WebGrid export feature that the ReportPath is assigned to “~/TempReports” which means the “TempReports” folder should be created under the root of the web application. The folder also needs to have enough permission to allow the asp-net worker process to write the generated output files into the folder. You can always change the ReportPath property and other report-spesific property in the ReportInfo object provided by the event argument in OnExport event.</span></p> <p><span style="font-family: 'segoe ui','sans-serif'; color: #1f497d; font-size: 9pt">One of the alternatives for your case is by setting the ReportPath folder to a location outside root of the web application. Please check <a href="http://www.intersoftpt.com/Community/WebGrid/Saving-the-location-of-export-file-to-a-location-outside-the-website/" target="_blank">this thread</a>, in order to set ReportPath folder to a specific location outside root of web application.</span></p>http://www.intersoftsolutions.com/Community/WebGrid/TempReports-folder-write-permission/Fri, 16 Apr 2010 10:10:13 GMTSkgrid@intersoftpt.com<p>Hi Team,</p> <p>One of our client reported this security issue when they tested with security test tool <span style="font-family: 'calibri','sans-serif'; color: #1f497d; font-size: 11pt; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: 'times new roman'; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"><em>HP WebInspect</em></span><span style="font-family: 'calibri','sans-serif'; color: #1f497d; font-size: 11pt; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: 'times new roman'; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"> software.Intersoft webgrid requires TempReports folder&nbsp;to be in Application root with write permissions for asp.net worker&nbsp;process when we use the Exporting functionality of the Webgrid.The client does not want to give full rights&nbsp;as it is a security threat for them.</span></p> <p><span style="font-family: 'calibri','sans-serif'; color: #1f497d; font-size: 11pt; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: 'times new roman'; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa">Can we have some other alternate approach for the export functionality to work without creating files in Tempreports folder?</span></p> <p><span style="font-family: 'calibri','sans-serif'; color: #1f497d; font-size: 11pt; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: 'times new roman'; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa">Please advice.</span></p> <p><span style="font-family: 'calibri','sans-serif'; color: #1f497d; font-size: 11pt; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: 'times new roman'; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa">The following is the result returned by this security tool regarding the TempReports folder.</span></p><span style="font-family: 'calibri','sans-serif'; color: #1f497d; font-size: 11pt; mso-fareast-font-family: calibri; mso-fareast-theme-font: minor-latin; mso-bidi-font-family: 'times new roman'; mso-ansi-language: en-us; mso-fareast-language: en-us; mso-bidi-language: ar-sa"><p class="MsoNormal" style="margin: 0in 0in 0pt"><b><span style="color: black; font-size: 10pt">PUT Method Arbitrary File Upload ( 3427 ) </span></b><span style="color: black; font-size: 10pt">View Description</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><b><span style="color: black; font-size: 10pt">Page: </span></b><span style="color: black; font-size: 10pt"><a href="http://10.225.3.227/EnterpriseConsole/TempReports/CreatedByHP7.txt">http://10.225.3.227:80/EnterpriseConsole/TempReports/CreatedByHP7.txt</a></span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><b><span style="color: black; font-size: 10pt">Request: </span></b></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">PUT /EnterpriseConsole/TempReports/CreatedByHP7.txt HTTP/1.1</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">1.1.4322)</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">Host: 10.225.3.227</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">Memo: 50:Auditor.SendAsyncronousRequest:Attack(<a href="cid:3427:AS:0,EID:cd5d162d-">CID:3427:AS:0,EID:cd5d162d-</a></span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">17e5-45e5-ae69-445dc6fbf2f3,ST:AuditAttack,AT:Other,APD:,I:</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">(0,0),R:False,SM:2,SID:0BC3009B71C5B9EB73C66AD48214C16D,PSID:E372FA0352031EB</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">5378BEF91C4CCB11D)</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">Content-Type: text/plain</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">Content-Length: 51</span></p><p class="MsoNormal" style="margin: 0in 0in 0pt"><span style="color: black; font-size: 10pt">Referer:</span></p><p>&nbsp;&nbsp;</p><p>Regards,<br />Madhavan</p></span>