iSeller Commerce
iSeller POS Retail
iSeller POS F&B
iSeller POS Express
Crosslight
WebUI
ClientUI
What's New
Download Trial
Web Solution
Mobile Solution
Enterprise Solution
Custom Development
Blog
Community
Latest Development Blogs
ForumPostTopic
Browse By Tag
Hi Team,
One of our client reported this security issue when they tested with security test tool HP WebInspect software.Intersoft webgrid requires TempReports folder to be in Application root with write permissions for asp.net worker process when we use the Exporting functionality of the Webgrid.The client does not want to give full rights as it is a security threat for them.
Can we have some other alternate approach for the export functionality to work without creating files in Tempreports folder?
Please advice.
The following is the result returned by this security tool regarding the TempReports folder.
PUT Method Arbitrary File Upload ( 3427 ) View Description
Page: http://10.225.3.227:80/EnterpriseConsole/TempReports/CreatedByHP7.txt
Request:
PUT /EnterpriseConsole/TempReports/CreatedByHP7.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR
1.1.4322)
Host: 10.225.3.227
Memo: 50:Auditor.SendAsyncronousRequest:Attack(CID:3427:AS:0,EID:cd5d162d-
17e5-45e5-ae69-445dc6fbf2f3,ST:AuditAttack,AT:Other,APD:,I:
(0,0),R:False,SM:2,SID:0BC3009B71C5B9EB73C66AD48214C16D,PSID:E372FA0352031EB
5378BEF91C4CCB11D)
Content-Type: text/plain
Content-Length: 51
Referer:
Regards,Madhavan
It is the default behavior of WebGrid export feature that the ReportPath is assigned to “~/TempReports” which means the “TempReports” folder should be created under the root of the web application. The folder also needs to have enough permission to allow the asp-net worker process to write the generated output files into the folder. You can always change the ReportPath property and other report-spesific property in the ReportInfo object provided by the event argument in OnExport event.
One of the alternatives for your case is by setting the ReportPath folder to a location outside root of the web application. Please check this thread, in order to set ReportPath folder to a specific location outside root of web application.
or
Choose this if you're already a member of Intersoft Community Forum. You can link your OpenID account to your existing Intersoft Social ID.
Choose this if you don't have an Intersoft account yet. Your authenticated OpenID will be automatically linked to your new Intersoft account.
Enter your Wordpress Blogname
Creating your account...