Hi,
Is it possible to prevent users from directly accessing:
https://Mywisejsite/download.wx
Our users are trying to download source files using this direct link, so we would like to block it and use this page only to download a specific file after custom authentication and using a specific button command.
They are using something like this:
GET /Mywisejsite/download.wx?x=ewAiAGYAaQBsAGUAIgA6ACIAQwA6AFwAXABpAG4AZQB0AHAAdQBiAFwAXAB3AHcAdwByAG8AbwB0AFwAXABNAGsAaQBpAEYAbwByAFcAZQBiAFwAXABFAHgAcABvAHIAdABQAEQAZgBcAFwAYQBhAGEAYQAuAHAAZABmACIALAAiAG4AYQBtAGUAIgA6ACIAYQBhAGEAYQAuAHAAZABmACIAfQA=
after sniffing traffic during download. So, if they change the Base64 string command, it is possible to download all files.
Thank you in advance
Nello Pernice
It’s not possible to download all files. Just the files deployed at the root of the web site, like any web site (where the URL is in clear), and in temp files created by Wisej to download streams and then deleted. It used to be possible, and even to traverse (!), but it was flagged as a security issue and fixed several builds ago.
Wisej blocks anything in /bin and /App_Data and anything outside of the web site root and any “.config”, “.dll”, “.ini”, “.exe”, “.so”.
If you want to take over download.wx you can register an HttpHandler in web.config mapped to download.wx.
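One shape such a handler could take, as an added example that is not Wisej code or part of the original answer: it serves files only to authenticated users, only by bare file name, and only from one folder. The class name, the `name` query parameter, the `~/ExportPdf` folder and the registration shown in the comment are assumptions, as is the use of ASP.NET authentication to populate `context.User`.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;

// Added example, not Wisej code. Assumed registration in web.config:
//   <system.webServer><handlers>
//     <add name="GuardedDownload" verb="GET" path="download.wx" type="GuardedDownloadHandler" />
//   </handlers></system.webServer>
public class GuardedDownloadHandler : IHttpHandler
{
    private const string ExportFolder = "~/ExportPdf";            // assumed folder
    private static readonly string[] AllowedExtensions = { ".pdf" };
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        // 1. Only authenticated users (assumes ASP.NET auth fills context.User).
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // 2. Take a bare file name, never a path: reject separators, drive
        //    colons and control characters, then allow-list the extension.
        string name = context.Request.QueryString["name"] ?? "";   // assumed parameter
        bool badName = name.Length == 0
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !AllowedExtensions.Contains(Path.GetExtension(name), StringComparer.OrdinalIgnoreCase);
        if (badName)
        {
            context.Response.StatusCode = 403;
            return;
        }

        // 3. Canonicalize and confirm the file is still inside the export folder.
        string root = Path.GetFullPath(context.Server.MapPath(ExportFolder))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase) || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        context.Response.TransmitFile(full);
    }
}
```

Because the client sends only a file name and the server chooses the folder, editing the request cannot point the handler at another location on disk.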