Article Manager 1 Add-ons forum: Security hazard

SimonAdrian
User

May 30, 2006, 10:58 AM

Post #1 of 4 (2972 views)
Security hazard

Maybe my knowledge of viruses isn't up to date, but it seems to me that it is a security hazard that any writer can upload pictures or other files even though his article is still pending.

That's what happens if you use the uploading feature. The file goes right up on the server, while the article waits for approval.

So is there some way that you can disable the uploading feature in some categories and enable it in others?

Especially in connection with the suggestion in the tutorial for Article Manager about letting any visitor write without a password.


Donna
Staff / Moderator


May 30, 2006, 4:57 PM

Post #2 of 4 (2964 views)
Re: [SimonAdrian] Security hazard

Hi Simon,

Thanks for your email.

This isn't actually an issue, since image files are benign. Article Manager lets you designate what file extensions are allowable. While we would recommend strongly against allowing, for example, a .php file to be uploaded on a system that allows non-trusted users to create articles, there's no harm in allowing the .jpg and .gif files that are allowed by default. There is absolutely no way for a jpg or a gif to cause any security issue to your server.

I hope this helps. :) Let me know if you have any other questions about security in Article Manager!

Donna

--
support@interactivetools.com


SimonAdrian
User

May 31, 2006, 1:02 AM

Post #3 of 4 (2961 views)
Re: [Donna] Security hazard

Hi Donna

Then how about XML files? Is there any security risk in uploading them?

Apart from a possible risk, the reason why I'm asking is that I plan to allow a lot of writers to update, but only some few trusted ones through XML uploads; the rest shouldn't be allowed to upload XML files.
So is there a way you can disable the upload possibility for some categories? If not, I would like to suggest it for a new version.
Besides, I would like to preview their uploads before they are on the web.

Best regards
Simon


Donna
Staff / Moderator


May 31, 2006, 12:03 PM

Post #4 of 4 (2951 views)
Re: [SimonAdrian] Security hazard

Hi Simon,

As far as I know, XML files are just text, and non-executable, so they shouldn't cause any problems. I haven't researched them extensively, but I can't think of how they would be any problem.

While there's no method to allow uploads for some categories only, you could modify the writer interface templates so that those with Writer-level accounts cannot use the upload file facility. That way, those with regular level accounts could still upload files, but writers couldn't. Would that work for you?

Just so you know -- all files that are uploaded ARE on the web right away. They're automatically put into the uploads directory. However, one would have to know the address to them to see them -- they're not linked from anywhere until you've approved the article, or created another link elsewhere. But any file uploaded is, by definition, on the web.

I hope this helps. :)

Donna

--
support@interactivetools.com
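Donna's replies set out three things: Article Manager's control is an allowlist of file extensions, uploads can be restricted by account level by editing the writer templates, and anything uploaded lands in the web-served uploads directory before the article is approved. The block below is an added example, not Article Manager's code and written in Python rather than the product's PHP, that puts those points together the way a practitioner would check them: the allowlist is per account level (an assumed "writer"/"editor" split standing in for the template change Donna suggests), a file with an allowed image extension is also checked against the leading bytes of that image format, an XML upload is refused if it carries a DOCTYPE or entity declaration or does not parse, and pending files are held under a random name in a directory the web server does not serve until an approve step copies them into the public uploads directory. The role names, directory layout, PNG entry and sample files are assumptions constructed for the demonstration.

```python
"""Upload gate: extension allowlist + content check + quarantine until approval.

Added example; role names, directories and sample inputs are assumptions.
"""
import os
import secrets
import shutil
import xml.etree.ElementTree as ET

# Leading bytes each image extension must start with. jpg and gif are the
# product's defaults; png is added here only to show the table extends.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Assumed account levels: untrusted writers get images only, trusted editors
# may also upload XML. Anything not listed is refused.
ALLOWED_BY_ROLE = {
    "writer": {"jpg", "jpeg", "gif", "png"},
    "editor": {"jpg", "jpeg", "gif", "png", "xml"},
}


def extension_of(filename):
    """Lower-cased final extension of the basename, '' when there is none."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def check_image(ext, data):
    """The extension claims an image; the file's first bytes must agree."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC[ext])


def check_xml(data):
    """Accept only well-formed XML with no DTD. A DOCTYPE is where entity
    declarations live, so refusing it keeps entity expansion and external
    entity references out of whatever later parses the file."""
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return False
    try:
        ET.fromstring(data)
    except ET.ParseError:
        return False
    return True


def validate_upload(filename, data, allowed_exts):
    """Return (accepted, reason); fails closed for any extension without a
    content check even if someone puts it on the allowlist."""
    ext = extension_of(filename)
    if ext not in allowed_exts:
        return False, "extension not allowed: %r" % ext
    if ext in IMAGE_MAGIC:
        if not check_image(ext, data):
            return False, "content is not a %s image" % ext
    elif ext == "xml":
        if not check_xml(data):
            return False, "XML has a DOCTYPE/ENTITY or is not well-formed"
    else:
        return False, "no content check implemented for %r" % ext
    return True, "ok"


class UploadStore:
    """Pending uploads sit in a directory the web server does not serve.
    Only approve() copies a file into the public uploads directory, under a
    random name, so nothing is reachable by URL before it is meant to be."""

    def __init__(self, quarantine_dir, public_dir):
        self.quarantine_dir = quarantine_dir
        self.public_dir = public_dir
        os.makedirs(quarantine_dir, exist_ok=True)
        os.makedirs(public_dir, exist_ok=True)
        self._pending = {}  # token -> (quarantined path, extension)

    def submit(self, role, filename, data):
        ok, reason = validate_upload(filename, data, ALLOWED_BY_ROLE[role])
        if not ok:
            return None, reason
        token = secrets.token_hex(16)
        path = os.path.join(self.quarantine_dir, token)
        with open(path, "wb") as fh:
            fh.write(data)
        self._pending[token] = (path, extension_of(filename))
        return token, "quarantined"

    def approve(self, token):
        path, ext = self._pending.pop(token)
        public_name = "%s.%s" % (secrets.token_hex(8), ext)
        shutil.move(path, os.path.join(self.public_dir, public_name))
        return public_name

    def reject(self, token):
        path, _ = self._pending.pop(token)
        os.remove(path)


def demo():
    """Run the gate over constructed inputs in a throwaway directory."""
    import tempfile
    root = tempfile.mkdtemp()
    store = UploadStore(os.path.join(root, "quarantine"), os.path.join(root, "uploads"))
    writer, editor = ALLOWED_BY_ROLE["writer"], ALLOWED_BY_ROLE["editor"]
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    xxe = b'<!DOCTYPE a [<!ENTITY x SYSTEM "file:///etc/passwd">]><a>&x;</a>'
    r = {
        "php_by_writer": validate_upload("shell.php", b"<?php echo 1; ?>", writer)[0],
        "php_named_jpg": validate_upload("shell.jpg", b"<?php echo 1; ?>", writer)[0],
        "real_jpeg": validate_upload("photo.JPG", jpeg, writer)[0],
        "xml_by_writer": validate_upload("feed.xml", b"<a/>", writer)[0],
        "xml_by_editor": validate_upload("feed.xml", b"<a/>", editor)[0],
        "xml_with_doctype": validate_upload("feed.xml", xxe, editor)[0],
        "xml_malformed": validate_upload("feed.xml", b"<a><b></a>", editor)[0],
    }
    token, _ = store.submit("writer", "photo.gif", b"GIF89a" + b"\x00" * 10)
    r["public_before_approve"] = len(os.listdir(os.path.join(root, "uploads")))
    name = store.approve(token)
    r["public_after_approve"] = len(os.listdir(os.path.join(root, "uploads")))
    r["approved_ext"] = extension_of(name)
    r["quarantine_after_approve"] = len(os.listdir(os.path.join(root, "quarantine")))
    shutil.rmtree(root)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, value))
```

The magic-byte check is deliberately narrow: it confirms the file begins like the format its extension claims, nothing more, and a real deployment would still want the quarantine directory kept outside the document root by the web server configuration rather than by convention alone.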