Simple folder gallery security problem and more

Post here for help with installing or upgrading mojoPortal pre-compiled release packages. When posting in this forum, please provide all relevant details. You may also want to review the installation or upgrading documentation.

If you have questions about using the source code or working with mojoPortal in Visual Studio, please post in the Developer forum.


When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.


This thread is closed to new posts. You must sign in to post in the forums.
9/3/2009 7:45:26 AM
Total Posts 34

Simple folder gallery security problem and more

Operating system: Windows Server 2008 Standard SP2
MS SQL Server 2008 Standard
mojoPortal 2.3.1.6

I was testing the Simple folder gallery with the new version to see how the new multi-file upload works. Uploading individual picture files and viewing their thumbnails and initial preview works OK. However if I click on the preview to open the picture fullsize in a new window I get the following: 401 - Unauthorized: Access is denied due to invalid credentials.

Also when adding pictures with the HTML module I get similar behaviour, no error but the pictures don't display. This BTW works OK on my other server that is running MP 2.3.1.0 MSSQL. Which as far as I know has the data directory security with the same settings as on this server.

I did allow the "Network Service" and IIS_USR accounts full read and write access to the Data directory and all its subdirectories, but for some reason new files uploaded into the subdirectories don't get these permissions. Previously with the earlier versions of mojoPortal I had just copied the picture files directly into place through Remote Desktop without problems.

And another thing. I could only select one file at a time to add to the upload list. I thought the new NeatUpload should allow for selecting multiple files (via Ctrl+..) within the File Open dialog but that did not work, at least in IE7 and IE8.

PS
In my wildest dreams I dream about a CMS that stores everything in the database, pictures included. That would make deployment and management so much easier. Now with the new FILESTREAM data type in MS SQL Server 2008 this is becoming more realistic if you don't care about database portability. See: https://connect.microsoft.com/SQLServer/content/content.aspx?ContentID=6979

 

9/3/2009 8:53:56 AM
Total Posts 34

Re: Simple folder gallery security problem and more

Looking at Brettle's documentation for NeatUpload I can see that multifile selection is not enabled by default. But looking at the web.config file it is not obvious where to enable multifile selection.

See: http://www.brettle.com/NeatUpload-1.3/dotnet/docs/Manual.html#0.0.2.Allowing Users with Flash to Select Multiple Files from One File Selection Dialog|outline

I think a more appropriate default would be to allow multifile selection.

 

9/3/2009 9:06:52 AM
Total Posts 18439

Re: Simple folder gallery security problem and more

Hi Finnur,

No config is needed. If you have Flash installed, multi file select does work; otherwise it degrades gracefully. Have you tried actually Ctrl-clicking when the dialog is open? It works fine for me. Maybe you are expecting the dialog to look different; it does not.

I'm not able to produce the security issues you mention. If you can produce the same problem on demo.mojoportal.com I will investigate it as a bug.

Hope it helps,

Joe

9/3/2009 9:47:31 AM
Total Posts 34

Re: Simple folder gallery multi file selection problem

This is strange. On further checking I CAN select multiple files on Brettle's demo page (by pressing Ctrl and clicking each file), see here: http://www.brettle.com/Demo.aspx

but on the mojoPortal demo page I cannot - see my test page with the cat: http://demo.mojoportal.com/1111new-page.aspx

For this test I used IE8 with Flash v10.

9/4/2009 6:20:39 AM
Total Posts 18439

Re: Simple folder gallery security problem and more

Hi Finnur,

I figured out the problem. It was a packaging error. I use UnLeashIt to package the files and I did not have a file mask for .swf so it did not package the SWFUpload.swf file. As soon as I copied that file up to the /NeatUpload folder on the demo site it now works for multi selection. I will correct this for the next release, in the meantime you can get that swf and add it to your /NeatUpload folder.

Best,

Joe

9/4/2009 11:29:59 AM
Total Posts 34

Re: partial solution to the security problem

Thanks for this, I think this is an important feature for the usability of the image gallery.

On the other issue, regarding image files getting permission attributes that prevent the picture from being displayed, I have made some progress. It seems like the new NeatUpload version that supports multi file upload uses temporary files differently from the earlier version.

On my Vista workstation I got exactly the same problem that pictures would not display after upload in MP 2.3.1.6 but in MP 2.3.1.0 the pictures appeared without problems. Then I saw a note on Brettle's site that NeatUpload uses a temporary folder to accept the upload files initially. When I gave the Network Service account full control of my C:\windows\temp directory, the problem disappeared in MP 2.3.1.6

On Brettle's site there is a mention of a web.config setting that can specify this temp folder, but his link on how to do that was broken. I assume that mojoPortal uses the default setting of asking Windows. Still, I would like to know the option so I don't need to give the Network Service account access outside the web site folders.

9/4/2009 11:36:52 AM
Total Posts 18439

Re: Simple folder gallery security problem and more

Hi Finnur,

By default it tries to use the App_Data folder for temp files as described here. If that fails it tries the system temp folder. So I think the solution is to make sure your App_Data folder is writable.

Hope it helps,

Joe

9/6/2009 8:42:06 PM
Total Posts 34

Re: Simple folder gallery security problem and more

Yes, giving the Network Service account access to the App_Data folder fixed the problem.

Also copying the .swf file fixed the multifile selection problem.

best regards -Finnur
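
The fix the thread arrives at, as an added PowerShell example that is not part of the original posts or of mojoPortal: grant the worker account Modify on App_Data only (instead of full control of C:\windows\temp), then list already-uploaded files under Data that lack a read entry for that account. The site path is hypothetical, and the check assumes the 401s come from uploads that kept the ACL of the temp folder they were first written to, since a move within one NTFS volume keeps a file's existing permissions.

```powershell
# Added example: paths are assumptions, adjust them to the actual site.
$siteRoot = 'C:\inetpub\mojoportal'              # hypothetical site root
$appData  = Join-Path $siteRoot 'App_Data'       # NeatUpload temp location per the thread
$dataDir  = Join-Path $siteRoot 'Data'           # where gallery uploads end up
$account  = 'NT AUTHORITY\NETWORK SERVICE'       # worker identity named in the thread
$fix      = $false                               # set to $true to repair the files found

# 1. Grant Modify (not Full Control) on App_Data, inherited by subfolders and files,
#    so temp uploads are created inside the site and never fall back to the system temp.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $appData
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $appData -AclObject $acl

# 2. Find files under Data with no Allow entry giving the account Read.
#    Heuristic: it looks only for an entry naming the account itself and
#    ignores access the account may hold through group membership.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$missing = Get-ChildItem -LiteralPath $dataDir -Recurse -File | Where-Object {
    $rules = (Get-Acl -LiteralPath $_.FullName).Access
    -not ($rules | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    })
}

# 3. Report, and optionally reset each file to the ACL inherited from its folder.
$missing | Select-Object -ExpandProperty FullName
if ($fix) {
    $missing | ForEach-Object { icacls $_.FullName /reset | Out-Null }
}
```

Run it from an elevated prompt; `icacls /reset` discards any explicit entries on the file and leaves only what the parent folder passes down.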
