Insecure file upload issue -- Urgent!!
Steps to reproduce:
1) Create a txt file named "test.txt" with the following content:
and save it locally.
2) Log in to the web client.
3) Upload this file to any existing HPSM ticket (IM, CM, etc.) under the Attachments tab.
4) Once uploaded, click on the "test.txt" link under the Attachments tab. An alert window pops up in the web browser.
This could lead to a security threat and should be avoided.
How to avoid uploading such kind of attachments? Any fixes or workarounds for this?
Files uploaded with a ".txt" extension get opened directly in the browser after clicking the link, and that's why the contents of the file get executed. If we could somehow prompt for Open/Save of the file, as happens for .doc and .xls attachments, then it should be OK?
Any help please.
I tried the same, but it is not executing; it is just displaying the whole text in the browser window.
Assign Kudo, if found post useful and mark it accepted if solves the issue.
That's what I want: the web client should not execute the contents of a text file; instead it should either display the contents or prompt for Open/Save. But it's not working at my end.
Would you check the MIME type of "text" files in web.xml? It's set to "text/plain" in my case.
Any other thoughts? Web client version is 7.11.333.
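The question above (prompting for Open/Save, and whether the "text/plain" mapping in web.xml is enough) comes down to which response headers the web tier sends when the attachment link is clicked. The following is an added example, not code from this thread or from HP Service Manager: it builds the headers that force a download regardless of extension or declared type, and includes a small model of the browser decision so the weak and hardened responses can be compared. All function names are hypothetical, and the sample body is constructed.

```python
# Added example, not code from the forum thread or from HP Service Manager.
# Shows how a server can force an attachment to be offered for Open/Save
# rather than rendered inline, whatever its extension or the MIME mapping
# in web.xml. All names here are hypothetical.
import re
import unicodedata
import urllib.parse

# Content types a browser renders (and may execute script in) when served inline.
RENDERABLE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                    "text/xml", "application/xml"}
# Declared types passed through unchanged; anything else is served as opaque bytes.
PASSTHROUGH_TYPES = {"text/plain", "application/pdf", "image/png",
                     "image/jpeg", "image/gif", "application/zip"}


def safe_filename(name: str) -> str:
    """Reduce a user-supplied filename to a plain basename with no path
    separators, control characters or quotes, so it cannot break the header."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = "".join(ch for ch in base if unicodedata.category(ch)[0] != "C")
    base = base.replace('"', "").strip()
    return base or "attachment"


def download_headers(filename: str, declared_type: str) -> dict:
    """Response headers that make the browser offer Open/Save instead of
    rendering the attachment in the window."""
    name = safe_filename(filename)
    # Plain-ASCII fallback for old agents plus the RFC 5987 form for the real name.
    ascii_name = re.sub(r"[^\x20-\x7e]", "_", name)
    utf8_name = urllib.parse.quote(name, safe="")
    ctype = declared_type.split(";")[0].strip().lower()
    if ctype not in PASSTHROUGH_TYPES:
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        # 'attachment' is what triggers the Open/Save prompt.
        "Content-Disposition": f"attachment; filename=\"{ascii_name}\"; filename*=UTF-8''{utf8_name}",
        # Stops the browser re-guessing a .txt body as HTML.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth if a browser still renders the body.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def renders_inline(headers: dict, body_prefix: bytes) -> bool:
    """Model of the browser decision the thread describes: is this response
    rendered in the window (where markup inside a 'text file' would run)?"""
    disposition = headers.get("Content-Disposition", "").split(";")[0].strip().lower()
    if disposition == "attachment":
        return False  # Open/Save prompt; nothing is rendered
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in RENDERABLE_TYPES:
        return True
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    # Legacy sniffing: text/plain whose body looks like markup gets treated as HTML.
    looks_like_html = body_prefix.lstrip().lower().startswith(b"<")
    return ctype == "text/plain" and looks_like_html and not nosniff


if __name__ == "__main__":
    # Constructed sample: a ".txt" attachment whose body is really markup.
    body = b"<script>alert(1)</script>"
    weak = {"Content-Type": "text/plain"}  # the bare web.xml mapping alone
    print("weak headers render inline:", renders_inline(weak, body))
    hardened = download_headers("test.txt", "text/plain")
    print("hardened headers render inline:", renders_inline(hardened, body))
```

The design point is that the MIME mapping in web.xml is only one of three inputs the browser uses; the Content-Disposition header decides between render and prompt, and X-Content-Type-Options stops older browsers from promoting a text/plain body to HTML. Applying these headers on the attachment-download path (for example in a servlet filter) is server-side and does not depend on each user's file associations.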
I'm not sure I understand the problem here.
Isn't every file you attach able to be executed? If you attach a .zip file and select it, the system will download and open the .zip file, using whatever program is set as the user's default for handling that file extension. If you attach a .doc or .docx file, the system will open the file using Word. If you attach an image file (.jpg, .gif, .bmp) and double-click on it, the system will display the image. If you attach an .exe, the system will run that .exe when the user selects it. Any file you upload can be run on the user's system.
In the case of any file extension that can be opened by their internet browser, the file the user selects will open in that browser. I don't think this is insecure, per se, since the user has to actively open that file for downloading.
The only way to solve this would be to not allow attachments - which I don't think is a reasonable possibility in most environments.
As Jacob stated, the user's environment (browser settings and file associations) determines whether the attachment is opened or prompted for save.