
Anyone can see my Password.xml file without being authenticated!


christheprogrammer

Programmer
Jul 10, 2000
258
CA
Hey everyone, I just tried typing in the address to my passwords.xml file in the browser, and even though I implemented Forms Authentication, anyone can view it (they are not automatically redirected to the login screen). Do I need to create another directory with only the passwords.xml file in it? If so, do I need another web.config file to deny all users?

Cheers
Life is like a box of chocolates, sweet
 
SOLUTION:

change the extension of any file you don't want viewed to .aspx !!!

Pretty simple, eh?
Life is like a box of chocolates, sweet
 
If you go to the <httpHandlers> section of your machine.config file, you will see the list of file types that are not served directly to a user. Mine were closer to the bottom of the node (.vb, .config, etc...) with the type of "System.Web.HttpForbiddenHandler".

Adding another element to this list (.xml for example) is supposed to not allow that type of file to be served directly to a user... authenticated or not authenticated.

Just FYI, since I realize that this isn't what you'd be after in this case. It just made me remember it when reading your post. Also, I played briefly with this but did not get it to work; it was said at the conference I attended that this does work, which of course doesn't make it gospel, but considering all the other files there, it probably will work.

My guess is that maybe you also have to add it to the web.config file or something?

Anyway... hope that'll be useful to you.

:)
paul
 
Hi Paul, thanks for the insight. I love learning new things, but I must say that this is a nightmare!
I figured out how the HttpHandlers work, but the problem is that you must map XML files to the aspnet_isapi.dll library (in IIS) for ASP.NET to see them on a web request. Unfortunately, I am using xml files to do bookkeeping, and when they are handled by ASP.NET, something goes wrong. I kept getting a scanner error on my treeview control binding (it is bound to an XML file). The error is: Expected token 'WHITESPACE' not found.

The way I originally did it works great, but has a downside: Someone looking at the application will not realize that the ASPX file is actually an XML file... I'm sure it will ruin someone's day eventually.

I guess I will have to keep my original solution for now. Thanks, though. I learned something new and that's worth a lot!

Cheers
Life is like a box of chocolates, sweet
 
In your web.config, put in this:

<configuration>

  <location path="password.xml">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>

I think that should work (remember, it's outside of the <system.web> nodeset).
mike griffith
----------------------------
mgriffith@lauren.com
mdg12@po.cwru.edu
 
Thanks for the post Mike,

Unfortunately that doesn't work. The xml file is viewable by anyone if they type in the url. Darn. I can feel that we're getting closer to the answer though. Cheers!
Life is like a box of chocolates, sweet
 
Wait... can't you set the file permissions to deny read for the IIS account (not aspnet, the main IUSR or whatever it is)?

Or wait... is there a reason that you're storing it in the same folder as the website? If you stick it in its own directory like c:\webs\web1\passwords.xml, and load it from there, it would be impossible to view without some sort of exploit... you don't want to let anyone view it, right?

Hope maybe this is a feasible solution; I'm going to dig into the original solution and hopefully have something workable.

mike griffith
----------------------------
mgriffith@lauren.com
mdg12@po.cwru.edu
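Putting Paul's httpHandlers idea and Mike's <location> block together, here is an added example web.config (written for this thread, not posted by anyone above) that refuses direct requests for any .xml file via System.Web.HttpForbiddenHandler and additionally denies passwords.xml to every browser user. It assumes the file is named passwords.xml and, as the thread notes, only takes effect once IIS maps the .xml extension to aspnet_isapi.dll; until then IIS serves the file as static content and never consults these settings.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <system.web>
    <!-- Any HTTP request for a .xml file in this application gets a 403.
         Server-side code that opens the file with Server.MapPath is unaffected,
         because that is file I/O, not an HTTP request; anything that fetches the
         file over HTTP (for example a browser-side control) will be refused. -->
    <httpHandlers>
      <add verb="*" path="*.xml" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>

    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>
  </system.web>

  <!-- Second layer: even if a handler later serves the file, no user may request it.
       <location> sits directly under <configuration>, not inside <system.web>. -->
  <location path="passwords.xml">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

Keeping the file outside the web root, as Mike suggests, removes the dependency on the IIS extension mapping entirely and is the simpler fix where the application can read it from an absolute path.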
 