eynugget  
#1 Posted : Saturday, June 21, 2008 2:42:14 AM(UTC)

Rank: Newbie

Groups: Member
Joined: 6/6/2008(UTC)
Posts: 1

I've been evaluating Image Uploader, which seems to be a fine product.

I've noticed that in the provided examples, all configuration for the control/applet is given in JavaScript, which leaves it quite insecure. If I have set file upload limitations on size or number of files or hidden certain buttons from view, a semi-clever hacker could easily get around the restrictions, having a clear-text view of the configuration information. This means that I would have to spend additional time developing safeguards on the backup to cover for this.

Is there any way to hide the configuration information?

For example, I have developed some commercial ActiveX controls for a few companies, and a simple way to hide configuration data is to store it on the server side and put simple encryption on it. The configuration file always overrides the clear-text settings on the client side. This and a few other simple security measures make the ActiveX control very secure. The same simple measures work for Java applets too.

Thanks.

Eugene Kosmin  
#2 Posted : Sunday, June 22, 2008 12:26:57 PM(UTC)

Rank: Advanced Member

Groups: Member, Administration, Moderator
Joined: 9/19/2006(UTC)
Posts: 505

Was thanked: 41 time(s) in 41 post(s)

Hello,

Quote:
Is there any way to hide the configuration information?

Most likely, it does not make sense.

Anyway, your server should not rely just on Image Uploader while validating upload data. A semi-clever hacker can send POST data to your upload script without Image Uploader at all, just using a Perl script, for example. So, a hardcoded configuration is not a complete solution in this case. Besides, Image Uploader does not have any methods for adding data for uploading without end-user interaction.

Lately, we have been watching IU ActiveX security closely and doing additional security testing before releasing new versions.

But if you really need a version with a hardcoded configuration, please submit a case in our support ticket system.

Best regards,

Eugene Kosmin

The Aurigma Development Team
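The point made in the reply above, that the server must enforce its own limits because the POST may never have come from Image Uploader at all, is illustrated by the following added example. It is not code from this thread or from Aurigma; it assumes the upload script has already parsed the multipart POST into (client filename, bytes) pairs, and the names `UploadLimits`, `validate_upload` and `storage_name` are hypothetical. The limits live in server code, so whatever the client-side configuration said (or whatever a hand-crafted Perl script sent) makes no difference to what is accepted.

```python
"""Server-side validation of an image upload batch (added example).

The client-side configuration of Image Uploader can only shape what a
well-behaved client sends. Everything that matters for security is
re-checked here, on the server, from the bytes actually received.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UploadLimits:
    """Limits enforced by the server regardless of client configuration."""
    max_files: int = 5
    max_bytes_per_file: int = 2 * 1024 * 1024
    max_total_bytes: int = 8 * 1024 * 1024
    # Magic-byte signatures of the image formats this endpoint accepts.
    # The client-supplied filename and Content-Type are not consulted.
    allowed_signatures: tuple = (
        (b"\xff\xd8\xff", "jpeg"),
        (b"\x89PNG\r\n\x1a\n", "png"),
        (b"GIF87a", "gif"),
        (b"GIF89a", "gif"),
    )


def detect_image_type(data: bytes, limits: UploadLimits):
    """Return the accepted format name for `data`, or None if it matches none."""
    for signature, kind in limits.allowed_signatures:
        if data.startswith(signature):
            return kind
    return None


def validate_upload(files, limits: UploadLimits = UploadLimits()):
    """Check a parsed batch of (client_filename, bytes) against server limits.

    Returns a list of human-readable error strings; an empty list means the
    whole batch is acceptable. Every check uses only what the server can
    observe itself: the number of parts, their sizes and their leading bytes.
    """
    errors = []
    if len(files) > limits.max_files:
        errors.append(f"too many files: {len(files)} > {limits.max_files}")
    total = 0
    for client_name, data in files:
        total += len(data)
        if len(data) > limits.max_bytes_per_file:
            errors.append(
                f"{client_name}: {len(data)} bytes exceeds per-file limit "
                f"{limits.max_bytes_per_file}"
            )
        if detect_image_type(data, limits) is None:
            errors.append(f"{client_name}: content is not an accepted image type")
    if total > limits.max_total_bytes:
        errors.append(f"batch of {total} bytes exceeds total limit {limits.max_total_bytes}")
    return errors


def storage_name(index: int, kind: str) -> str:
    """Name the stored file from a server-side counter and the detected type.

    The client's filename never reaches the filesystem, so path separators,
    double extensions or oversized names in the POST have no effect.
    """
    return f"upload-{index:04d}.{kind}"


# Constructed sample parts, standing in for what the multipart parser yields.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16       # 24 bytes, valid signature
SAMPLE_GIF = b"GIF89a" + b"\x00" * 10                  # 16 bytes, valid signature
SAMPLE_HTML = b"<html>not an image</html>"             # wrong content, .jpg name


if __name__ == "__main__":
    batch = [("photo.jpg", SAMPLE_HTML), ("a.png", SAMPLE_PNG), ("b.gif", SAMPLE_GIF)]
    for problem in validate_upload(batch):
        print("rejected:", problem)
    for i, (_, data) in enumerate(batch):
        kind = detect_image_type(data, UploadLimits())
        if kind:
            print("would store as", storage_name(i, kind))
```

The tighter limits in a second `UploadLimits` instance show how the same validator rejects a batch that a permissive client configuration would happily have sent; the outcome depends only on the server's numbers and the received bytes.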
