Guy Willett Posted May 17, 2011

Hello, I have just bought the standard license for SuperContainer. I have installed it on my remote FileMaker server (clicked the installer.jar) and registered it... so far so good.

What I find a bit alarming is that I can go to http://myserver.com/SuperContainer/Files/my/custom/file/path in a browser (not via FM) and upload, download, delete anything and everything, no authentication required! I can create and delete directories/files in SuperContainer this way, as could anyone else from a browser by merely knowing the above URL.

I understand the idea of using SSL and long random directory names so Joe Public can't access particular files. But this is different. If I used an img source in a public website pointing to a SuperContainer file, then anyone could view that URL using the browser's "view source". They could then paste it into the browser and delete the image and upload a malicious script... or anything else into SuperContainer.

Is there any way to stop someone from creating /SuperContainer/Files/someothername if they feel like it... i.e. only writable if you are an FM user, for example? I hope I am missing something here!

Many thanks for any input...

Guy
Smef Posted May 17, 2011

I would recommend setting a username and password for your server if security is an issue, which you can configure through the GUI interface if you are running in stand-alone mode, or through the web.xml file located at FileMaker Server/Web Publishing/publishing-engine/cwpe-tomcat/bin/SuperContainer/WEB-INF/web.xml if you have installed with FileMaker Server using installer.jar.
Guy Willett Posted May 19, 2011 (Author)

Many thanks! Not sure how I missed this...

Cheers, Guy
Ocean West Posted May 19, 2011

If you don't have a password turned on, you could obfuscate the directory path by making the path to the file a segment of a UUID. So if the UUID on the record is C42C0313AE37-C43FDAFC-322A-1A4D-4075, you could do a substitute and swap out "-" for "/" and then append a serial number for the record. The path would be www.domain.com/SuperContainer/Files/C42C0313AE37/C43FDAFC/322A/1A4D/4075/9999
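The path scheme above, written out as a builder plus a matching validator. This is an added example, not code from the thread or from SuperContainer; the function names are mine, and it assumes the record UUID is dash-separated hexadecimal (FileMaker's Get(UUID) produces that form) and the record serial is a non-negative integer. The validator is useful if a reverse proxy or script in front of SuperContainer should only pass through paths that follow the scheme; note that only the UUID segments are hard to guess, the trailing serial is sequential.

```python
"""Build and validate UUID-segmented SuperContainer file paths.

Added example, not part of the forum thread or of SuperContainer itself.
Assumptions: record UUIDs are dash-separated hex, serials are integers >= 0,
and files live under the "SuperContainer/Files" prefix.
"""
import re
import uuid

BASE = "SuperContainer/Files"
HEX = set("0123456789abcdefABCDEF")
# one or more hex segments, then a trailing decimal serial
SCHEME = re.compile(r"^[0-9A-Fa-f]+(?:/[0-9A-Fa-f]+)*/[0-9]+$")


def obfuscated_path(record_uuid: str, serial: int, base: str = BASE) -> str:
    """Swap the UUID's dashes for slashes and append the record serial."""
    if serial < 0:
        raise ValueError("serial must be non-negative")
    segments = record_uuid.strip().split("-")
    if not all(seg and set(seg) <= HEX for seg in segments):
        raise ValueError("record_uuid must be dash-separated hexadecimal")
    return f"{base}/{'/'.join(segments)}/{serial}"


def new_record_uuid() -> str:
    """Random (version 4) UUID for a new record.

    The unguessability of the resulting path rests entirely on this value
    being random; a sequential or timestamp-derived identifier would not do.
    """
    return str(uuid.uuid4()).upper()


def is_well_formed(path: str, base: str = BASE) -> bool:
    """True if the path follows the scheme (hex segments, then a serial).

    Rejects anything else, including traversal segments such as "..".
    """
    prefix = base + "/"
    if not path.startswith(prefix):
        return False
    return SCHEME.match(path[len(prefix):]) is not None


if __name__ == "__main__":
    sample = obfuscated_path("C42C0313AE37-C43FDAFC-322A-1A4D-4075", 9999)
    print(sample, is_well_formed(sample))
    print(obfuscated_path(new_record_uuid(), 1))
```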
jrie818 Posted October 10, 2011

> If you don't have a password turned on, you could obfuscate the directory path by making the path to the file a segment of a UUID. So if the UUID on the record is C42C0313AE37-C43FDAFC-322A-1A4D-4075, you could do a substitute and swap out "-" for "/" and then append a serial number for the record. The path would be www.domain.com/SuperContainer/Files/C42C0313AE37/C43FDAFC/322A/1A4D/4075/9999

What about the software that "claims" it can download an entire website to the user's local hard drive? Since all the SuperContainer files are saved at a public address, can this be possible?
Smef Posted November 3, 2011

I believe that this sort of software works by following and saving all of the links on a website, which would not work for SuperContainer. I also believe that you tested this in another thread and found that this did not work on SuperContainer, since SuperContainer doesn't have links to its documents and isn't crawlable like a regular webpage.
jrie818 Posted November 7, 2011

> I believe that this sort of software works by following and saving all of the links on a website, which would not work for SuperContainer. I also believe that you tested this in another thread and found that this did not work on SuperContainer, since SuperContainer doesn't have links to its documents and isn't crawlable like a regular webpage.

Yes, I was thinking about that. Thanks for confirming.
vrobinson Posted May 20, 2013

I can confirm what Smef said about crawlability, too. I had to deal with something like this and took a somewhat more complicated, but I think even more secure, approach (you can tell me if you think it is). Details at http://fmforums.com/forum/topic/78348-hiding-passuser-on-website/