Guy Willett (posted May 17, 2011):

Hello,

I have just bought the standard license for SuperContainer. I have installed it on my remote FileMaker server (clicked the installer.jar) and registered it... so far so good.

What I find a bit alarming is that I can go to http://myserver.com/SuperContainer/Files/my/custom/file/path in a browser (not via FM) and upload, download, delete anything and everything, no authentication required! I can create and delete directories/files in SuperContainer this way, as could anyone else from a browser by merely knowing the above URL.

I understand the idea of using SSL and long random directory names so Joe Public can't access particular files. But this is different. If I used an img source in a public website pointing to a SuperContainer file, then anyone could view that URL using the browser's "view source". They could then paste it into the browser and delete the image and upload a malicious script... or anything else into SuperContainer.

Is there any way to stop someone from creating /SuperContainer/Files/someothername if they feel like it, i.e. only writable if you are an FM user, for example?

I hope I am missing something here! Many thanks for any input...

Guy

Smef (posted May 17, 2011):

I would recommend setting a username and password for your server if security is an issue, which you can configure through the GUI interface if you are running in stand-alone mode, or through the web.xml file located at FileMaker Server/Web Publishing/publishing-engine/cwpe-tomcat/bin/SuperContainer/WEB-INF/web.xml if you have installed with FileMaker Server using installer.jar.

Guy Willett (posted May 19, 2011):

Many thanks! Not sure how I missed this....

Cheers

Guy

Ocean West (posted May 19, 2011):

If you don't have a password turned on, you could obfuscate the directory path by making the path to the file a segment of a UUID... so if the UUID on the record is

C42C0313AE37-C43FDAFC-322A-1A4D-4075

you could do a substitute and swap out "-" for a "/" and then append a serial number for the record. The path would be

www.domain.com/SuperContainer/Files/C42C0313AE37/C43FDAFC/322A/1A4D/4075/9999

jrie818 (posted October 10, 2011):

> If you don't have a password turned on, you could obfuscate the directory path by making the path to the file a segment of a UUID... so if the UUID on the record is
>
> C42C0313AE37-C43FDAFC-322A-1A4D-4075
>
> you could do a substitute and swap out "-" for a "/" and then append a serial number for the record. The path would be
>
> www.domain.com/SuperContainer/Files/C42C0313AE37/C43FDAFC/322A/1A4D/4075/9999

What about the software that "claims" it can download an entire website to the user's local hard drive? Since all the SuperContainer files are saved in a public address, can this be possible?

Smef (posted November 3, 2011):

I believe that this sort of software works by following and saving all of the links on a website, which would not work for SuperContainer. I also believe that you tested this in another thread and found that this did not work on SuperContainer since SuperContainer doesn't have links to its documents and isn't crawlable like a regular webpage.

jrie818 (posted November 7, 2011):

> I believe that this sort of software works by following and saving all of the links on a website, which would not work for SuperContainer. I also believe that you tested this in another thread and found that this did not work on SuperContainer since SuperContainer doesn't have links to its documents and isn't crawlable like a regular webpage.

Yes, I was thinking about that. Thanks for confirming.

vrobinson (posted May 20, 2013):

I can confirm what Smef said about crawlability, too. I had to deal with something like this and took a somewhat more complicated, but I think even more secure, approach (you can tell me if you think it is). Details at http://fmforums.com/forum/topic/78348-hiding-passuser-on-website/