FTP Attachments® Pro - SQL Injection Vulnerabilities.

Modified on Tue, 4 Feb, 2014 at 12:42 PM

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser.


The RequireSSL property value is set in the configuration file of an ASP.NET application by using the requireSSL attribute of the forms configuration element. You can specify in the web.config file of your ASP.NET application whether SSL (Secure Sockets Layer) is required to return the forms-authentication cookie to the server by setting the requireSSL attribute.


In the FTP Attachments® web.config, set the RequireSSL and ForceSSLLogin attributes to true (refer to Figure 1.1 and Figure 1.2). Set RequireSSL and ForceSSLLogin to true only if the forms-authentication cookie must be returned to the server over SSL; the default value is false. To make the above changes, the user requires an SSL certificate.


Along with RequireSSL and ForceSSLLogin, change the key values in the appSettings tag that control log writing (refer to Figure 1.1 and Figure 1.2). The default value of ShowDebugLog, ShowExceptiontoEndUser and ShowAPICallLog is true. To test the FTP Attachments® application for SQL injection vulnerabilities, the user has to change these values to false (refer to Figure 1.1), because the logging method is called while the log is written and the user will get SQL injection vulnerability findings from it. Hence, to avoid that, set the respective values to false. In the case of Standalone users this issue will not arise, as the user installs the package on their own application server, so the log settings depend on the user's requirements.


Figure 1.1 Modification in appSettings tag

Figure 1.2 Modification in requireSSL

It is recommended that if you configure requireSSL as false, you also configure slidingExpiration as false, to reduce the amount of time for which a ticket is valid.

Note: requireSSL is true if SSL is required to return the forms-authentication cookie to the server; otherwise, false. The default is false.
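As an added example (not the product's or Microsoft's own code), the following Python check parses a web.config fragment and reports which of the settings discussed above are still at their insecure values. Both sample fragments are constructed for the example, and placing ForceSSLLogin under appSettings is an assumption, since the article only shows it in the figures.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the product's real web.config); ForceSSLLogin is
# assumed to be an appSettings key, the page does not show where it lives.
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="ShowDebugLog" value="true" />
    <add key="ShowExceptiontoEndUser" value="true" />
    <add key="ShowAPICallLog" value="true" />
    <add key="ForceSSLLogin" value="false" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="false" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>"""

# Same fragment with the article's recommended values applied.
HARDENED_CONFIG = (WEAK_CONFIG.replace('value="true"', 'value="false"')
    .replace('"ForceSSLLogin" value="false"', '"ForceSSLLogin" value="true"')
    .replace('requireSSL="false" slidingExpiration="true"',
             'requireSSL="true" slidingExpiration="false"'))

EXPECTED_APPSETTINGS = {"ShowDebugLog": "false", "ShowExceptiontoEndUser": "false",
                        "ShowAPICallLog": "false", "ForceSSLLogin": "true"}

def audit_web_config(xml_text):
    """Return a list of findings; empty means the config follows the article."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("appSettings")
    settings = {} if app is None else {
        a.get("key"): (a.get("value") or "").lower() for a in app.findall("add")}
    for key, want in EXPECTED_APPSETTINGS.items():
        got = settings.get(key)
        if got != want:
            findings.append(f"appSettings {key}={got!r}, expected {want!r}")
    forms = next(root.iter("forms"), None)
    if forms is None:
        findings.append("no <forms> element under <authentication>")
        return findings
    # ASP.NET defaults when the attribute is absent: requireSSL=false, slidingExpiration=true.
    require_ssl = (forms.get("requireSSL") or "false").lower()
    sliding = (forms.get("slidingExpiration") or "true").lower()
    if require_ssl != "true":
        findings.append(f"forms requireSSL={require_ssl!r}, expected 'true'")
        if sliding != "false":
            findings.append("forms slidingExpiration should be 'false' while requireSSL is false")
    return findings
```

Running `audit_web_config` on a deployed web.config before and after the change is a quick way to confirm that all three log keys, ForceSSLLogin and requireSSL were actually updated.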
