WebSpellChecker security risk

Last post 07-28-2008 17:08 by [Infragistics] Tony Lombardo. 1 replies.
Page 1 of 1 (2 items)
  • 07-15-2008 21:32

    • deta
    • Not Ranked
    • Joined on 07-16-2008
    • Points 30

    WebSpellChecker security risk

    I've just discovered what I consider to be a security risk with the WebSpellChecker control.  Our web app uses the WebSpellChecker control with the U.K. version of the dictionary.  We therefore have to set the dictionary in code as follows:

    // Verbatim string (@"...") so the backslash is not read as the start of a \u escape
    this.WebSpellChecker1.Dictionary = System.IO.Path.Combine(Request.PhysicalApplicationPath, @"_dictionary\uk-english-v2-whole.dict");

    When viewing the source of the rendered page I was shocked to find that the JavaScript ig_CreateWebSpellChecker function generated by the control contains the full physical path to the .dict file, e.g. E:\MyWebApp\WebApp1\_dictionary\uk-english-v2-whole.dict

    This sucks.  Any potential hacker can simply navigate to one of the web pages that contains a spell checker control, examine the Javascript on the rendered page source, and hey presto they now know the physical path of the web app.

    Why does the full physical path of the .dict file need to be included in a client side function?

    M.Johnson


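As an added check (not code from the original post or from Infragistics), the following C# scans rendered page markup for Windows drive-letter paths, the kind of leak described above. The script block it scans is a constructed sample shaped like the ig_CreateWebSpellChecker call; the class and method names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not Infragistics code: find physical paths that reached the client.
static class PhysicalPathLeakCheck
{
    // Matches a drive-letter path such as E:\MyWebApp\WebApp1\_dictionary\x.dict.
    // Each segment allows one or two backslashes so the doubled backslashes of a
    // JavaScript string literal are matched too.
    static readonly Regex WindowsPath = new Regex(
        @"[A-Za-z]:(?:\\\\?[^\\\s'""<>;,)]+)+",
        RegexOptions.Compiled);

    // Returns every drive-letter path found in the supplied markup.
    public static IList<string> FindLeakedPaths(string html)
    {
        var hits = new List<string>();
        foreach (Match m in WindowsPath.Matches(html))
            hits.Add(m.Value);
        return hits;
    }

    static void Main()
    {
        // Constructed sample: a script block shaped like the one the post describes.
        const string renderedPage =
            "<script type=\"text/javascript\">\n" +
            "ig_CreateWebSpellChecker('WebSpellChecker1', " +
            "'E:\\\\MyWebApp\\\\WebApp1\\\\_dictionary\\\\uk-english-v2-whole.dict');\n" +
            "</script>";

        IList<string> leaks = FindLeakedPaths(renderedPage);
        if (leaks.Count == 0)
            Console.WriteLine("No physical paths found in the rendered page.");
        foreach (string path in leaks)
            Console.WriteLine("Physical path exposed to the client: " + path);
    }
}
```

Running this over the HTML a test client receives (for example in an integration test) turns the manual "view source" inspection into a repeatable check that fails the build when a server-side path appears in client output.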
  • 07-28-2008 17:08 In reply to

    Re: WebSpellChecker security risk

    This is certainly something we'll want to take care of - I definitely understand why you wouldn't want to tell hackers anything about your site/server that they couldn't find out themselves!

    I believe the value is sent down with the ASPX page so that it can be sent back up to the server when the secondary webspellcheckerdialog window is displayed.  The problem is that the two pages are distinct and they need to be able to pass information between them.  The solution is to find a state medium, either through session or in this case through the client.  However, that's no reason to broadcast your physical environment, and there should be ways to correct this, even if it comes down to garbling the string.

    It's best if you go directly through our support department with this incident so that a formal ticket can be created and we can give you a case number for reference.  The support options are listed at http://www.infragistics.com/gethelp, or you can go directly to the online incident reporting page @ http://devcenter.infragistics.com/Protected/SubmitSupportIssue.Aspx

    Thanks again for taking the time to report this,

    -Tony

    Anthony Lombardo
    Lead Technical Evangelist
    Infragistics, Inc.
    Worldwide Evangelism Group

    tonyl@infragistics.com
    blogs.infragistics.com

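The reply above describes the design problem: the dialog page needs to know which dictionary to use, but the physical path should not be the thing that travels through the client. The following C# is an added illustration (not Infragistics code and not how the control is actually implemented) of one way to do that: the server keeps the path and hands the browser only an unguessable token, which the dialog page posts back. The registry class, its method names and the sample path are this example's own assumptions; in ASP.NET the dictionary it holds would live in Session or a server-side cache.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not Infragistics code: map an opaque token to a server-side path.
public sealed class DictionaryHandleRegistry
{
    // Stand-in for Session or a server-side cache; never sent to the client.
    private readonly Dictionary<string, string> _handles = new Dictionary<string, string>();

    // Stores the physical path and returns a random 128-bit token for the page script.
    public string Register(string physicalPath)
    {
        var bytes = new byte[16];
        RandomNumberGenerator.Create().GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
        _handles[token] = physicalPath;
        return token;
    }

    // The dialog page posts the token back; only a token this server issued resolves.
    public bool TryResolve(string token, out string physicalPath)
    {
        return _handles.TryGetValue(token ?? string.Empty, out physicalPath);
    }
}

static class Demo
{
    static void Main()
    {
        var registry = new DictionaryHandleRegistry();

        // Constructed path; with this design only the token reaches the browser.
        string token = registry.Register(@"E:\MyWebApp\WebApp1\_dictionary\uk-english-v2-whole.dict");
        Console.WriteLine("Client-side script receives only: " + token);

        string resolved;
        Console.WriteLine(registry.TryResolve(token, out resolved)
            ? "Server resolved dictionary: " + resolved
            : "Unknown token");

        // A token the server never issued resolves to nothing.
        Console.WriteLine(registry.TryResolve("not-a-real-token", out resolved)
            ? "Unexpected"
            : "Forged token rejected");
    }
}
```

Because the token is random rather than derived from the path, the rendered JavaScript reveals nothing about the server's directory layout, and a token that was never issued (or has expired with the session) simply fails to resolve.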