In one of my older posts, I explained the process of uploading images or files to Sitecore Media Library via Upload Watcher. But there are some security concerns about using this method.
Link to the post for Upload Images or Files to Sitecore Media Library via Upload Watcher.
If you allow users to upload content to the upload folder, and from there into Sitecore via the Upload Watcher, this is alarming: you are also giving them permission to place scripts and executable programs in that folder. Executing these scripts and programs may cause unexpected behavior on the Sitecore environment or the server.
To avoid this, you can deny the Script and Execute permissions on the upload folder, which prevents an uploaded file from being executed on the server side when a user attempts to download it.
To deny both the Script and Execute permissions for the upload folder, follow the steps below:
1. Open Internet Information Services (IIS).
2. Navigate to your Sitecore instance in IIS, click the upload folder, and then under the IIS section, double-click Handler Mappings.
3. In the Actions pane, click Edit Feature Permissions.
4. In the Edit Feature Permissions dialog box, uncheck the Script and Execute checkboxes and click OK.
If you want to ensure that the only way to upload files or images to a Sitecore instance is through the Media Library, you should disable the Upload Watcher.
This means that files can only be uploaded from the Sitecore client, and you keep control over the files that are uploaded.
When you disable the Upload Watcher, files that are placed in the upload folder will not get automatically uploaded to the Sitecore Media Library.
To disable the Upload Watcher:
Open the web.config file and remove the following line from the <system.webServer><modules> section:
<add type="Sitecore.Resources.Media.UploadWatcher,Sitecore.Kernel" name="SitecoreUploadWatcher"/>
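Both steps above can be scripted and verified. The following PowerShell is an added example, not code from the original post or from Sitecore; it assumes the IIS WebAdministration module is available, and the site name and web.config path are placeholders for your instance.

```powershell
# Added example: apply and verify the two hardening steps from this post.
# ASSUMPTIONS: site name and web.config path below are placeholders.
Import-Module WebAdministration

$siteName   = 'Sitecore'                                        # ASSUMPTION
$uploadPath = "IIS:\Sites\$siteName\upload"                     # folder the Upload Watcher polls
$webConfig  = 'C:\inetpub\wwwroot\Sitecore\Website\web.config'  # ASSUMPTION

function Set-UploadFolderReadOnly {
    param([string]$PSPath)
    # "Edit Feature Permissions" with Script and Execute unchecked is the
    # accessPolicy="Read" attribute on <handlers>; IIS stores it in a
    # web.config inside the upload folder.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/handlers' `
        -Name accessPolicy -Value 'Read'
}

function Test-UploadFolderReadOnly {
    param([string]$PSPath)
    # Read back the effective policy, e.g. "Read" or "Read, Script"
    $policy = (Get-WebConfiguration -PSPath $PSPath -Filter 'system.webServer/handlers').accessPolicy
    $granted = [string]$policy -split ',' | ForEach-Object { $_.Trim() }
    # Fails if either Script or Execute is still granted on the folder
    return -not ($granted -contains 'Script' -or $granted -contains 'Execute')
}

function Remove-UploadWatcherModule {
    param([string]$ConfigPath)
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $node = $cfg.SelectSingleNode(
        "/configuration/system.webServer/modules/add[@name='SitecoreUploadWatcher']")
    if ($null -eq $node) { return $false }      # already removed, nothing to do
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak"  # back up first
    [void]$node.ParentNode.RemoveChild($node)   # drop the <add .../> line shown above
    $cfg.Save($ConfigPath)
    return $true
}

Set-UploadFolderReadOnly -PSPath $uploadPath
if (-not (Test-UploadFolderReadOnly -PSPath $uploadPath)) {
    throw "upload folder still grants Script or Execute"
}
if (Remove-UploadWatcherModule -ConfigPath $webConfig) {
    Write-Host 'SitecoreUploadWatcher module removed from web.config'
}
```

Run it from an elevated PowerShell session on the web server; saving web.config recycles the application pool, so schedule it outside peak hours.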
References
Secure the file upload functionality - https://doc.sitecore.com/xp/en/developers/90/platform-administration-and-architecture/secure-the-file-upload-functionality.html
Disable Sitecore Upload Watcher - https://www.cmsbestpractices.com/best-practice/disable-sitecore-upload-watcher
Great post for security in sitecore.
Thank you.