13

On my website, users who have logged in are able to change their profile pictures, and this process includes saving the uploaded image to a folder in the website's root directory.

When I tested it, I received an error saying that I should grant access to this specific folder using permissions.

I do not have control over the Control Panel; the one who does said that he did grant the Images folder READ and WRITE permissions to Others.

After testing it again, I got the same error once again, so I edited web.config and included:

<identity impersonate="true"/>

And now everything seems to work perfectly. BUT, what did I just do here? Is there any security risk? Did I grant anonymous access to my website for everyone?

Ali Bassam

2 Answers

12

BUT, what did I just do here?

You are now running your website under the identity of the client user.

Is there any security risk?

That would depend on the permissions that this account has on the server. Usually it is bad practice to run a website with accounts that have lots of privileges. Ideally you should configure your website to run under an account that you explicitly grant privileges to the required folders.

The problem with your approach is that if another user that doesn't have access to the specified folder visits your website, it won't work for him. If on the other hand this is expected behavior then you are probably fine by impersonating user identities.

Did I grant anonymous access to my website for everyone?

No, this has nothing to do with authentication.

Darin Dimitrov
  • Since I don't have access to the Control Panel I am forced to test privileges by myself because contacting that guy is a pain. Anyway, I tried to access Folders, and it was forbidden (under impersonate=true), what else can I test to make sure that everything is secure? (I don't even know if this is right :( ) – Ali Bassam Jul 29 '13 at 12:36
  • As I already explained in my answer you should probably not be using impersonation. – Darin Dimitrov Jul 29 '13 at 12:38
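An added example (not code from the question or from either answer): a small Python check that reports where a web.config enables impersonation and whether a fixed account's password is stored in the file. The sample configuration, the `EXAMPLE\upload_svc` account and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original post): impersonation is
# enabled site-wide, and a <location> override adds a fixed identity.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms" />
    <identity impersonate="true" />
  </system.web>
  <location path="Images">
    <system.web>
      <identity impersonate="true" userName="EXAMPLE\\upload_svc" password="placeholder" />
    </system.web>
  </location>
</configuration>
"""


def audit_identity(config_xml):
    """Return one finding per <identity> element that enables impersonation."""
    root = ET.fromstring(config_xml)
    findings = []
    # <system.web> can sit directly under <configuration> or inside <location>.
    scopes = [("(site root)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    for scope, node in scopes:
        for identity in node.findall("system.web/identity"):
            if identity.get("impersonate", "false").lower() != "true":
                continue
            fixed = identity.get("userName")
            findings.append({
                "scope": scope,
                # No userName: ASP.NET uses the token IIS hands it per request.
                "runs_as": fixed or "token supplied by IIS for the request",
                # A fixed identity with a password attribute keeps it in the file.
                "cleartext_password": fixed is not None and "password" in identity.attrib,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_identity(SAMPLE_WEB_CONFIG):
        print(finding)
```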
3

What you have done is give user rights to work under the logged-in user.

And there is a security risk in making impersonate true.

If you are on production, I would recommend you to read this article http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

"Using impersonation in the web.config allows you to override whatever identity was configured for the Application Pool the app is running under - it's just a more fine grained method to control identity ( on the app level vs. the ApplicationPool level), so you could have two apps run on the same AppPool, but one of them uses impersonation to use another identity." courtesy: App pool identity versus impersonation identity?

Nipun Ambastha