How to hide CuteWebUI.AjaxUploader temporary directory information

Question

I am using cute web ui ajax uploader and recent security review shows the this control exposing the error message when the VFN param inrequest is tweaked or when trying to upload a malformed file with name say a file name "virus's''.docx"

I have set the HideDirectoryproperty true in webconfig with no luck (under appsettings)

The documentation states setting the above property should hide the file directory from displaying on errormessages http://ajaxuploader.com/document/index.htm?page=html/webconfig-appsettings.htm

Note: This is a web application in ASP.net 4.0 with CuteWebUI.AjaxUploader.dll 3.0version

Any pointers would be highly appreciated.

score 1 · Accepted Answer · answered Oct 17 '17 at 02:48

The issue turned out be bad documentation from CuteWebUI team The documentation mentions about setting HideDirectory property in app settings true and the example shows

"<add key="CuteWebUI.AjaxUploader.HideDirectory" value="true" />"

The real issue is the property value is case sensitive(counter intuitive enough). If the following property is set under AppSettings Section in webconfig the directory path in the errors can be masked fixing the security flaw.

<add key="CuteWebUI.AjaxUploader.HideDirectory" value="True" />

OMG, you made my day! I had the same issue and I would never have thought of it. This control is really bad. No one should still be using it in 2018! — Gyum Fox, Jul 09 '18 at 12:22

How to hide CuteWebUI.AjaxUploader temporary directory information

1 Answers1