Vulnerability in EPiServer.Forms
We've an issue with assets that are either not published or have been moved to trash returning 401s rather than 403s or 404s if an end user tries to access them. This is a problem especially where assets have been moved to trash when they are referenced from an HTML editor field, because when the asset is deleted it doesn't moan about being referenced.
So the result of this is that our customer users are frequently presented with a login prompt, which they're saying is a bug, but I'm pretty sure EPiServer support would not agree!
Is there a workaround for this? I've tried using an HTTP module to capture the HttpApplication EndRequest (which is the earliest that the status is available) but this throws an exception on embedded content because headers are already sent.
Hmm, maybe I need to raise a feature request to allow me to edit and fix all those typos!
I tested this on an Alloy site with the latest EPiServer version and it returned a 404 for the images in trash (I remember this was an issue in an older version). Can you please confirm which version you are on? An upgrade can fix that.
You will still get a 401 if the user is not authorized. Check whether those assets have the visible right for everyone.
Thanks for the info. K. We are on 7.19.2 but unfortunately we can't upgrade so I guess we'll have to live with this issue for now.
(We use on-premise Find in a secure closed environment which is not upgradable yet, and EPiServer 8.* has a dependency on later versions of Find.)
I'll test this in an Alloy site too though.