Vulnerability in EPiServer.Forms
So, images are redirecting to /Util/login.aspx when using ImageResizer + EPiServerBlobReader + DiskCache + Network share.
For example http://example.com/globalassets/global/images/someimage.jpg?width=90&height=110&mode=crop redirects to http://example.com/Util/login.aspx?ReturnUrl=%2fglobalassets%2fglobal%2fimages%2fsomeimage.jpg%3fwidth%3d90%26height%3d110%26mode%3dcrop&width=90&height=110&mode=crop
If we log in to EPiServer CMS then the image loads correctly. Also, if we log in to another part of the website (a custom login form) instead of the CMS, the image also loads correctly. Obviously we cannot ask all the visitors to log in to see the images :-)
We have an EPiServer CMS 7.5 website (version 8.6.0). This website has MANY images. This website is also load-balanced 4x. Naturally we do not want to store each image 4 times. So we have a separate file-server for the images. We have configured the 'fileShare' blob-provider.
In order to get this to work we have:
And voila, it works. We can now access the image directly (without it going through ImageResizer):
So far so good. However, all these images need resizing using ImageResizer. Naturally we want to use caching (DiskCache plugin). And of course we want to cache these images on the file-server instead of on each web-server. We have created another share on the file-server with the same permissions as the blobs share, but now for ImageResizer's disk-cache.
First we tried to directly specify this path directly in the diskcache plugin's configuration like so:
This does not work. ImageResizer will simply create subfolders in the root of the website. So we have configured IIS with a Virtual Directory pointing to this share on the file-server and updated the configuration to use this Virtual Directory, like so:
And it will do the redirect to /util/login.aspx as mentioned above. When looking at Sysinternals' Process Monitor we can see the w3wp.exe process has access to the files from the network share and reads them correctly. However, when we are not logged in we see an extra event:
(url to image: https://cdn.pbrd.co/images/18qvtqiD.jpg)
For some reason the path is in UPPERCASE and the path is being accessed via IUSR (impersonation).
I replaced the NuGet package with the plugin's code (https://github.com/valdisiljuconoks/ImageResizer.Plugins.EPiServerBlobReader/). When debugging it goes through the EPiServerBlobReaderPlugin.GetFile function and returns the blob for ImageResizer to use. However, directly after that the util/login.aspx file (and all its resources, CSS etc.) also goes through the same GetFile function. This is probably because somewhere the access is denied and the image request gets redirected to the EPiServer login page.
When specifying a local cache folder, the images do load (and we do not get the redirect).
Any help would be very much appreciated.
Grant read access rights to IUSR on the ImageResizer folder (file access rights)
Thank you for your reply. It turns out that we had to edit the Anonymous Authentication Credentials and set it to Application pool identity.
It was set to IUSR.
Thank you Josef for this solution.
I am wondering though if changing the Anonymous Authentication Credentials affects security? Of course we make sure that the user we run our site under has minimal access rights... Any thoughts?
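The two fixes discussed in this thread (grant IUSR read access, or switch anonymous requests to the application pool identity) as one added PowerShell example. This is not code from the thread or from ImageResizer/EPiServer; the site name, pool name, service account and share paths are assumptions. It also addresses the last question: once anonymous requests run as the pool identity, every unauthenticated request runs as that account, so it should be a dedicated low-privilege domain account with read-only access to the blob share and modify access only on the DiskCache share.

```powershell
# Added example, not part of the original thread. Assumed names below.
Import-Module WebAdministration

$site      = 'Default Web Site'            # assumed IIS site name
$appPool   = 'EPiServerSite'               # assumed application pool name
$svcUser   = 'CORP\svc-episerver'          # assumed low-privilege domain account
$blobShare = '\\fileserver\blobs'          # assumed fileShare blob provider path
$cacheDir  = '\\fileserver\imagecache'     # assumed ImageResizer DiskCache share
$authPath  = '/system.webServer/security/authentication/anonymousAuthentication'

# Show who anonymous requests currently run as.
# "IUSR" = the built-in account; an empty userName = "Application pool identity".
$current = Get-WebConfigurationProperty -Filter $authPath -Name userName -PSPath 'IIS:\' -Location $site
"Anonymous requests currently run as: '$($current.Value)'"

# Option A (the first reply): keep IUSR and grant it read/execute on the cache.
# IUSR is a local account, so this only helps when the cache folder is local to
# the web server; it does not give IUSR rights on a remote share.
# icacls $cacheDir /grant 'IUSR:(OI)(CI)(RX)'

# Option B (what resolved the thread): run anonymous requests as the pool identity.
# 1. Give the pool a domain identity the file server can authenticate
#    (identityType 3 = SpecificUser).
$svcPassword = Read-Host "Password for $svcUser"
Set-ItemProperty "IIS:\AppPools\$appPool" -Name processModel `
    -Value @{ identityType = 3; userName = $svcUser; password = $svcPassword }

# 2. Empty userName tells IIS to use the application pool identity for
#    anonymous authentication instead of IUSR.
Set-WebConfigurationProperty -Filter $authPath -Name userName -Value '' `
    -PSPath 'IIS:\' -Location $site

# 3. Least privilege on the shares: blobs are read-only for the site,
#    the DiskCache folder needs modify because ImageResizer writes resized files.
icacls $blobShare /grant "$($svcUser):(OI)(CI)(RX)"
icacls $cacheDir  /grant "$($svcUser):(OI)(CI)(M)"

# 4. Verify from the outside: a resized image must come back as 200 image/*,
#    not a 302 to /Util/login.aspx. -MaximumRedirection 0 makes a redirect an error.
$testUrl = 'http://example.com/globalassets/global/images/someimage.jpg?width=90&height=110&mode=crop'
try {
    $r = Invoke-WebRequest -Uri $testUrl -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    "OK: $($r.StatusCode) $($r.Headers['Content-Type'])"
} catch {
    "Still redirecting or failing: $($_.Exception.Message)"
}
```

Running the checks before and after the change shows which identity the redirect was tied to. After switching, Process Monitor should show the cache reads under the service account rather than IUSR, and the account's share permissions are the only thing that separates the image cache from the rest of the file server, so keep that ACL as narrow as the two icacls lines above.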