Vulnerability in EPiServer.Forms
We have developed an application which copies an EPiServer content tree to another location in the tree. The application works fine in a development environment and in a testing environment. However, in the live environment we get the following error message:
[Importing page 1315_1597] Can't copy page, because: You are not authorized to create directories under /PageFiles/
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: EPiServer.Core.EPiServerException: [Importing page 1315_1597] Can't copy page, because: You are not authorized to create directories under /PageFiles/
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[EPiServerException: [Importing page 1315_1597] Can't copy page, because: You are not authorized to create directories under /PageFiles/]
EPiServer.LocalPageProvider.Copy(PageReference pageLink, PageReference destinationLink, Boolean publishOnDestination, Boolean allowThreading) +482
EPiServer.DataFactory.Copy(PageReference pageLink, PageReference destinationLink, AccessLevel requiredSourceAccess, AccessLevel requiredDestinationAccess, Boolean publishOnDestination, Boolean allowThreading) +320
The line on which we get the exception is:
PageReference CopiedPage = DataFactory.Instance.Copy(SourcePage, new PageReference(Properties.Settings.Default.ClubHomePage), AccessLevel.NoAccess, AccessLevel.NoAccess, true, false);
We believed it had something to do with the folder-permissions of the pagefile folder in our VPP folder, but we have tried almost every security setting there with no results. Now we have even given 'Everyone' full access on our VPP folder, but still no success.
After crashing, when we open the copied page in Edit mode in the CMS backend, we get the same error. However when we go to the file explorer and create a pagefile folder for this page, the page works fine.
Can the problem be anything else but the folder permissions in the VPP folder? Any help would be greatly appreciated.
Have you tried setting bypassAccessCheck to false for the pagesfiles-vpp?
Yes, setting bypassAccessCheck for pagefiles to True works! Thanks!
However, we are a bit hesitant to bypass access checks on a production server. What are the security risks when bypassing the access checks? The access checks do not seem to check the folder permissions (since we set the rights to full control and it still didn't work). Do they check internal access rights for the EPiServer user?
I'm not totally sure about this, but... If you set bypassAccessCheck to true for page files, the visitor, if they know the path to a certain file within a page file folder, can access those files for pages that are not published or pages that they do not have access to.
Since you are using a NoAccess way to copy the page, I guess another solution would be to impersonate a user with the right access to create folders in page files. I wrote a blog post about that a while ago: http://antecknat.se/blog/2009/03/04/scheduled-tasks-tips/
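The impersonation approach suggested in the last reply, sketched as an added example that is not part of the original thread or the linked blog post. It assumes the PrincipalInfo API in EPiServer.Security; the class name ContentTreeCopier and the account name svc-contentcopy are hypothetical, and the account is assumed to have been granted Create rights on the destination page and its page files.

```csharp
using System.Security.Principal;
using EPiServer;
using EPiServer.Core;
using EPiServer.Security;

public static class ContentTreeCopier
{
    // Hypothetical account name: a dedicated EPiServer user holding only the
    // rights the copy needs (Read on the source, Create on the destination).
    private const string CopyAccount = "svc-contentcopy";

    public static PageReference CopyAs(PageReference source, PageReference destination)
    {
        // Remember the caller's principal so it can be restored afterwards.
        IPrincipal original = PrincipalInfo.CurrentPrincipal;
        try
        {
            // Run the copy as the dedicated account, leaving
            // bypassAccessCheck="false" on the page files provider.
            PrincipalInfo.CurrentPrincipal = PrincipalInfo.CreatePrincipal(CopyAccount);

            // Require real access levels instead of AccessLevel.NoAccess, so a
            // misconfigured account fails here rather than copying unchecked.
            return DataFactory.Instance.Copy(
                source,
                destination,
                AccessLevel.Read,    // requiredSourceAccess
                AccessLevel.Create,  // requiredDestinationAccess
                true,                // publishOnDestination
                false);              // allowThreading
        }
        finally
        {
            // Always drop the elevated identity, even if the copy throws.
            PrincipalInfo.CurrentPrincipal = original;
        }
    }
}
```

Restoring the principal in the finally block keeps the elevated identity from leaking into later work on the same thread.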