Views: 4189
Number of votes: 3
Average rating:

Protect your plugins!

One of the things I love about EPiServer is how easy it is to extend. I’m sure that most of the EPiServer projects out there uses some kind of edit or admin plugin.

Attention2

What we see very often, is that these plugins are not under EPiServer authorization. In effect, If you know the url to the plugin .aspx, you can browse it directly anonymously!


So, how can we be sure that the plugins are secured?
Well, any of the solutions below should solve the problem.

Safest bet: Check access from code when aspx loads

protected override void OnInit(EventArgs e)
{
  base.OnInit(e);
  /// Making sure only administrators can reach this plugin
  if (!EPiServer.Security.PrincipalInfo.HasAdminAccess)
     AccessDenied();
}

This is a sample from an admin plugin. Your .aspx need to inherit from an EPiServer PageBase class (e.g. EPiServer.SimplePage) in order to use the AccessDenied method.

Using the location tag in web.config

<location path="EPiCode/ManageLanguages">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

This is the same way EPiServer secures it’s admin and edit mode. Remember to add this section in all environments – development, test and especially at the production server. You can also place your plugin the same place as the EPiServer UI, but this complicates module packaging (as the UI paths will differ from project to project).

There is also the option of adding a web.config file at the same level as the .aspx file(s). An example implementation can be found here:  web.config for the EPiCode.PageTypeUtil module.

Important: Using the ICustomPlugInLoader interface (see description here) will not secure your aspx.

Use 5 minutes today to verify that your plugins are secure - this also includes any module plugins downloaded from CodePlex, EPiCode or the Code section on world.episerver.com.

Nov 11, 2010

oyvind
(By oyvind, 11/11/2010 11:32:18 AM)

Great reminder and very important !

Magnus Rahl
(By Magnus Rahl, 11/11/2010 11:34:54 AM)

Very important - and often forgotten!

per.nergard
(By per.nergard, 11/11/2010 12:06:58 PM)

Aah always used the location element way. But doing it in code is so much nicer.

(By , 11/11/2010 12:52:11 PM)

Great post!
One way to solve the problem with putting the aspx/ascx in EPiServers UI-folder is to
have them embedded as resources and then register an appropriate VirtualPathProvider to deliver them from the edit/admin url.

tost
(By tost, 11/12/2010 2:20:14 AM)

Great post Mari, this is something that a lot of people forget.

Please login to comment.