Security issues were recently identified involving the encryption password used for file streaming in the DataFlex 17.1 and 18.0 Web Application Framework. To address the issues, changes have been made to both product revisions to provide developers with much more secure encryption and application environments. This post describes the issues and the changes so you can update and enhance the security of your DataFlex web applications.

The new builds are: DataFlex 17.1.38.3 and DataFlex 18.0.20.15. Essentially the same set of internal changes has been applied to both product revisions. Even though the changes impact only the Studio and Server we have created the full set of installations (Studio, Server and Client) to replace the existing 17.1 and 18.0 releases.

You can download the new product revisions at these locations:

DataFlex 18.0: ftp://ftp.dataaccess.com/pub/product...flex/Software/
DataFlex 17.1: ftp://ftp.dataaccess.com/pub/products/vdf/Software/

We strongly advise you to read this entire document and to follow the recommendations below under the heading “What You Should Do Now”.

The Security Issues

The web resource manager object (cWebResourceManager) is used to allow developers to upload and download server files. Because this requires access to server directories that do not have direct web-shares, a series of passwords and encryption strategies are used to secure file uploads and downloads. While we documented that each application should set a unique encryption password (psEncryptPassword), it was too easy for a developer to just leave the default password in place. This could allow a hacker with intimate knowledge of the DataFlex Web Framework to use a known password to reverse engineer encrypted information and access files from the server.

We have resolved these issues by:


  1. Making sure that each Web Application has a unique encryption password.
  2. Limiting the directories that can be used for uploads and downloads and giving you the ability to control those locations or even turn those capabilities off completely. This essentially sandboxes any risks even with the new security enhancements.
  3. Strengthening the encryption method used.


These changes were made primarily in the cWebResourceManager and for the most part will be transparent to your application. The main change that you must make to improve security is to set the psEncryptPassword property in your existing application’s cWebApp object. You may have already taken this step when we published the first notice in November. Note that if you create a new web application using the new versions of the Studio, a unique 40 character password will be created for you. If you do not set a psEncryptPassword, the new default value from the class is now “”. This is now an invalid password and will generate an error at runtime and disallow access.

File uploads and downloads are now limited to “registered” (i.e., developer specified) directories and their sub-directories. The framework automatically registers a default download and upload directory based on properties and in most cases these default directories will suffice. You can register additional folders as needed. By default files are downloaded from <workspace>\Reports\Cache and uploaded to <workspace>\Data\Uploads. This can be customized with the following interfaces:

cWebResourceManager

RegisterDownloadFolder - This procedure is used to register a local file path as an accessible download folder. This means that download URLs can be generated for files inside this folder using the DownloadUrl and CustomDownloadUrl functions. Download URLs pointing to files that are not inside a registered folder will result in an error. This is an extra layer of security that sandboxes the download URLs. Note: The download folder needs to be registered in every process, so this should be done when starting a process, for example inside End_Construct_Object or directly inside an object.

Params: String sPath (the absolute path to a local folder)

RegisterUploadFolder - This procedure is used to register a local file path as an accessible upload folder. This means that files can be uploaded to this folder using the cWebUploadButton and cWebUploadForm controls. Note: The upload folder needs to be registered in every process, so this should be done when starting a process, for example inside End_Construct_Object or directly inside an object.

Params: String sPath (the absolute path to a local folder)

pbRegisterReportsCacheFolder - This property controls the default cache folder being registered as a download folder. The reports cache folder is determined using the GetReportsCache function in the cWebApp object. This property defaults to true so that the report cache folder is registered.

pbRegisterUploadsFolder - This property controls whether the default upload folder is registered as an upload folder. The default upload folder is determined using the UploadFolder function in the cWebApp object. This property defaults to true so that the uploads folder is registered.

pbAllowNonSessionDownloads - This property allows (or disallows) non-session-bound file downloads. Download URLs are usually bound to a specific session unless they are generated with the pbDownloadBindSession property set to false or using the CustomDownloadUrl function. This property defaults to false to increase the default security of the system.

cWebApp

GetReportsCache - This function determines the path to the default report cache folder. This folder is usually used to contain application-generated reports (like PDFs) that will be streamed to the client. By default the folder is located inside the workspace under "<home>\Reports\Cache". This folder is automatically created at runtime if bCreate is passed as true. The resource manager (cWebResourceManager) registers this folder by default as a download folder.

Params: Boolean bCreate (if passed as true the folder will be created)
Returns: String containing the absolute path to the reports cache folder.

UploadFolder - This function determines the path to the application’s default upload folder. This folder is usually used to temporarily store files that are uploaded from the client. By default the folder is located inside the data folder with the name Uploads ("<home>\Data\Uploads"). The resource manager (cWebResourceManager) registers this folder by default as being an upload folder.

Params: Boolean bCreate (if passed as true the folder will be created)
Returns: String containing the absolute path to the upload folder.

If any changes are required in your application, they will most likely be to register additional upload and download folders. Additional folders are registered by calling RegisterDownloadFolder and RegisterUploadFolder. If you attempt to download or upload files from a non-registered folder you will now get a runtime error.
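As an added illustration (not part of this notice and not the DataFlex framework's own code), the following Python model shows the three rules described above working together: the empty default psEncryptPassword is rejected, a download is permitted only if the canonicalised path lies inside a registered folder or one of its sub-directories, and download tokens are bound to a session unless non-session downloads are explicitly allowed. The class and method names are invented for this example; the password value and paths are constructed sample data.

```python
import hmac
import hashlib
import ntpath  # Windows path rules, usable on any platform


class ResourceManagerModel:
    """Toy model of the registered-folder sandbox and session-bound
    download tokens. Not the framework's implementation."""

    def __init__(self, encrypt_password, allow_non_session_downloads=False):
        # The new class default for psEncryptPassword is "" and is invalid.
        if not encrypt_password:
            raise ValueError("psEncryptPassword is empty: set a unique value")
        self._key = encrypt_password.encode("utf-8")
        self._download_folders = []
        self.allow_non_session_downloads = allow_non_session_downloads

    @staticmethod
    def _canon(path):
        # Collapse "." and "..", unify separators and case, so that the
        # containment test runs on the real location, not the raw string.
        return ntpath.normcase(ntpath.normpath(path))

    def register_download_folder(self, folder):
        self._download_folders.append(self._canon(folder))

    def is_downloadable(self, file_path):
        # Match the folder itself or a path strictly below it; comparing
        # with a trailing separator avoids "Cache" matching "CacheOther".
        target = self._canon(file_path)
        return any(target == f or target.startswith(f + "\\")
                   for f in self._download_folders)

    def _sign(self, file_path, session_id):
        msg = (self._canon(file_path) + "|" + (session_id or "")).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def download_token(self, file_path, session_id=None):
        if not self.is_downloadable(file_path):
            raise PermissionError("file is outside every registered download folder")
        if session_id is None and not self.allow_non_session_downloads:
            raise PermissionError("non-session downloads are disabled")
        return self._sign(file_path, session_id)

    def verify_download(self, file_path, session_id, token, current_session):
        # A session-bound token is only honoured by the session it was issued to.
        if session_id and session_id != current_session:
            return False
        if not session_id and not self.allow_non_session_downloads:
            return False
        return (hmac.compare_digest(token, self._sign(file_path, session_id))
                and self.is_downloadable(file_path))
```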

The Studio

We changed DataFlex Studio so that the creation of a new WebApp project automatically generates a new 40 character value for psEncryptPassword and sets it in the project’s WebApp.src. This ensures that each new WebApp will have a unique password. You may change this password at any time. The Studio will not change existing web applications’ passwords – you must change them yourself.

The WebOrder Example

The only code change actually required in our WebOrder example was to create a unique encryption password. All of the other changes in upload/download folders and encryption changes required no code changes to the sample. Creating an encryption password was a special case because the exact same sample will be installed in many places. We had to deal with the issue that psEncryptPassword should be different for each installation. We solved this by adding special code to the sample that generates a unique password upon first use. This is a specialized technique that was only needed because this is a sample. This should not be something you will have to worry about in your code – where you can simply set a password in code.

We also modified the file upload example (DemoFileUpload.wo) to use the new standardized UploadFolder function.

The Server Installation

The Server installation still installs the WebOrder example, but now sets it to Disabled by default. This allows developers and Data Access Support personnel to easily use WebOrder as a diagnostic tool but keeps it out of the way until and unless it is needed.

This combination of security improvements provides better underlying encryption while allowing you to exert much better control over which file streaming functions are allowed in your application and their scope of use.

What You Should Do Now

We strongly recommend that you download and install the new releases appropriate to your applications now. Note that the new releases are not updates; you must first uninstall the existing 17.1 and/or 18.0 builds and then reinstall the newer builds. Please follow these specific steps defined for DataFlex 18.0 (the same steps apply to 17.1 as well):

  1. Stop the Web Application Server using the Administrator
  2. Exit any other running DataFlex 18.0 programs (especially the Studio)
  3. Uninstall the DataFlex 18.0.20.10 build (or 18.0.20.11 if you had installed an earlier update)
  4. Either reboot the machine or use the Management Console to restart IIS
  5. Make sure that nothing is left behind in the root folder (default is C:\Program Files\DataFlex 18.0) or the Examples folder (C:\DataFlex 18.0 Examples)
  6. Install DataFlex 18.0.20.15
  7. Open each existing web application in the Studio and it will automatically update to the latest JavaScript engine.
  8. Determine which of the new properties or capabilities are appropriate for your application requirements and set them appropriately. If you do not make any code changes your application will run as designed as long as any upload or download functionality expects to use the default locations for those operations. If your application expects to use additional or alternate locations for file uploads or downloads you must make changes to allow those operations.


If you have any questions about this notice, please contact us directly at support@dataaccess.com and we will answer your questions.

Data Access Worldwide