SECURITY ALERT!!! Adobe CS3 - Home Folder Share Browsing

Posted

Argh!!

Just found a glaringly big security hole in Adobe CS3..

Open Dreamweaver (or Flash, etc.) and then File - Open..

Using the "Up" icon you can go all the way up the share tree.

Eg: Pupil1 is mapped to H: drive using \\server\pupils\year xx\pupil1

Using the "Up" icon in the Open dialog you can go all the way up to \\server\

But wait, there's more..

Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders.

Looks like the same problem as Office 2003 had..

Can't find any mention from a quick Google, so wondering if anyone here has come across this and/or a solution.

Posted
> Argh!! wrote:
> Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders

Surely this should be prevented by permissions?

A pupil here has read permissions on the folder containing all the home drives, but these are not inherited and so the pupil can go no further, as they have Modify on their home folder, but no more.

Posted
> Argh!! wrote:
> Just found a glaringly big security hole in Adobe CS3..
> Open Dreamweaver (or Flash, etc.) and then File - Open..
> Using the "Up" icon you can go all the way up the share tree
> Eg: Pupil1 is mapped to H: drive using \\server\pupils\year xx\pupil1
> Using the "Up" icon in the Open dialog you can go all the way up to \\server\
> But wait, there's more..
> Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders
> Looks like the same problem as Office 2003 had..
> Can't find any mention from a quick Google, so wondering if anyone here has come across this and/or a solution

Then the permissions are wrong. I'd suggest you install and enable Access Based Enumeration, but that's not going to do anything while the students have permissions over another student's folder.

Students will only need Read/Traverse for "This folder only" on those folders between the share root and their folder. Then they only need permissions on their own folder.

It's not a security issue in CS3 or any other app. Correct permissions and Access Based Enumeration turned on will mean the server doesn't even show the other users' folders.

Posted

I assume you have My Documents redirection to point to their H: drive. Does the policy actually redirect to the drive letter H:, or to the equivalent UNC path that the H: drive also happens to be mapped to?
I also assume there is a reason you haven't simply applied security permissions on the folder hierarchy so they can't browse to it?

Posted

Have checked permissions - All folders only have Read & Execute, List & Read set (inherited), and individual pupils only have FC access to their OWN folder.

My GPO also denies them the rights to browse the network manually (typing the path into Explorer brings back a disallowed error).

Still looking...

Posted
> Have checked permissions - All folders only have Read & Execute, List & Read set (inherited), and individual pupils only have FC access to their OWN folder.
> My GPO also denies them the rights to browse the network manually (typing the path into Explorer brings back a disallowed error).
> Still looking...

Seems ok here.... We have also hidden all our shares so they can't do anything when they get to server level.

Posted
> Have checked permissions - All folders only have Read & Execute, List & Read set (inherited), and individual pupils only have FC access to their OWN folder.
> My GPO also denies them the rights to browse the network manually (typing the path into Explorer brings back a disallowed error).
> Still looking...

The GPO settings only affect Explorer and applications that use it; anything using its own file menus will be unrestricted. It's more for convenience than security.

What do the permissions show for the user that can get into the other folders? Is the file actually deleted, or does it just say it's deleted and then it comes back after a refresh?

You can use the Effective Permissions tab under Security to see what a user will get on that folder.

Posted
No problems here, students have access to any other folder than their own. Looks like you have a permissions-related problem.
Posted

I've had this as well. Here it did it under both Office 2007 and FreeMind.

After some poking around in the NTFS permissions, I removed the NETWORK account from the student folder permissions, which solved it.

I don't understand why these apps are using the NETWORK account, and it may be there is a good reason, but from my limited understanding, I'm not aware of any.

Posted

Indeed I agree with DMcCoy...

Installing Access Based Enumeration on the file servers is a very good idea - we use it on ALL of our servers for that little extra bit of security from snooping students.

Personally though, I would look at sitting down and spending a while checking all your NT security permissions and share permissions.

Also, $ all your shares if you don't already do so.

Posted (edited)

> Pupil can then go back down the tree into \\server\pupils\year yy\pupil3 and delete files & folders

As others have said, your security permissions are clearly not tight enough.

Assuming you use the following example groups, further down is what I suggest permissions should be like:

StaffLocal - staff members
StaffStudWriteLocal - used for staff members that need write permissions to student home folders
StudentLocal - student accounts
StudentYearXLocal - relevant year group for student accounts

RootOfShare$           > Perms: StaffLocal = Read, StaffStudWriteLocal = Read,
  |                             StudentLocal = Traverse (under advanced)
  |
  |-- YrGrp            > Perms: StaffLocal = Read, StaffStudWriteLocal = Read,
        |                       StudentLocal = Traverse
        |
        |--- StudentName > Perms: StaffLocal = Read, StaffStudWriteLocal = Write,
                                  StudentUser = Modify

Also, as suggested above, do install Access Based Enumeration - this will result in users only being able to see files and folders that they have access to.

You will notice I suggested "Modify" permissions for student accounts. This is specifically so that they cannot possibly have the "Take ownership" right on objects within their home folder. When we find something untoward in a student's home folder, e.g. a pornographic picture, we set a deny permission entry on it and we only delete it after disciplinary steps (if needed) have been done. The downside is that setting Modify instead of Full Control means empty .TMP files will be created in the root of the student's home folder. These are hidden files of 0 KB in size and Microsoft says you can safely ignore them. As they are hidden, our students don't know they are there.

Edited by Tamarside
Added dots to replace the spaces the forum stripped away, as by stripping away the spaces it RUINED my lovely tree-view! ;-P
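As an added example (not posted by anyone in this thread), the following PowerShell script applies the layout Tamarside sketches above and DMcCoy describes earlier (Read/Traverse "This folder only" on the intermediate folders, Modify only on the student's own folder), then audits every student folder for write or delete rights held by anyone else, such as the NETWORK account mentioned above. It assumes the share root \\server\pupils and year folder 'year xx' from the thread, a placeholder domain SCHOOL, the thread's group names, and that each student folder is named after the student's account.

```powershell
# Added example, not from any post in this thread. Assumptions: share root \\server\pupils,
# year folder 'year xx', domain 'SCHOOL' (placeholder), group names as in Tamarside's post,
# and student folder name == student account name.
$Root = '\\server\pupils'; $Domain = 'SCHOOL'; $YearFolder = Join-Path $Root 'year xx'
$Admins = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function New-Rule([string]$Identity, [string]$Rights, [switch]$ThisFolderOnly) {
    # "This folder only" = no inheritance flags; otherwise the ACE flows to subfolders and files
    $flags = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $flags, 'None', 'Allow')
}

function Set-FolderRules([string]$Path, $Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs so NETWORK/Users cannot leak in
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

$adminRules = $Admins | ForEach-Object { New-Rule $_ 'FullControl' }

# RootOfShare$ and YrGrp: staff Read, students Traverse only, all "This folder only"
foreach ($p in @($Root, $YearFolder)) {
    Set-FolderRules $p ($adminRules + @(
        (New-Rule "$Domain\StaffLocal" 'Read' -ThisFolderOnly),
        (New-Rule "$Domain\StaffStudWriteLocal" 'Read' -ThisFolderOnly),
        (New-Rule "$Domain\StudentLocal" 'Traverse' -ThisFolderOnly)))
}

# StudentName folders: Modify (not Full Control) so the student never gets Take Ownership
foreach ($dir in Get-ChildItem -Path $YearFolder -Directory) {
    Set-FolderRules $dir.FullName ($adminRules + @(
        (New-Rule "$Domain\StaffLocal" 'Read'),
        (New-Rule "$Domain\StaffStudWriteLocal" 'Write'),
        (New-Rule "$Domain\$($dir.Name)" 'Modify')))
}

# Audit: any Allow ACE granting write/delete/ownership rights to an unexpected principal is a finding
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'
foreach ($dir in Get-ChildItem -Path $YearFolder -Directory) {
    $expected = $Admins + "$Domain\StaffStudWriteLocal" + "$Domain\$($dir.Name)"
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $WriteMask) -ne 0) -and
            $expected -notcontains $ace.IdentityReference.Value) {
            Write-Warning "$($dir.FullName): $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
}
```

The script replaces each folder's inherited ACEs with the explicit ones above, so try it against a copy of one year folder first; the audit loop at the end can also be run on its own to check an existing tree before changing anything.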