Skip to main content
BuyLog In
ASP.NET Web Forms Controls
Search in…
Docs > ASP.NET WebForms Controls > File Management > File Manager > Concepts > Security Issues
A newer version of this page is available. .
All docs
V18.2
ASP.NET Controls and MVC Extensions
Prerequisites
What's Installed
Common Concepts
ASP.NET WebForms Controls
Getting Started
Grid View
Tree List
Card View
Reporting
Chart Control
Pivot Grid
Spreadsheet
Rich Text Editor
Scheduler
Site Navigation and Layout
HTML Editor
Gauges
Vertical Grid
Data Editors
Docking and Popups
File Management
Product Information
File Manager
Overview
Concepts
Root Folder
Thumbnails
View Modes
Custom Columns
Toolbar
Adaptivity
Uploading Files
File Download
Context Menu
Access Control Overview
File System Providers
Security Issues
Visual Elements
Member Tables
Examples
File Upload
Data and Image Navigation
Multi-Use Site Controls
Spell Checker
Query Builder
ASP.NET MVC Extensions
Localization
Redistribution and Deployment
Get More Help
.NET Framework API Reference
Client API Reference
Download CHM

Security Considerations

  • 2 minutes to read

By default, the ASPxFileManager control keeps thumbnails in the public “~\Thumb" folder where every subfolder corresponds to a file manager folder containing images. A subfolder name is created using an MD5 (Message Digest 5) algorithm based on a source folder’s relative path and thumbnail size (e.g., for a file with the path ~\Content\User1\ MyPhoto.jpg, a thumbnail will be created with the path ~\Thumb\4b4a00930e767e8d70506b9ce2eb123a\MyPhoto.jpg.png.


<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
     <Settings RootFolder="~\Content\" ThumbnailFolder="~\Thumb\" />
</dx:ASPxFileManager>

FileManager_ThumbnailsSecurity

A subfolder is created and populated with thumbnails when they should be displayed for the first time. Before a thumbnail is created, a file manager checks for the existence of a thumbnail with the required path and name, and if found, uses that existent thumbnail.

Important

The described behavior can cause the following issues.

  • If one knows a prohibited file’s name and path, he/she can access the file thumbnail by converting the path using an MD5 hash and pasting it to the browser address line.
  • If the FileManagerSettings.RootFolder property is changed dynamically (e.g., for different users), the relative paths and file names can coincide for files with different content. In this case, ASPxFileManager does not create a new thumbnail and uses an existing one. So a file can have the wrong thumbnail.

Therefore, if you implement a multi-user application or dynamically change the root folder, you are required to dynamically specify a thumbnail folder (the FileManagerSettings.ThumbnailFolder property) based on the currently logged-in user.


<dx:ASPxComboBox ID="ASPxComboBox1" runat="server" AutoPostBack="True" SelectedIndex="0">
     <Items>
          <dx:ListEditItem Text="Common" Value="Common files" Selected="True" />
          <dx:ListEditItem Text="User 1" Value="User1" />
          <dx:ListEditItem Text="User 2" Value="User2" />
          <dx:ListEditItem Text="User 3" Value="User3" />
     </Items>
</dx:ASPxComboBox>
<dx:ASPxFileManager ID="ASPxFileManager1" runat="server">
     <Settings RootFolder="~/Content/Common files" ThumbnailFolder="~/Content/Thumbs/Common files" />
</dx:ASPxFileManager>

We also recommend you set restricted access for these thumbnail folders.

See Also