Security of aspx pages

description

The pages inside the layout directory are not secure. Suppose you have a partly anonymous site with some subsites using FBA; users can register themselves via the anonymous part. If the URL is known, users are able to edit users and roles.

e.g. I can go to this location and sign in as administrator http://server/_layouts/FBA/Management/RolesDisp.aspx but I can also access this page whatever user I am (root site is anonymous).

I think the pages should be secured in the Page_Load, e.g. by the following code:
    using System;
    using Microsoft.SharePoint;

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            // SPWeb.CurrentUser is null for anonymous requests, so this throws when nobody is signed in.
            string sUserName = SPContext.Current.Web.CurrentUser.LoginName;
        }
        catch
        {
            // Not signed in: redirect to the standard access-denied page.
            this.Response.Redirect("/_layouts/accessdenied.aspx");
        }
    }
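The snippet above only establishes that a caller is signed in; every registered FBA user would still pass it. The following is an added example, not code from the original post or from the FBA management pages themselves, of how an application page can refuse anonymous callers and then require an explicit permission before it renders. It assumes the page derives from Microsoft.SharePoint.WebControls.LayoutsPageBase, and the choice of SPBasePermissions.ManageWeb as the right needed to manage users and roles is an assumption; the class name RolesManagementPage is made up for the example.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Added example (not code from the original post). The page name and the
// required right are assumptions chosen for illustration.
public class RolesManagementPage : LayoutsPageBase
{
    // LayoutsPageBase rejects anonymous requests by default; state it
    // explicitly so the intent survives later refactoring.
    protected override bool AllowAnonymousAccess
    {
        get { return false; }
    }

    // Right the base class verifies before the page runs. ManageWeb is an
    // assumed choice for a user/role management page; use the narrowest
    // right that actually covers the operations the page performs.
    protected override SPBasePermissions RightsRequired
    {
        get { return SPBasePermissions.ManageWeb; }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        SPWeb web = SPContext.Current.Web;

        // Repeat the check the base class is expected to have made, so the
        // page stays closed even if it is later re-based on
        // UnsecuredLayoutsPageBase or reached through a different route.
        if (web.CurrentUser == null ||
            !web.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
        {
            // Produces SharePoint's standard access-denied response
            // (the redirect to accessdenied.aspx) rather than continuing.
            SPUtility.HandleAccessDenied(new UnauthorizedAccessException());
            return;
        }

        // Only an authenticated user holding ManageWeb reaches this point.
        string loginName = web.CurrentUser.LoginName;
        // Render the roles UI for loginName here.
    }
}
```

The authentication test is the null check on CurrentUser rather than a caught NullReferenceException, and the authorization test is a separate, positive permission check; the two failures are reported the same way so the page leaks nothing about which one tripped.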
