Preventing unauthenticated users from viewing sys_attachment images with URL.

MarkyMark1
Tera Expert

The following property is supposed to restrict unauthenticated users from accessing images in the sys_attachments table, but if you have the URL to the sys_id with the iix extension, anyone can still view such an image, which is a hole our security team is requiring be closed.

 

glide.image_provider.security_enabled

https://docs.qualityclouds.com/qcd/the-glide-image_provider-security_enabled-system-property-is-set-...

 

https://docs.servicenow.com/bundle/tokyo-platform-security/page/administer/security/reference/restri...

 

Here is one such 

MarkyMark1_1-1665515075890.png

 

Using the URL's sys_id with the iix extension, anyone can view this image without being prompted to log in. (Including resulting image as URL likely won't be up when you read this.)

https://dev88033.service-now.com/a5d3c898c3222010ae17dd981840dd8b.iix

 

MarkyMark1_0-1665514998885.png

 

The information provided in the SN docs doesn't appear to be valid, or I'm missing something. Hopefully someone has some ideas.

 

Thanks.

 

 

2 REPLIES

Mike_R
Kilo Patron

This sounds like a big issue/bug. I would open a support ticket as well. I'm curious of the resolution so please keep us posted.

 

But according to https://docs.servicenow.com/bundle/sandiego-platform-user-interface/page/administer/navigation-and-u...

 

The db_image table is a public table that does not have any security restrictions. Unauthenticated users have full access to images uploaded to the db_image table.

Images vs attachments

If you want to access an image from a record, or if you want to prevent users from appending the image name to the URL of the instance, upload it as an attachment instead. When you upload an image as an attachment, the image is saved in the Attachments [sys_attachment] table.

Tony Chatfield1
Kilo Patron

Hi, I see the same behaviour in a PDI, and removing the OOB 'Public' ACL and adding a generic 'Nobody' ACL with answer = false does not resolve the issue.
I would suspect something to do with an allowance for portal imagery for non-logged-in users, but not being able to disable access via 'glide.image_provider.security_enabled' is a concern as this sys_property appears to be the OOB solution.
I would recommend that you log a security case with ServiceNow Support.
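
A repeatable check for the behaviour discussed in this thread, added here as an example and not part of any poster's reply or of ServiceNow's own tooling: it requests an attachment URL on your own instance with no cookies or credentials, without following redirects, and reports whether image bytes came back. The function names and result labels are hypothetical, and treating a redirect or a 401/403 as the protected outcome is an assumption about how a locked-down instance answers.

```python
import urllib.error
import urllib.request

# Leading bytes of common image formats (PNG, JPEG, GIF).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def classify(status, headers, body):
    """Classify a response to a request sent without a session.

    headers: dict with lower-case keys; body: first bytes of the payload.
    """
    ctype = headers.get("content-type", "").lower()
    if status in (301, 302, 303, 307, 308):
        return "redirected"    # sent elsewhere, typically a login page
    if status in (401, 403):
        return "denied"
    if status == 200 and (ctype.startswith("image/") or body.startswith(IMAGE_MAGIC)):
        return "exposed"       # image content served to an anonymous client
    return "inconclusive"      # e.g. 200 with an HTML login form; inspect by hand


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None            # surface the 3xx as an HTTPError, do not follow it


def check_url(url, timeout=10):
    """Fetch url anonymously (no cookies, no auth header) and classify it."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, raw, body = resp.status, resp.headers, resp.read(16)
    except urllib.error.HTTPError as err:
        status, raw, body = err.code, err.headers, b""
    headers = {k.lower(): v for k, v in raw.items()}
    return classify(status, headers, body)


if __name__ == "__main__":
    # Constructed responses, not captured from a real instance.
    samples = [
        (200, {"content-type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
        (302, {"location": "/login"}, b""),
    ]
    for status, headers, body in samples:
        print(status, classify(status, headers, body))
```

Run `check_url` against a known `.iix` attachment URL before and after changing the property or ACLs, so the support case can state exactly which settings still return `exposed`.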