Direct access to attachments through URL without authentication

HelioGabrenha
Giga Contributor

Hi guys,

Have you guys experienced accessing the following url:

https://<your_instance>.service-now.com/<sys_id>.iix

Where <sys_id> can be ANY attachment sys_id and the file is displayed inline on the browser (if the browser is able to).

I have researched that "iix" is used to display images, but using the method above, any file type can be accessed and, a bit worse, you don't need to be authenticated on the instance.

I found that there is a system property that forces all attachments to be downloaded and not displayed inline.

The property is found in System Properties > Security


glide.ui.attachment.force_download_all_mime_types

Even with this option turned on, the URL above displays the attachment content inline.

Is there any way to block this direct access?

8 REPLIES

Michael Ritchie
ServiceNow Employee

Helio, can you please verify the URL, as I am NOT able to reproduce this on my instance based on your example. What version is your instance on?


Sorry, I forgot to mention that.

I am using Istanbul Patch 5 Hot Fix 1



Today, I got a reply from HI telling me that there is a system property called "glide.image_provider.security_enabled" that, when set to true, requires login to access attachments.


Despite the fact that the property is named "image_provider", it does work for files other than images.

The only problem that I am facing now is that, when the URL is opened and authenticated, the file content is displayed inline, even when I have set "glide.ui.attachment.force_download_all_mime_types" to true.


Roger James
Tera Contributor

Hi



If you provide the url as a reference to the sys_attachment you will need authentication to access (and download) the attachment.



e.g. https://<your_instance>.service-now.com/sys_attachment.do?sys_id=<sys_id>
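
An added example, not part of the original thread and not ServiceNow code: a response check an instance owner could run against a test attachment after changing the two properties discussed above, covering both the `.iix` and `sys_attachment.do` URL forms. The `Response` class, the sample responses and the `/login` path are constructed, and how a given instance answers an unauthenticated request (401, 403 or a redirect) is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Constructed stand-in for an HTTP response (status code and headers only)."""
    status: int
    headers: dict = field(default_factory=dict)

def header(resp, name):
    # Header names are case-insensitive, so compare them lowercased.
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def served_content(resp):
    """True when the response hands over the file rather than a login challenge."""
    if resp.status != 200:
        return False  # 401/403 or a 3xx redirect to a login page
    # Assumption: the probe attachment is not HTML, so 200 text/html is a login form.
    ctype = header(resp, "Content-Type").split(";")[0].strip().lower()
    return ctype != "text/html"

def forced_download(resp):
    """True when Content-Disposition tells the browser to save, not render."""
    disposition = header(resp, "Content-Disposition").split(";")[0].strip().lower()
    return disposition == "attachment"

def audit(anonymous, authenticated):
    """Return findings for one attachment URL fetched without and with a session."""
    findings = []
    if served_content(anonymous):
        findings.append("readable without authentication")
    if served_content(authenticated) and not forced_download(authenticated):
        findings.append("rendered inline for an authenticated user")
    return findings

# Constructed responses, not captured from a real instance.
PDF_INLINE = Response(200, {"Content-Type": "application/pdf"})
PDF_SAVE = Response(200, {"content-type": "application/pdf",
                          "content-disposition": 'attachment; filename="probe.pdf"'})
LOGIN_REDIRECT = Response(302, {"Location": "/login"})

if __name__ == "__main__":
    print(audit(PDF_INLINE, PDF_INLINE))      # both problems from the thread
    print(audit(LOGIN_REDIRECT, PDF_INLINE))  # login enforced, still inline
    print(audit(LOGIN_REDIRECT, PDF_SAVE))    # neither finding
```
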


agopalrao
Mega Contributor
heliogabrenha

I have the same use case. Did you find the solution for it?