
Direct access to attachments through URL without authentication

HelioGabrenha
Giga Contributor

Hi guys,

Have you guys experienced accessing the following URL:

https://<your_instance>.service-now.com/<sys_id>.iix

Where <sys_id> can be ANY attachment sys_id and the file is displayed inline on the browser (if the browser is able to).

I have researched that "iix" is used to display images, but using the method above, any file type can be accessed and, a bit worse, you don't need to be authenticated on the instance.

I found that there is a system property that enforces all attachments to be downloaded and not displayed inline.

The property is found in System Properties > Security


glide.ui.attachment.force_download_all_mime_types

Even with this option turned on, the URL above displays the attachment content inline.

Is there any way to block this direct access?

8 REPLIES

MarkyMark1
Tera Expert

I'm still seeing the same issue even with the property glide.image_provider.security_enabled set to true.

petep-cts
Tera Contributor

We are seeing the issue on our end too. Has anybody found a solution?

Hi @petep-cts,

What is the value of this system property?
glide.image_provider.security_enabled
This should be true.
https://docs.servicenow.com/en-US/bundle/vancouver-platform-security/page/administer/security/refere...


It is set to true. Images uploaded as attachments require authentication. However, images that are inserted in the HTML editor are still accessible publicly without authentication.
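
A check an administrator could run against their own instance after changing the properties discussed in this thread, added here as an example and not part of any post above. It requests the `.iix` URL with no session cookie and without following redirects. How an instance signals denial is an assumption: redirects and 401/403/404 count as denied, a 200 with a non-HTML body counts as exposed, and anything else is left for manual review.

```python
import re
import sys
import urllib.error
import urllib.request

SYS_ID = re.compile(r"^[0-9a-fA-F]{32}$")      # assumed sys_id shape: 32 hex chars
INSTANCE = re.compile(r"^[A-Za-z0-9-]+$")      # instance name only, no dots or paths

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it to a login page

def classify(status, content_type):
    """Map an unauthenticated response to 'exposed', 'denied' or 'review'."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status in (401, 403, 404) or 300 <= status < 400:
        return "denied"
    if status == 200 and ctype and ctype != "text/html":
        return "exposed"   # file content served to a client with no session
    return "review"        # e.g. 200 text/html: login page or an HTML attachment

def check(instance, sys_id, timeout=10):
    """Fetch https://<instance>.service-now.com/<sys_id>.iix without credentials."""
    if not INSTANCE.match(instance) or not SYS_ID.match(sys_id):
        raise ValueError("expected an instance name and a 32-hex-character sys_id")
    url = f"https://{instance}.service-now.com/{sys_id}.iix"
    opener = urllib.request.build_opener(_NoRedirect)  # no cookie handler installed
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Content-Type"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type"))

if __name__ == "__main__":
    # usage: python check_iix.py <your_instance> <sys_id> [<sys_id> ...]
    instance, ids = sys.argv[1], sys.argv[2:]
    results = {sid: check(instance, sid) for sid in ids}
    for sid, verdict in results.items():
        print(f"{sid}  {verdict}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Passing sys_ids for both a regular record attachment and an image inserted through the HTML editor covers the two cases the last reply distinguishes.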