Direct access to attachments through URL without authentication

HelioGabrenha
Giga Contributor

Hi guys,

Have you guys experienced accessing the following URL:

https://<your_instance>.service-now.com/<sys_id>.iix

Where <sys_id> can be ANY attachment sys_id and the file is displayed inline in the browser (if the browser is able to).

I have researched that "iix" is used to display images, but using the method above, any file type can be accessed and, a bit worse, you don't need to be authenticated on the instance.

I found that there is a system property that forces all attachments to be downloaded and not displayed inline.

The property is found in System Properties > Security:

glide.ui.attachment.force_download_all_mime_types

Even with this option turned on, the URL above displays the attachment content inline.

Is there any way to block this direct access?

8 REPLIES

MarkyMark1
Tera Expert

I'm still seeing the same issue even with the property glide.image_provider.security_enabled set to true.

petep-cts
Tera Contributor

We are seeing the issue on our end too. Has anybody found a solution?

Hi @petep-cts ,

What is the value of this system property?
glide.image_provider.security_enabled
This should be true.
https://docs.servicenow.com/en-US/bundle/vancouver-platform-security/page/administer/security/refere...


It is set to true. Images uploaded as attachments require authentication. However, images that are inserted in the HTML editor are still accessible publicly without authentication.
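
Added example (not code from any poster in this thread or from ServiceNow): a check an instance admin can run against their own instance after changing the properties above, to confirm whether a known attachment sys_id is still served at `/<sys_id>.iix` to a client with no session. The function names, the `expected_mime` parameter, and the treatment of 3xx/401/403 as "authentication required" are assumptions of this sketch.

```python
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, expected_mime):
    """Classify the response to a request that carried no session cookie."""
    h = {k.lower(): v for k, v in headers.items()}
    # Assumption: a blocked request is refused outright or redirected to a login page.
    if status in (401, 403) or 300 <= status < 400:
        return "auth-required"
    if status != 200:
        return "not-served"
    # A 200 with a different type (e.g. an HTML login page) is not the file itself.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != expected_mime.lower():
        return "other-content"
    # Distinguish the forced-download behaviour from inline display.
    if h.get("content-disposition", "").lower().startswith("attachment"):
        return "public-download"
    return "public-inline"


def check(instance, sys_id, expected_mime, timeout=10):
    """Request https://<instance>.service-now.com/<sys_id>.iix with no credentials."""
    url = f"https://{instance}.service-now.com/{sys_id}.iix"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()), expected_mime)
    except urllib.error.HTTPError as e:
        return classify(e.code, dict(e.headers.items()), expected_mime)


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real instance).
    samples = [
        (200, {"Content-Type": "image/png"}),
        (200, {"Content-Type": "image/png", "Content-Disposition": "attachment; filename=a.png"}),
        (302, {"Location": "/constructed-login-page"}),
        (200, {"Content-Type": "text/html;charset=UTF-8"}),
    ]
    for status, headers in samples:
        print(status, headers, "->", classify(status, headers, "image/png"))
```

Running `check()` once for an image uploaded as an attachment and once for an image inserted through the HTML editor covers both cases the replies above distinguish.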