Any possibility to segregate the admin portion of the web interface from the general interface?
codewzrd @ Fri Mar 28 14:52:54 EET 2014 So we were asked by our information security team if CrushFTP has separate interfaces for the admin portion and the general user interface. If not, what do you recommend to make sure that the internet-facing CrushFTP server will never be allowed to show the admin screens?
Also, when I enter this URL, http://localhost:9090/WebInterface/admin/index.html, and I am logged in as a regular user, I get a page with just a "loading server prefs...". They will definitely flag this. I think if you are not an admin going to the admin URL, you should be taken back to the home page.
spinkb @ Fri Mar 28 15:02:28 EET 2014 The admin controls are done at the server, not browser. If you try and request some admin item and are not an admin, your request is thrown away.
Everything in the "WebInterface" folder is public. It's the UI for the browser, what the browser runs to talk to CrushFTP, but unless you log in and have an admin role, you can't make admin calls to the server. The server will deny them.
So they can flag it, but they are incorrect if they do.
CrushFTP is not a web app server with all the security vulnerabilities that go with a web app server.
Use IP restrictions for your admin accounts if you're worried about your password for a secret username being given out. Don't use common usernames like "admin" or "administrator". Use something personal and unique, and a good password. Set some IP restrictions on your account so it's worthless for an outside user to attempt to use it.
It's intentional that the admin interface is exposed externally.
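The server-side model spinkb describes (UI files under WebInterface are public; admin calls are rejected unless the logged-in account has the admin role and, if restricted, comes from an allowed IP), as an added Python illustration that is not CrushFTP's own code. The /api/admin/ prefix, the account table and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Static browser UI lives under this prefix and is served to everyone,
# as the reply describes for the "WebInterface" folder.
PUBLIC_UI_PREFIX = "/WebInterface/"
# Hypothetical prefix for server-side admin calls (not a real CrushFTP path).
ADMIN_API_PREFIX = "/api/admin/"

# Constructed account table: role plus the IP ranges the account may be used from.
ACCOUNTS = {
    "jsmith-ops": {"role": "admin", "allowed_from": ["10.0.0.0/8"]},
    "jdoe": {"role": "user", "allowed_from": []},  # empty list = no restriction
}


@dataclass
class Request:
    path: str
    username: Optional[str]  # None when nobody is logged in
    source_ip: str


def ip_allowed(account: dict, source_ip: str) -> bool:
    """An account with no allow-list may be used from anywhere."""
    if not account["allowed_from"]:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in account["allowed_from"])


def authorize(req: Request) -> str:
    """Return 'public', 'serve' or 'deny' for one request.

    The decision is made at the server from the caller's role and source
    address, never from whether the admin HTML could be fetched.
    """
    if req.path.startswith(ADMIN_API_PREFIX):
        account = ACCOUNTS.get(req.username)
        if account is None or account["role"] != "admin":
            return "deny"  # not an admin: the request is thrown away
        if not ip_allowed(account, req.source_ip):
            return "deny"  # admin account used from outside its IP restriction
        return "serve"
    if req.path.startswith(PUBLIC_UI_PREFIX):
        return "public"  # UI files are public, including admin/index.html
    return "deny"
```

The point of the model is that fetching admin/index.html anonymously is harmless; only the admin API call carries authorization, and the IP restriction makes a leaked admin password insufficient on its own.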