
Any possibility to segregate the admin portion of the web interface from the general interface?

codewzrd @ Fri Mar 28 14:52:54 EET 2014
So we were asked by our information security team whether CrushFTP has separate interfaces for the admin portion and the general user interface. If not, what do you recommend for making sure that the internet-facing CrushFTP server will never be allowed to show the admin screens?

Also when I enter this url, http://localhost:9090/WebInterface/admin/index.html, and I am logged in as a regular user, I get a page with just a "loading server prefs...". They will definitely flag this. I think if you are not an admin going to the admin URL, you should be taken back to the home page.

Thanks.

spinkb @ Fri Mar 28 15:02:28 EET 2014
The admin controls are done at the server, not the browser. If you try to request some admin item and are not an admin, your request is thrown away.

But if you want to load the public UI of CrushFTP, which is plain HTML, CSS and JavaScript, there is no possible harm from this. This public UI is available for anyone to download; it's out in the open. It always has been. It's not "secret" in any way.

Everything in the "WebInterface" folder is public. It's the UI for the browser, what the browser runs to talk to CrushFTP. But unless you log in and have an admin role, you can't make admin calls to the server. The server will deny them.

So they can flag it, but they are incorrect if they do.

CrushFTP is not a web app server with all the security vulnerabilities that go with a web app server.

Use IP restrictions for your admin accounts if you're worried about your password for a secret username being given out. Don't use common usernames like "admin" or "administrator". Use something personal and unique, and a good password. Set some IP restrictions on your account so it's worthless for an outside user to attempt to use it.

It's intentional that the admin interface is exposed externally.

Thanks,
Ben
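The model Ben describes, shown as an added illustration that is not CrushFTP's own code: static files under `/WebInterface/` are served to anyone, while privileged calls are checked at the server for an admin role and, following his advice, for a client IP inside the account's allowlist. The `/admin-api/` prefix, the `Session` type, the account name and the networks are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session: who is logged in, with which roles, from where."""
    user: str
    roles: frozenset
    client_ip: str


# Constructed sample policy: each admin account is only usable from a management network.
ADMIN_IP_ALLOWLIST = {"ops_ben": [ip_network("10.0.0.0/24")]}

# The static browser UI (HTML/CSS/JS) is public; privileged calls live under a separate prefix.
PUBLIC_STATIC_PREFIX = "/WebInterface/"
ADMIN_CALL_PREFIX = "/admin-api/"  # hypothetical name, not a real CrushFTP endpoint


def authorize(session, path):
    """Return the (status, body) the server would produce for this request.

    Static UI files are served regardless of login state, because they carry
    no server data. Admin calls are thrown away unless the session holds the
    admin role AND the request arrives from an allowlisted address.
    """
    if path.startswith(ADMIN_CALL_PREFIX):
        if session is None or "admin" not in session.roles:
            return 403, "admin call denied: not an admin"
        allowed = ADMIN_IP_ALLOWLIST.get(session.user, [])
        if not any(ip_address(session.client_ip) in net for net in allowed):
            return 403, "admin call denied: client IP outside allowlist"
        return 200, "server prefs"
    if path.startswith(PUBLIC_STATIC_PREFIX):
        return 200, "static ui"
    return 404, "not found"


if __name__ == "__main__":
    # Anonymous visitor fetching the admin HTML page gets only the static shell.
    print(authorize(None, "/WebInterface/admin/index.html"))
    # Regular user attempting the privileged call is refused by the server.
    print(authorize(Session("alice", frozenset({"user"}), "203.0.113.5"), "/admin-api/prefs"))
    # Admin from the management network succeeds; same admin from outside does not.
    print(authorize(Session("ops_ben", frozenset({"admin"}), "10.0.0.7"), "/admin-api/prefs"))
    print(authorize(Session("ops_ben", frozenset({"admin"}), "203.0.113.5"), "/admin-api/prefs"))
```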