Media.AlwaysIncludeServerUrl

One of the clients of the company I work for recently reported an issue with the media URLs generated by Sitecore:

“Security issue found on server by NGINX security server (Blocked Request 406). The hyphen needs to be removed from: ‘/-/media/setf/logos/header_logo.png’ as it is identified as Traversal Probe”

As you can see, they are using NGINX as a security layer in their network to reduce their exposure, although that is not its main purpose. You can find more information about NGINX in its official documentation.

The error message also refers to a “Traversal Probe”. A path traversal probe is a request that tries to reach files outside the root directory of the website. For instance, an attacker could try to request files outside “c:\inetpub\wwwroot” if this is an IIS server.

I personally don’t think this is possible or a real vulnerability, because of the latest IIS security measures, which don’t allow this, among other reasons. However, this post is about what you can do to stop generating these hyphen-prefixed URLs if this happens to you.

Fortunately for us, Sitecore has a setting that generates the media URLs as absolute URLs, that is, with the full path including the server.

Open the App_Config\Sitecore.config file, search for “Media.AlwaysIncludeServerUrl”, change its value to “true” and save the file. After Sitecore restarts the application, you will see the same file served with its absolute URL.
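As an added example that is not part of the original post, here is the same change expressed as a Sitecore config patch file, which is the usual way to override a setting without editing Sitecore.config directly (edits to Sitecore.config are lost on upgrade). The file name App_Config\Include\zMedia.AlwaysIncludeServerUrl.config is an assumption; any name in App_Config\Include works, and the leading "z" only makes it load after the other include files.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed location: App_Config\Include\zMedia.AlwaysIncludeServerUrl.config -->
<!-- Overrides the default (false) so media URLs are generated with the server URL. -->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <setting name="Media.AlwaysIncludeServerUrl">
        <patch:attribute name="value">true</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>
```

After deploying the file, confirm the merged value at /sitecore/admin/ShowConfig.aspx before relying on it.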

Keep in mind that enabling this setting can produce long URLs, especially if the media library has many nested folders.
