none
HP Publisher security violation and vulnerability on Windows Home Server RRS feed

  • Question

  • I want to provide remote access for family to some photos published on my Windows Home Server.

    I have used HP Photo Publisher to create a folder for viewing but encoutered the following two SERIOUS security vulerabilities:

    1. HP Photo Publisher automatically includes the "Users" shared folder in the list of folders that it scans and uploads photos from, even if no access is granted by WHS to that share or any of the individual user accounts below it. Furthermore there is no way to "uncheck" that folder; nor is the full list of  user folders shown, even if all are scanned and included; and all the photos, images, etc that HP Publisher includes and publishes is not shown for those folders. RESULT: HP Publisher scans the entire folder hierarchy under Users and silently and invisibly uploads every image and photo it finds, irrespective of permissions.

    2. Anyone granted remote access to your home server automatically has access to both HP Photo Viewer AND Publisher.

    3. A remote user is able to delete a photo froma collection while using VIEWER

    this allmeans that if a user, in good faith, makes some photos available; that any remote user can, in good faith, accidentally, or in bad faith, deliberately, create a new photo gallery and include content that is otherwise private and password protected by WHS.

    How is any of this possible? I can set user permissions to none, view-only or full-access for each user and WHS share, so why can't HP follow the same security protocol?

    Thursday, August 18, 2011 6:47 PM

All replies

  • Are you talking about Windosw Home Server 2011? If so, you may find you have set up a HomeGroup which your Server is joined to - HomeGroup permissions over ride individual WHS folder permissions
    Phil P.S. If you find my comment helpful or if it answers your question, please mark it as such.
    Thursday, August 18, 2011 7:17 PM
  • @OP: what you're complaining about is effectively "by design". HP intended for their software to work the way it does, and part of the"ease of use" is a lack of concern with security. The thought process was probably something like: After all, the only people one would expect a home server user to share their photos with are family and close friends, so a relatively "open" security architecture is fine. You will need to pursue this with HP, however, since that software was added by HP and only available on their servers. You may not have much luck, however, since HP no longer manufactures and sells Windows Home Server boxes.

    @Phil: No, he's not talking about Windows Home Server 2011. HP is out of that business as of late last year, remember?


    I'm not on the WHS team, I just post a lot. :)
    Friday, August 19, 2011 12:38 PM
    Moderator
  • Old post but for future reference when this pops up in searches refer to my original post below to fix these issues.

    I have been searching for the solution to this problem for a few days now.

    I think I found found last evening while doing some experimenting.  Basically I want only one account to be able to modify the Photo Viewer albums and be able to use Photo Publisher. So here is what I did.

    PART I: First I disabled the Photo Publisher page from external use
    .Remote Desktop to your WHS computer
    .Click on START -> Administrator Tools -> IIS Mananger
    .Find the Photo Publisher web site on the left side panel.
    .Right click on the web site and select properties.
    .Click the Directory Security tab and click the Deny Access button
    .Click add to add an exception range.  In my case I used a group of computers and entered my home network gateway address with a subnet of 255.255.255.0

    Now anyone on the Intranet with a WHS account will have access to the Photo Publisher.  Anyone on the Internet will get an error message when they click on the Photo Publisher link even if they have a WHS account.


    PART II: Disable access to edit Photo Viewer albums
    .Remote desktop to the WHS computer
    .Open a File Explorer window and navigate to the Photo Viewer folder in Program File\HP\....
    .Find the file named Web.config in the Photo Viewer folder.  Make a backup copy before you edit this.
    .Use Notepad to edit the file. It is an XML file.  There should be two sections with the Key <authorization>
    .I changed to first authorization key to the following:
        <authorization>
          <allow verbs="POST" users="Owner" />
          <deny verbs="POST" users="?" />
          <deny verbs="POST" users="*" />
          <allow users="?" />
          <allow users="*" />
        </authorization>
    This allows the POST action to the WHS account named Owner only.  The order is important.  You can add more accounts by seperating users with comma inside the quotes.
    The second <authorization> key under secure is OK as is.  Becuase a user can still login on one of the other HP button (Access files, etc.) and come back to the photo viewer page and be logged in.

    Now anytime a user other then 'Owner' trys to rename or delete or add captions to the photo album, the page will switch to the login page and they won't be able to login and the changes will not be saved.


    I hope this helps, I know I have read through many boards where others had the same question with no answers.

    Please copy and paste this freely to all boards that you know are having this issue.

    Epic

    Tuesday, March 18, 2014 3:55 AM