Re: Publishing document with semicolon in filename...

avillanueva · ‎Feb 24, 2023

Full disclosure. We are using reverse proxy and I did see and article linked below regarding this. I published a document where the primary content filename had a semicolon in the filename. When I attempted to view the details page, my authentication prompt was triggered and I saw this where the thumbnails should be. It still was able to launch Creo View but even then, auth prompt was thrown again. Weird enough to post about. I can see in my system that I have only a dozen cases of this. Publishing actually creates more since the Creo view files use the filename as its identity.

Found these in the knowledge base:

https://www.ptc.com/en/support/article/CS249568?source=search

https://www.ptc.com/en/support/article/CS314720?source=search

I know its messing up the URL somehow. I will check Apache logs to see but easy enough to tell users to not do this. Still seems like a bug that should be handled. Actually, what concerns me more is the possibility for injection of attack via the filename. Any white hats out there?

Marco_Tosin · ‎Feb 24, 2023

We had a similar problem a couple of weeks ago.

Just that morning I had been reading the support articles that I get on a daily basis.

Among those articles, one mentioned a problem opening PDF files due to a specific version of Acrobat Reader DC.

After an endless row of tests, we discovered that the problem this person had was confined to some PDFs, created as a result of scanning, that would not open by clicking directly on the thumbnail.

The problem did not occur if Windchill was configured in Http but only in Https, so we thought it was due to some strange font generated by the scanning being mistranslated by the reverse proxy

We solved the problem by opening the PDF file directly from the representations tab as per the attached image.

Marco

avillanueva · ‎Feb 24, 2023

Found article on web discussing potential vulnerability

https://superevr.com/blog/2011/three-semicolon-vulnerabilities

Says its been patched but perhaps reopened.

avillanueva · ‎Feb 24, 2023

Caught this in the background (PTC supplied) webserver in the access logs:

127.0.0.1 - - [24/Feb/2023:09:42:19 -0500] "GET /Windchill/servlet/WindchillGW/wt.fv.master.StandardMasterService/doDirectDownload/Report_-_Safety,_Reliabiltiy,_FMEA,_and_Derating;_8-7-2014_docx.jpg?folderId=1580573627&ft=FF&userid=6325&adId=1636797471&fileName=000000026a94a7&refsize=8190&mime=image/jpeg&mk=wt.fv.master.StandardMasterService&c=25&riid=-1&sT=1677249739&sign=mlsEEgwuLrLN9kZEcBxgMGKDV%2BI19WaUNuSCjQXllkY%3D&site<STOPPING HERE>

The Proxy server translated that portion to this:

Report_-_Safety%2C_Reliabiltiy%2C_FMEA%2C_and_Derating%3B_8-7-2014_docx.jpg?folderId

avillanueva · ‎Mar 24, 2023

I worked with tech support and my other server. We narrowed this down to the proxy server. We turned off publishing so that was not an issue. When I put the same files in my dev server which does not have a proxy, no issue. I am able to open the file just fine and no authentication issues.

With the proxy server, you cannot download it from web or with Windchill desktop Integration. We are still investigating but if you do not have a proxy, no issues.

Publishing document with semicolon in filename causes auth prompt when viewing thumbnail/pvs

Publishing document with semicolon in filename causes auth prompt when viewing thumbnail/pvs