Created attachment 131 [details] icals output **What steps will reproduce the problem?** Hello, I'm a security researcher and I've identified an issue in your product that I would like to report. During my research, I observed from the icacls output below that the entire C:\Orthanc directory, along with its subdirectories and files, allows users—including unprivileged users (authenticated users)—to write or overwrite files. This is evident as the "Authenticated Users" group possesses modify (M) permissions on these directories and files. To fix the issue where unprivileged users have write access to sensitive directories and files (such as C:\Orthanc), developers need to implement changes in the application or system configuration that manage access control and implement correct permissions. **What is the expected output? What do you see instead?** the expected output? C:\Windows\System32>icacls "C:\Orthanc" /T C:\Documents and Settings\*: Access is denied. Successfully processed 0 files; Failed processing 1 files What do you see instead? C:\Windows\System32>icacls "C:\Orthanc" /T C:\Orthanc BUILTIN\Administrators:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) C:\Orthanc\index BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) C:\Orthanc\index-wal BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) C:\Orthanc\WebViewerCache BUILTIN\Administrators:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) C:\Orthanc\WebViewerCache\cache.db BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) C:\Orthanc\WebViewerCache\cache.db-shm BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) C:\Orthanc\WebViewerCache\cache.db-wal BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Users:(I)(RX) NT AUTHORITY\Authenticated Users:(I)(M) Successfully processed 7 files; Failed processing 0 files **What version of the product are you using? On what operating system?** Orthanc server 1.12.3 OS: Microsoft Windows 11 Pro (10.0.22631 N/A Build 22631) Kind regards Mounir Aarab - NTT DATA Belgium
Hi Mounir, Thanks for your report. You mean that only the System and/or Administrator users shall have read/write access to C:\Orthanc in case Orthanc is running as a Windows service and therefore as a "System" user ? We are definitely not Windows expert so we don't know much about user management and how one can assign user rights to a folder when creating it. Moreover, our code is 99.999% cross platform and we do not focus on the Windows platform. Do you confirm that a user can modify the access rights of the C:\Orthanc folder after the installation is complete to achieve a correct handling of access rights ? BR, Alain