I am using cute web ui ajax uploader and recent security review shows the this control exposing the error message when the VFN param inrequest is tweaked or when trying to upload a malformed file with name say a file name "virus's''.docx"
I have set the HideDirectoryproperty true in webconfig with no luck (under appsettings)
The documentation states setting the above property should hide the file directory from displaying on errormessages http://ajaxuploader.com/document/index.htm?page=html/webconfig-appsettings.htm
Note: This is a web application in ASP.net 4.0 with CuteWebUI.AjaxUploader.dll 3.0version
Any pointers would be highly appreciated.
The issue turned out be bad documentation from CuteWebUI team The documentation mentions about setting HideDirectory property in app settings true and the example shows
"<add key="CuteWebUI.AjaxUploader.HideDirectory" value="true" />"
The real issue is the property value is case sensitive(counter intuitive enough). If the following property is set under AppSettings Section in webconfig the directory path in the errors can be masked fixing the security flaw.
<add key="CuteWebUI.AjaxUploader.HideDirectory" value="True" />