bjk68
Posts: 55
Joined: Tue Dec 01, 2009 12:45 pm

Security issue with backup copy Web.config.back

When the file Web.config is updated by Advanced Installer, and the option to create a backup file is enabled (recommended), the file Web.config.back is created, or web.config.1.back if it is already present.

A webserver ignores requests for files with the ".config" extension, but requests for files with the extension ".back" are NOT ignored. :shock: This poses a security risk, because the config file "Web.config.back" will be visible to our users.

Please can you change the way a backup copy is created, so the extension remains the same. E.g. Web.back.config or Web.1.back.config.

Another problem is that a backup copy is always created, even if there are no modifications necessary. :?

Best regards,

Bart
mihai.petcu
Posts: 3860
Joined: Thu Aug 05, 2010 8:01 am

Re: Security issue with backup copy Web.config.back

Hello Bart,

The reason behind the current extension naming convention is that we needed to differentiate between backup files and the actual files used by your application. Changing the extension would completely avoid the possibility of your application consuming a backup file.

I have discussed this issue with our development team and we will consider your suggestions for a future version. Thank you for your feedback and for helping us make Advanced Installer a better product.

Meanwhile, you can disable the backup or you can create your own custom action that renames the backup file (CMD, VBScript, etc.). This custom action should be scheduled after the WriteEnvironmentStrings standard action.

All the best,
Mihai
Mihai Petcu - Advanced Installer Team
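A sketch of the rename workaround discussed above, added here as an example and not part of either post or of Advanced Installer: it finds `Web.config.back` / `Web.config.<n>.back` files under a site root and renames them to the `.config`-terminated form proposed in the first post. The `$WebRoot` default and the `Get-SafeBackupName` helper are assumptions for illustration.

```powershell
# Added example, not Advanced Installer code. Run without -Rename to audit only.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\MyApp',  # assumed site root, adjust to your install
    [switch]$Rename                                  # rename instead of only reporting
)

# Matches <name>.config.back and <name>.config.<n>.back, the backup names described in the thread.
$pattern = '^(?<base>.+)\.config(?:\.(?<n>\d+))?\.back$'

# Hypothetical helper: maps Web.config.back -> Web.back.config and
# Web.config.1.back -> Web.1.back.config, so the file still ends in ".config".
function Get-SafeBackupName {
    param([string]$Name)
    if ($Name -match $pattern) {
        $base = $Matches['base']
        if ($Matches.ContainsKey('n')) {
            return "$base.$($Matches['n']).back.config"
        }
        return "$base.back.config"
    }
    return $null   # not a config backup, leave it alone
}

Get-ChildItem -LiteralPath $WebRoot -Recurse -File -Filter '*.back' | ForEach-Object {
    $newName = Get-SafeBackupName -Name $_.Name
    if (-not $newName) { return }          # skip unrelated .back files

    $target = Join-Path $_.DirectoryName $newName
    if (Test-Path -LiteralPath $target) {
        # Never overwrite an earlier backup; report it so it can be handled by hand.
        Write-Warning "Skipping $($_.FullName): $newName already exists"
    }
    elseif ($Rename) {
        Rename-Item -LiteralPath $_.FullName -NewName $newName
        Write-Output "Renamed $($_.FullName) -> $newName"
    }
    else {
        Write-Output "Servable config backup: $($_.FullName) (would become $newName)"
    }
}
```

Run in audit mode, the same script doubles as a check for leftover backups on servers installed with versions that still use the `.back` suffix.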
Dan
Posts: 4513
Joined: Wed Apr 24, 2013 3:51 pm

Re: Security issue with backup copy Web.config.back

Hello,

This was fixed in version 14.9 of Advanced Installer released on May 24th, 2018.

Best regards,
Dan
Dan Ghiorghita - Advanced Installer Team