Unrestricted access to ImageResizer Diagnostics plugin - Vulnerability Database

Unrestricted access to ImageResizer Diagnostics plugin

Description

The ImageResizer Diagnostics plugin is publicly accessible without requiring authentication. This plugin provides detailed system information, configuration details, and diagnostic data about the ImageResizer installation. Unrestricted access to this administrative interface allows unauthorized users to view sensitive technical information that could aid in further attacks.

Remediation

Restrict access to the ImageResizer Diagnostics plugin by implementing authentication and authorization controls. The recommended approach is to disable the plugin in production environments or limit access to authorized IP addresses only.

To disable the plugin, remove or comment out the Diagnostics plugin registration in your configuration:

<resizer>
  <plugins>
    <!-- Remove or comment out this line -->
    <!-- <add name="Diagnostics" /> -->
  </plugins>
</resizer>

Alternatively, if the plugin is needed, restrict access using web server configuration. For IIS, add IP restrictions in web.config:

<location path="resizer.debug">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="127.0.0.1" allowed="true" />
        <add ipAddress="YOUR_ADMIN_IP" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>

Verify the plugin is no longer publicly accessible by attempting to access the diagnostics endpoint without authentication.
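As an added example (not code from this page or from ImageResizer), the following Python audit parses a web.config and reports when the Diagnostics plugin is registered without an ipSecurity restriction on the resizer.debug path; the three sample configurations are constructed to match the weak, restricted and disabled states described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from any real deployment).
WEAK_CONFIG = """<configuration>
  <resizer>
    <plugins>
      <add name="Diagnostics" />
    </plugins>
  </resizer>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <resizer>
    <plugins>
      <add name="Diagnostics" />
    </plugins>
  </resizer>
  <location path="resizer.debug">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>"""

DISABLED_CONFIG = """<configuration><resizer><plugins>
  <!-- <add name="Diagnostics" /> -->
</plugins></resizer></configuration>"""


def audit_diagnostics(web_config_xml: str) -> list[str]:
    """Return findings; empty means Diagnostics is unregistered or IP-restricted."""
    root = ET.fromstring(web_config_xml)  # commented-out <add> lines are not parsed
    registered = any(
        add.get("name", "").lower() == "diagnostics"
        for add in root.findall("./resizer/plugins/add")
    )
    # Only a <location> for resizer.debug whose ipSecurity denies unlisted IPs counts.
    restricted = any(
        ipsec.get("allowUnlisted", "true").lower() == "false"
        for loc in root.findall("./location")
        if loc.get("path", "").lower().startswith("resizer.debug")
        for ipsec in loc.iter("ipSecurity")
    )
    if registered and not restricted:
        return ["Diagnostics plugin registered and resizer.debug not IP-restricted"]
    return []
```

If the plugin must stay enabled, the ipSecurity section requires the IIS IP and Domain Restrictions feature to be installed, and the section is commonly locked in applicationHost.config, so a site-level web.config override only takes effect once it has been unlocked.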
