Security Considerations

By default, the ASPxFileManager control keeps thumbnails in the public "~\Thumb\" folder, where every subfolder corresponds to a file manager folder containing images. A subfolder name is generated with the MD5 (Message Digest 5) algorithm from the source folder's relative path and the thumbnail size. For example, for a file with the path ~\Content\User1\MyPhoto.jpg, a thumbnail is created with the path ~\Thumb\4b4a00930e767e8d70506b9ce2eb123a\MyPhoto.jpg.png.

A subfolder is created and populated with thumbnails when they are displayed for the first time. Before creating a thumbnail, the file manager checks whether a thumbnail with the required path and name already exists and, if so, uses the existing thumbnail.


The described behavior can cause the following issues.

  • If someone knows a prohibited file's name and path, they can access the file's thumbnail by converting the path using an MD5 hash and pasting the result into the browser's address bar.
  • If the FileManagerSettings.RootFolder property is changed dynamically (e.g., for different users), the relative paths and file names can coincide for files with different content. In this case, ASPxFileManager does not create a new thumbnail and uses the existing one, so a file can be displayed with the wrong thumbnail.

Therefore, if you implement a multi-user application or dynamically change the root folder, you must dynamically specify a thumbnail folder (the FileManagerSettings.ThumbnailFolder property) based on the currently logged-in user.

We also recommend that you restrict access to these thumbnail folders.
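
One way to assign a per-user thumbnail folder, shown as an added example that is not DevExpress code. The page class `UserFiles`, the control ID `fileManager`, the `ThumbnailFolderKey` setting and the `UserFolderToken` helper are assumptions; the folder name is an HMAC of the user name under a server-side key, so it cannot be computed from the user name alone.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.UI;

// Code-behind for a hypothetical UserFiles.aspx that declares
// <dx:ASPxFileManager ID="fileManager" runat="server" />.
public partial class UserFiles : Page
{
    // Assumed appSettings key holding a Base64-encoded random secret (32+ bytes).
    private const string KeySetting = "ThumbnailFolderKey";

    protected void Page_Init(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            // Do not fall back to a shared thumbnail folder for anonymous requests.
            fileManager.Visible = false;
            return;
        }

        // Settings.RootFolder is assumed to be set per user elsewhere in the application.
        fileManager.Settings.ThumbnailFolder =
            "~/Thumb/" + UserFolderToken(User.Identity.Name) + "/";
    }

    // Maps a user name to a fixed-length hex folder name that is safe in a path
    // (no '\', '@' or other characters a login name may contain).
    private static string UserFolderToken(string userName)
    {
        // Throws if the key is missing, so a misconfigured site fails closed.
        byte[] key = Convert.FromBase64String(ConfigurationManager.AppSettings[KeySetting]);
        using (var hmac = new HMACSHA256(key))
        {
            // Assumption: user names are case-insensitive in this application.
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(userName.ToUpperInvariant()));
            // First 16 bytes of the MAC as 32 lowercase hex characters.
            return BitConverter.ToString(mac, 0, 16).Replace("-", "").ToLowerInvariant();
        }
    }
}
```

The keyed folder name separates users' thumbnail caches; it does not replace the access restriction recommended above, which still has to be applied to the thumbnail folders themselves.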
