
Everyone can read upload folder content


I didn't find any answer in the forum, so I'm asking a new question.

I'm on Vanilla 3.3, PHP 7.3 behind Apache and HAProxy. It works pretty well.

My forum is a private one; only registered users can see discussions and categories.

However, I have a little security issue when users upload files. Anyone can read the upload folder content if they have the full path.

The only way I found to block these unwanted reads is to put a 403 through an .htaccess file for the uploads folder.

Of course, this solution blocks everyone, and all my uploaded attachments cannot be read by anyone, not even registered users.

Does anyone have an idea how to solve this issue?

