Attachments 2.0 Security bug!

jazjaz
edited December 2006 in Vanilla 1.0 Help
It seems that a user who is not allowed to access a certain category can still download the attachments in that category by logging in and entering the attachment download address in the web browser:

http://www.site.com/vanilla/?PostBackAction=Download&AttachmentID=1
Figuring out the attachment IDs is not very hard, since they seem to be sequential. Could we get a quick fix for this, since it's quite critical? I'm going to look into it myself as well, because the fix cannot be very difficult to do.

BR,
Johan

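The flaw described above is a plain insecure direct object reference: the download handler checks that an AttachmentID exists but never asks whether the requesting user may read the category the attachment lives in. The following is an added example, not code from the Attachments plugin or from Vanilla; it uses a constructed in-memory stand-in for the attachment, discussion and category tables, and the function names (downloadVulnerable, downloadHardened, enumerate) are hypothetical. It shows the vulnerable lookup next to a hardened one that resolves attachment to discussion to category and checks the role's category permissions, then enumerates sequential IDs the way the original post describes to show what each version leaks.

```php
<?php
// Added example (not the Attachments 2.0 plugin's code): an insecure direct
// object reference in an attachment download handler, and a hardened form.
// All data below is constructed; function names are hypothetical.

// Attachments belong to discussions, discussions belong to categories, and
// each role may only read certain categories.
$attachments = [
    1 => ['DiscussionID' => 10, 'Name' => 'public-notes.txt'],
    2 => ['DiscussionID' => 20, 'Name' => 'staff-salaries.xls'],
    3 => ['DiscussionID' => 99, 'Name' => 'orphaned.bin'],   // discussion deleted
];
$discussions = [
    10 => ['CategoryID' => 1],   // category 1: readable by everyone
    20 => ['CategoryID' => 2],   // category 2: staff only
];
$roleCategories = [
    'member' => [1],
    'staff'  => [1, 2],
];

// Vulnerable handler: only checks that the ID points at a real row, so any
// logged-in user can walk AttachmentID=1,2,3,... and fetch every file,
// regardless of the category it was posted in.
function downloadVulnerable(array $attachments, int $attachmentId): ?string
{
    if (!isset($attachments[$attachmentId])) {
        return null;
    }
    return $attachments[$attachmentId]['Name'];
}

// Hardened handler: resolve the attachment to its discussion and category and
// require that the requesting role may read that category. Missing and
// forbidden IDs both yield the same "nothing" result, so an enumerating user
// cannot tell which IDs exist in categories they are blocked from.
function downloadHardened(
    array $attachments,
    array $discussions,
    array $roleCategories,
    string $role,
    int $attachmentId
): ?string {
    if (!isset($attachments[$attachmentId])) {
        return null;
    }
    $discussionId = $attachments[$attachmentId]['DiscussionID'];
    if (!isset($discussions[$discussionId])) {
        return null;   // orphaned attachment: deny rather than serve it
    }
    $categoryId = $discussions[$discussionId]['CategoryID'];
    $allowed    = $roleCategories[$role] ?? [];
    if (!in_array($categoryId, $allowed, true)) {
        return null;   // category not permitted for this role
    }
    return $attachments[$attachmentId]['Name'];
}

// Walk the ID space the way an attacker would and collect what the handler
// hands back. Use this against a test install to confirm a fix actually
// closes the hole for a low-privilege account.
function enumerate(callable $handler, int $maxId): array
{
    $leaked = [];
    for ($id = 1; $id <= $maxId; $id++) {
        $name = $handler($id);
        if ($name !== null) {
            $leaked[$id] = $name;
        }
    }
    return $leaked;
}

// A plain member hitting the vulnerable handler gets everything, including
// the staff-only file and the orphaned one.
$memberVulnerable = fn(int $id) => downloadVulnerable($attachments, $id);
print_r(enumerate($memberVulnerable, 5));

// The same member against the hardened handler only gets category 1's file.
$memberHardened = fn(int $id) =>
    downloadHardened($attachments, $discussions, $roleCategories, 'member', $id);
print_r(enumerate($memberHardened, 5));

// Staff still get both files in categories 1 and 2, but not the orphan.
$staffHardened = fn(int $id) =>
    downloadHardened($attachments, $discussions, $roleCategories, 'staff', $id);
print_r(enumerate($staffHardened, 5));
```

Two design points carry over to a real forum: the authorization check must happen in the same code path that serves the file (a check on the discussion page alone does nothing for a direct download URL), and a download whose discussion or category cannot be resolved should be refused rather than served, since an orphaned row has no permission context at all.
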
Comments

  • I fixed the problem in my own version of Vanilla by adding a few lines to the DownloadAttachment method of the Attachments 2.0 plugin's default.php file:

    if( $Attachment->AttachmentID > 0 ) {
        /// jaz changes start
        // Look up the discussion the attachment belongs to. The check relies on
        // GetDiscussionById returning nothing for discussions in categories the
        // current user's role may not read, so "no result" means "no access",
        // not merely "no such row". $this->Context is used here because a bare
        // $Context is not in scope inside the method.
        $DiscussionManager = $this->Context->ObjectFactory->NewContextObject($this->Context, 'DiscussionManager');
        $DiscussionData = $DiscussionManager->GetDiscussionById($Attachment->DiscussionID);
        if(!$DiscussionData) {
            // if we cannot fetch the discussion data, we should not be allowed to download
            // the attached file either!
            die();
        }
        /// jaz changes end
        $this->DelegateParameters['DownloadAttachment'] = &$Attachment;
        $this->CallDelegate('DownloadAttachment');
        $Path = str_replace(basename($Attachment->Path), '', $Attachment->Path);
        SaveAsDialogue($Path, $Attachment->Name);
    } else {
        die();
    }
    Hopefully this can be of some help for those looking for a quick-fix for this security issue. No warranty whatsoever, but it seems to work for me.
  • Could we have a comment from Jazzman on this?
  • Thanks jaz :) I've added the security fix to the new release (which will be available for download soon)
  • You're welcome. I'm glad I could help.
  • edited December 2006
    How could I get the same security check (if not logged in, no access to the attachment) with Attachments 1.4? I can't update to v2 as I need the attachments to be folder based... Thanks in advance
This discussion has been closed.