
Attachments 2.0 Security bug!

jazjaz
edited December 2006 in Vanilla 1.0 Help
It seems that a user who is not allowed to access a certain category can still download the attachments in that category by logging in and entering the attachment download address in the web browser:

http://www.site.com/vanilla/?PostBackAction=Download&AttachmentID=1
Figuring out the attachment IDs is not very hard, since they seem to be sequential. Could we get a quick fix for this, since it's quite critical? I'm going to look into it myself as well, because the fix cannot be very difficult to do.

BR,
Johan

Comments

  • I fixed the problem in my own version of Vanilla by adding a few rows into the DownloadAttachment method of the Attachments 2.0 plugin's default.php file:

    if ($Attachment->AttachmentID > 0) {
        /// jaz changes start
        // Resolve the discussion the attachment belongs to through the
        // DiscussionManager, which applies the current user's category
        // permissions. $this->Context is the plugin's context object (the
        // posted snippet passed a bare $Context here, which is not defined
        // inside the method).
        $DiscussionManager = $this->Context->ObjectFactory->NewContextObject($this->Context, 'DiscussionManager');
        $DiscussionData = $DiscussionManager->GetDiscussionById($Attachment->DiscussionID);
        if (!$DiscussionData) {
            // If we cannot fetch the discussion data, we should not be allowed
            // to download the attached file either!
            die();
        }
        /// jaz changes end
        $this->DelegateParameters['DownloadAttachment'] = &$Attachment;
        $this->CallDelegate('DownloadAttachment');
        $Path = str_replace(basename($Attachment->Path), '', $Attachment->Path);
        SaveAsDialogue($Path, $Attachment->Name);
    } else {
        die();
    }
    Hopefully this can be of some help for those looking for a quick-fix for this security issue. No warranty whatsoever, but it seems to work for me.
  • Could we have a comment from Jazzman on this?
  • Tnx jaz :) I've added the security fix to the new release (which will be available for download soon)
  • You're welcome. I'm glad I could help.
  • edited December 2006
    How could I enable the same security issue (if not logged in, no access to the attachment) with Attachment 1.4? I can't update to v2 as I need the attachment to be folder based... Thanks in advance
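The defect reported in the opening post is an authorization check tied to the wrong object: the download handler verifies that an AttachmentID exists but never asks whether the caller may view the discussion (and so the category) it belongs to. The following stand-alone PHP script is an added illustration of that pattern and of the shape of the fix; it is not code from the Attachments plugin or from any post in this thread. The in-memory tables, the user records, the role names and the function names are all constructed for the example. The hardened function mirrors the fix above by resolving attachment -> discussion -> category and refusing to serve the file unless the current user may view that category; the `canViewCategory` helper stands in for the permission filtering that the Vanilla DiscussionManager applies in the real fix.

```php
<?php
// Added example, not Vanilla or Attachments-plugin code. All data is constructed.

// Constructed "tables": attachments belong to discussions, discussions to categories.
$attachments = [
    1 => ['DiscussionID' => 10, 'Name' => 'public.pdf',  'Path' => '/uploads/public.pdf'],
    2 => ['DiscussionID' => 20, 'Name' => 'private.pdf', 'Path' => '/uploads/private.pdf'],
];
$discussions = [10 => ['CategoryID' => 1], 20 => ['CategoryID' => 2]];
// Category 1 is visible to the 'member' role; category 2 only to 'staff'.
$categoryRoles = [1 => ['member', 'staff'], 2 => ['staff']];

// Vulnerable pattern: a logged-in user with any valid AttachmentID gets the file.
function downloadAttachmentVulnerable(array $user, int $attachmentId, array $attachments): ?string
{
    if (!isset($attachments[$attachmentId])) {
        return null;                                  // unknown id: nothing served
    }
    return $attachments[$attachmentId]['Path'];       // served regardless of category
}

// Permission lookup the hardened handler relies on (constructed role model).
function canViewCategory(array $user, int $categoryId, array $categoryRoles): bool
{
    return isset($categoryRoles[$categoryId])
        && in_array($user['Role'], $categoryRoles[$categoryId], true);
}

// Hardened pattern: authorize against the object the attachment hangs off, at access time.
function downloadAttachmentSecure(
    array $user, int $attachmentId, array $attachments, array $discussions, array $categoryRoles
): ?string {
    if (!isset($attachments[$attachmentId])) {
        return null;
    }
    $attachment = $attachments[$attachmentId];
    $discussion = $discussions[$attachment['DiscussionID']] ?? null;
    // Orphaned attachment, or a discussion the caller may not view: deny and record it.
    if ($discussion === null || !canViewCategory($user, $discussion['CategoryID'], $categoryRoles)) {
        error_log(sprintf('attachment download denied: AttachmentID=%d user=%s',
            $attachmentId, $user['Name']));
        return null;
    }
    return $attachment['Path'];
}

// Demo: a 'member' requesting consecutive IDs, the access pattern the original post describes.
$member = ['Name' => 'alice', 'Role' => 'member'];
foreach ([1, 2, 3] as $id) {
    $before = downloadAttachmentVulnerable($member, $id, $attachments) ?? 'denied';
    $after  = downloadAttachmentSecure($member, $id, $attachments, $discussions, $categoryRoles) ?? 'denied';
    printf("AttachmentID=%d  vulnerable: %-20s  hardened: %s\n", $id, $before, $after);
}
```

Run it with `php example.php`: ID 1 is served by both handlers, ID 2 is served only by the vulnerable one, and ID 3 does not exist. The denied attempt on ID 2 is also written to the error log, which is the signal a site operator would want to see if someone is walking the ID space. Making the IDs non-sequential would slow enumeration down but would not fix the bug; the authorization check at the download path is the fix.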
This discussion has been closed.