MaMo Net

[Edit task] Bug #377 Details
[Security] Attachments can be downloaded without permission

I configured a group that is allowed to read a forum but not allowed to download an attachment from it's posts. The attachment was displayed to a user of the restricted group so he did know that there was an attachment.

He couldn't download it from the forum view because the link was missing for him. So he requested the link from a user that had the permission to download attachments and he could download it with that link too.

Since attachments are identified by id only it's very simple to guess or download any attachment that exists simply by downloading any attachment that has ever been uploaded or by guessing it's id by comparing it to an attachment with a similiar upload date.

I consider this a security hole. If you can configure a group to not beeing allowed to download an attachment it should no be possible to download it with a direct link that even uses Viscacha to do so.


atttachment download security group

Closed (ass. to MaMo)

   High


beko

27.05.2010, 18:41

Fixed

11 Jul 2010 14:25

MaMo

0.8

0.8.1

  100 %

Minimal change

 Changes history
DateUserAction
27.05.2010, 18:41bekoOpened task
02.06.2010, 19:45MaMoChanged status (New → Acknowledged)
  Changed description
  Changed due version ( → 0.8.1)
  Changed estimated cost (Average work → Minimal change)
11.07.2010, 14:25MaMoChanged description
  Changed category (Code parser → Security)
  Changed assigned user ( → MaMo)
  Changed close reason (None → Fixed)
  Changed status (Acknowledged → Closed)
  Changed percent complete (0 % → 100 %)

Alle Zeitangaben in GMT +02:00. Aktuelle Uhrzeit: 20:42.