Bug #377 Details
[Security] Attachments can be downloaded without permission
I configured a group that is allowed to read a forum but not allowed to download an attachment from its posts. The attachment was displayed to a user of the restricted group, so he did know that there was an attachment.
He couldn't download it from the forum view because the link was missing for him. So he requested the link from a user that had the permission to download attachments, and he could download it with that link too.
Since attachments are identified by id only, it's very simple to guess or download any attachment that exists, simply by downloading any attachment that has ever been uploaded or by guessing its id by comparing it to an attachment with a similar upload date.
I consider this a security hole. If you can configure a group to not be allowed to download an attachment, it should not be possible to download it with a direct link that even uses Viscacha to do so.
Tags: attachment, download, security, group
Status: Closed (assigned to MaMo)
Opened by: beko
Opened: 27.05.2010, 18:41
Close reason: Fixed
Closed: 11 Jul 2010 14:25
Assigned to: MaMo
Version: 0.8
Due version: 0.8.1
Estimated cost: Minimal change
High
Percent complete: 100 %
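The check the report asks for, as an added PHP example that is not Viscacha's code: the attachment handler resolves the requested id to the forum it belongs to and applies the requesting group's download permission before sending a single byte, so a direct link is subject to the same rule as the forum view. The table and column names, the `forum_permissions` layout, the `$db` PDO connection and the `$my->groupId` property are assumptions made for this illustration.

```php
<?php
// Added illustration (not Viscacha's code). Assumed schema:
//   attachments(id, post_id, filename, stored_path)
//   posts(id, forum_id)
//   forum_permissions(group_id, forum_id, download_attachments)
declare(strict_types=1);

/** Resolve an attachment id to its file and owning forum (assumed schema). */
function loadAttachment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT a.id, a.filename, a.stored_path, p.forum_id
           FROM attachments a
           JOIN posts p ON p.id = a.post_id
          WHERE a.id = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Per-forum, per-group download permission (assumed table). */
function groupMayDownload(PDO $db, int $groupId, int $forumId): bool
{
    $stmt = $db->prepare(
        'SELECT download_attachments FROM forum_permissions
          WHERE group_id = :g AND forum_id = :f'
    );
    $stmt->execute([':g' => $groupId, ':f' => $forumId]);
    $allowed = $stmt->fetchColumn();
    return $allowed !== false && (int) $allowed === 1;
}

/** Send the stored file; basename() keeps the stored name from acting as a path. */
function sendFile(array $att): void
{
    $name = str_replace('"', '', basename($att['filename']));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($att['stored_path']);
}

/**
 * The shape the report describes: the file is served as soon as the id
 * resolves. Hiding the link in the forum view changes nothing here, because
 * the decision is never made in the place that actually hands out the bytes.
 */
function serveAttachmentUnchecked(PDO $db, int $id): void
{
    $att = loadAttachment($db, $id);
    if ($att === null) {
        http_response_code(404);
        return;
    }
    sendFile($att);
}

/**
 * Hardened shape: authorization is decided on the object the id resolves to,
 * inside the handler, before sendFile() is reached. A shared or guessed link
 * therefore gets the same answer as the forum view.
 */
function serveAttachmentChecked(PDO $db, int $id, int $groupId): void
{
    $att = loadAttachment($db, $id);
    if ($att === null) {
        http_response_code(404);
        return;
    }
    if (!groupMayDownload($db, $groupId, (int) $att['forum_id'])) {
        // Deny and record it: many denials across consecutive ids from one
        // account is the guessing pattern the report describes, and the log
        // line is what lets an operator notice it.
        error_log(sprintf('attachment %d: download denied for group %d', $id, $groupId));
        http_response_code(403);
        return;
    }
    sendFile($att);
}

// Entry point, assuming a request of the form attachment.php?id=123 and that
// the application bootstrap has already created $db (PDO) and $my (current user).
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}
serveAttachmentChecked($db, $id, (int) $my->groupId);
```

The point of the two handler shapes is that the fix belongs in the handler, not in the link: making ids unguessable would not have stopped the case in the report, where the link was simply passed on by a user who was allowed to have it. Whatever the permission model looks like, the handler must re-derive the forum from the attachment and ask the same question the forum view asks.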

| Date | User | Action |
|---|---|---|
| 27.05.2010, 18:41 | beko | Opened task |
| 02.06.2010, 19:45 | MaMo | Changed status (New → Acknowledged) |
| | | Changed description |
| | | Changed due version ( → 0.8.1) |
| | | Changed estimated cost (Average work → Minimal change) |
| 11.07.2010, 14:25 | MaMo | Changed status (Acknowledged → Closed) |
| | | Changed close reason (None → Fixed) |
| | | Changed assigned user ( → MaMo) |
| | | Changed category (Code parser → Security) |
| | | Changed description |
| | | Changed percent complete (0 % → 100 %) |
All times are GMT +01:00. Current time: 08:35.