
Attachments security issue (1.5.3 and 1.6) [Solution] | Forum

S. Bourdon Jan 15 '14
Hello,


Just found out that Oxwall simply saves attachments to comments using the following rule: attach_xx.ext, where xx is a number and ext is the file extension. The problem is that you can simply go to any Oxwall website, look in the ow_userfiles/plugins/base/attachments/ folder for attach_xx.jpg and access pictures that shouldn't be available publicly.


Here's an example, from the Oxwall Demo site:

http://demo.oxwall.org/ow_userfiles/plugins/base/attachments/attach_1.jpg



As a workaround, here's what I did.


Open ow_system_plugins\base\controllers\attachment.php


Replace:

$fileName = 'attach_' . $attachDto->getId() . '.' . UTIL_File::getExtension($_FILES['attachment']['name']);


With:

$addDatetime = time();

$fileName = 'attach_' . $attachDto->getId() . '_' . $addDatetime . '.' . UTIL_File::getExtension($_FILES['attachment']['name']);


Hope this helps!  :)

The Forum post is edited by Alia Jan 16 '14
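Added example, not Oxwall's own code and not from the post above: the three naming schemes discussed in this thread side by side, so the difference in how guessable each is can be seen. The original scheme uses a sequential id, so a visitor who knows one URL can walk the whole directory; the timestamp workaround helps, but time() only has one-second granularity, so bounding the upload time still leaves a small search space; a CSPRNG token makes the name infeasible to guess. The function names (oxwallStyleName, workaroundName, randomName, safeExtension, guessSpace) are assumptions for this demo, and the extension whitelist is a general hardening step, not a statement about what Oxwall itself validates.

```php
<?php
// Added example, not Oxwall's own code. The helper names below are
// assumptions for this demo, not Oxwall APIs.
declare(strict_types=1);

// 1. Original scheme from the post: attach_<id>.<ext>. The id is a sequential
//    database key, so anyone can enumerate attach_1.jpg, attach_2.jpg, ...
function oxwallStyleName(int $id, string $ext): string
{
    return 'attach_' . $id . '.' . $ext;
}

// 2. Workaround from the post: attach_<id>_<unix time>.<ext>. time() has
//    one-second granularity, so an attacker who can bound the upload to a
//    one-hour window faces only 3600 guesses per id (86400 for a day).
function workaroundName(int $id, int $uploadTime, string $ext): string
{
    return 'attach_' . $id . '_' . $uploadTime . '.' . $ext;
}

// 3. Hardened: keep the id for bookkeeping, but append 128 bits from the
//    CSPRNG. random_bytes() exists in PHP >= 7; on the PHP 5 releases that
//    Oxwall 1.5/1.6 ran on, openssl_random_pseudo_bytes() is the usual
//    substitute. The token must be stored in the attachment row, since it
//    cannot be recomputed from the id.
function randomName(int $id, string $ext): string
{
    $token = bin2hex(random_bytes(16)); // 32 hex chars, 2^128 possibilities
    return 'attach_' . $id . '_' . $token . '.' . $ext;
}

// General hardening: whitelist the extension instead of copying whatever the
// browser sent in $_FILES['attachment']['name'] into the on-disk name.
function safeExtension(string $clientName, array $allowed = ['jpg', 'jpeg', 'png', 'gif']): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException("extension not allowed: $ext");
    }
    return $ext;
}

// Rough size of the search space an attacker who already knows the id faces.
function guessSpace(string $scheme, int $windowSeconds = 3600): float
{
    switch ($scheme) {
        case 'original':   return 1.0;                    // nothing left to guess
        case 'workaround': return (float) $windowSeconds; // one guess per second
        case 'random':     return 2 ** 128;               // promoted to float by PHP
    }
    throw new InvalidArgumentException("unknown scheme: $scheme");
}

// Constructed sample input: a client-supplied file name with an upper-case extension.
$ext = safeExtension('photo.JPG');
printf("original:   %s  (guesses: %g)\n", oxwallStyleName(1, $ext), guessSpace('original'));
printf("workaround: %s  (guesses: %g)\n", workaroundName(1, time(), $ext), guessSpace('workaround'));
printf("random:     %s  (guesses: %g)\n", randomName(1, $ext), guessSpace('random'));
```

Run it with `php attachment_names.php`. An unguessable name only stops visitors who never saw the real URL; anyone the link is shared with, or any intermediary that logs it, can still fetch the file directly from ow_userfiles. The stronger fix is the one Alia hints at below: serve attachments through a controller that checks the viewer is allowed to see the comment, and keep the files outside the web root.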
Alia (Team) Jan 16 '14
Thanks for sharing.

We will improve the way attachments work some day. However, since this is a complex change, this is not going to happen soon.
Greg Apr 5 '14
I went to make these changes but in the new version the file is different. Did this move somewhere else or is there a different fix to use in 1.6.0? Thank you
Greg Apr 9 '14
Thank you. It works
For anyone looking for this fix in 1.6, the code can be found in ow_system_plugins/base/bol/attachment_service.php