https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Sat, 11 Apr 2026 15:05:04 +0000 Thu, 25 Nov 2004 16:29:29 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=12701 https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70329.html#70329 Author: BoNo
Subject: 12701
Posted: 25 November 2004 at 4:29pm

@-boRg-:
You missunderstood....I didn't want to put the attachments INSIDE the database, I only want put a "reference" to the real path+filename to the file and give the downloading user an ID, which is handled by a download.asp-script, streaming the file as "filename.ext" without the path where it cames from. This would give me the feature to store the files in an area, where a "normal" user never would gain access to (as proposed by Gullanian) over the web.
This would also give the forum the possibility to check the permissions for downloading this file (tlbAttachmend holds Att_ID, Thread_ID and the RealPathToFile) by Thread_ID.
The link would show like href="download.asp?ATID=4" which then checks the permissions for the Thread_ID stored in conjunction with this attachment.

My only problem is about the "garbaged files" when cancelling a posting after uploading.]]> Thu, 25 Nov 2004 16:29:29 +0000 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70329.html#70329 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70321.html#70321 Author: Gullanian
Subject: 12701
Posted: 25 November 2004 at 2:46pm

How about the option of uploading into a private folder and streaming the file to users that have legitimate access to the file?]]> Thu, 25 Nov 2004 14:46:07 +0000 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70321.html#70321 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70319.html#70319 Author: WebWiz-Bruce
Subject: 12701
Posted: 25 November 2004 at 2:40pm

Not so much a security hole, just something that you have to accept when using ASP.

If you upload something to a publicly accessible server you just have to accept that it is just that, 'publicly accessible'.

The only way to prevent this is to place a password on the directory the file is uploaded to.

As most people don't have access to the server they can not do this,and even if they can unless they have access to the server, orcomponents installed the forums permissions wouldn't be able to grantthem access to that folder.

If you do as you suggest and place the attachments in the database,this would be a huge performance hit, especially if using Access as thedatabase size would become very large and full of attachements.

As far as the attachment not deleting when you hit cancel, this againcan not be overcome with ASP alone and is more to do with the uploadcomponent and the way in which the stateless HTTP protocol works.

The attachment and image upload feature is only there as peoplerequested it, but I would recommend NOT to use if security is apriority as it does mean you have to set write permissions etc. on thefolder where the files are uploaded, as well as a number of othersecurity issues.
]]> Thu, 25 Nov 2004 14:40:55 +0000 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70319.html#70319 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70317.html#70317 Author: BoNo
Subject: 12701
Posted: 25 November 2004 at 1:52pm

Hi there,

regardless of the used upload-method there is a security hole in file-attachments. If I know the download link for a file submitted in a forum I have no regular access (i.g. permissions for me = none) I can download the file without any problems. Because the link is fully shown in the browsers url-bar when downloading (also in i.e. Excel), I have a good chance to get files from other members if I know the filename (maybe an user had access and now his account is deleted, if he knows the links he will have full access to the attachments).

In second, if I upload a file or image and then cancel the posting, the uploaded file remains on the server (garbage).

I'm currently working on my own "workaround" to solve the security issue, using a new table "tblAttachments". If someone has an allready done solution I would be happy to get a message.

]]> Thu, 25 Nov 2004 13:52:27 +0000 https://forums.webwiz.net/securityholes-in-attachments_topic12701_post70317.html#70317