Security-Holes in Attachments
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=12701
Printed Date: 11 April 2026 at 3:02pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Security-Holes in Attachments
Posted By: BoNo
Subject: Security-Holes in Attachments
Date Posted: 25 November 2004 at 1:52pm
Hi there,
Regardless of the upload method used, there is a security hole in file attachments. If I know the download link for a file submitted in a forum to which I have no regular access (e.g. permissions for me = none), I can download the file without any problems. Because the link is fully shown in the browser's URL bar when downloading (also in e.g. Excel), I have a good chance of getting files from other members if I know the filename (maybe a user had access and his account has since been deleted; if he knows the links he will still have full access to the attachments).
Secondly, if I upload a file or image and then cancel the post, the uploaded file remains on the server (garbage).
I'm currently working on my own "workaround" to solve the security issue, using a new table "tblAttachments". If someone has an already finished solution, I would be happy to get a message.
Replies:
Posted By: WebWiz-Bruce
Date Posted: 25 November 2004 at 2:40pm
Not so much a security hole, just something that you have to accept when using ASP.
If you upload something to a publicly accessible server you just have to accept that it is just that, 'publicly accessible'.
The only way to prevent this is to place a password on the directory the file is uploaded to.
As most people don't have access to the server, they cannot do this, and even if they can, unless they have access to the server or components installed, the forum's permissions wouldn't be able to grant them access to that folder.
If you do as you suggest and place the attachments in the database, this would be a huge performance hit, especially if using Access, as the database size would become very large and full of attachments.
As far as the attachment not deleting when you hit cancel, this again cannot be overcome with ASP alone and is more to do with the upload component and the way in which the stateless HTTP protocol works.
The attachment and image upload feature is only there because people requested it, but I would recommend NOT using it if security is a priority, as it does mean you have to set write permissions etc. on the folder where the files are uploaded, as well as a number of other security issues.
-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm
Posted By: Gullanian
Date Posted: 25 November 2004 at 2:46pm
How about the option of uploading into a private folder and streaming the file to users that have legitimate access to the file?
Posted By: BoNo
Date Posted: 25 November 2004 at 4:29pm
@-boRg-: You misunderstood... I didn't want to put the attachments INSIDE the database; I only want to put a "reference" to the real path+filename of the file and give the downloading user an ID, which is handled by a download.asp script that streams the file as "filename.ext" without the path it came from. This would give me the ability to store the files in an area where a "normal" user would never gain access over the web (as proposed by Gullanian). This would also give the forum the possibility to check the permissions for downloading this file by Thread_ID (tblAttachments holds Att_ID, Thread_ID and the RealPathToFile). The link would look like href="download.asp?ATID=4", which then checks the permissions for the Thread_ID stored in conjunction with this attachment.
My only problem is the "garbage files" left behind when cancelling a post after uploading.
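The gateway BoNo sketches above, as an added example that is neither Web Wiz Forums code nor BoNo's own implementation: a stand-in for his tblAttachments keyed by an opaque Att_ID, a handler standing in for download.asp?ATID=... that checks the requester's permission on the owning Thread_ID before streaming, and a basename-only Content-Disposition so the RealPathToFile (and any path characters in the client's filename) never reach the browser. It also goes one step beyond the post: because rows are created with no Thread_ID until the post is saved, the same table lets a periodic sweep delete the uploads left behind by cancelled posts. It is written in Python rather than classic ASP so it runs stand-alone; the permission levels, column names, the 1-hour grace period and the two sample threads are all assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

NONE, READ = 0, 1  # assumed permission levels on a thread (none / read)


@dataclass
class Attachment:
    """One row of the hypothetical tblAttachments."""
    att_id: int               # Att_ID: the only value the client ever sees
    thread_id: Optional[int]  # Thread_ID: None until the post is submitted
    real_path: str            # RealPathToFile: outside anything the web server serves
    filename: str             # display name, used for Content-Disposition only
    uploaded_at: float


class AttachmentStore:
    def __init__(self, private_dir: str) -> None:
        self.private_dir = private_dir
        self.rows: Dict[int, Attachment] = {}  # in-memory stand-in for the table
        self._next_id = 1

    def save_upload(self, filename: str, data: bytes, thread_id: Optional[int] = None,
                    now: Optional[float] = None) -> int:
        """Store bytes under a server-chosen name; the client's filename is kept
        for display only and never becomes part of a path. A post that is saved
        later would set thread_id on the row; a cancelled one leaves it None."""
        att_id, self._next_id = self._next_id, self._next_id + 1
        real_path = os.path.join(self.private_dir, f"{att_id}.bin")
        with open(real_path, "wb") as fh:
            fh.write(data)
        stamp = now if now is not None else time.time()
        self.rows[att_id] = Attachment(att_id, thread_id, real_path, filename, stamp)
        return att_id

    def purge_orphans(self, max_age_s: float, now: Optional[float] = None) -> int:
        """Delete uploads whose post was never submitted (thread_id None) and that
        are older than max_age_s; returns how many rows/files were removed."""
        now = now if now is not None else time.time()
        stale = [a for a in self.rows.values()
                 if a.thread_id is None and now - a.uploaded_at > max_age_s]
        for att in stale:
            if os.path.exists(att.real_path):
                os.remove(att.real_path)
            del self.rows[att.att_id]
        return len(stale)


def safe_download_name(name: str) -> str:
    """Basename only, with quotes, separators and control characters replaced,
    so the header can neither carry a path nor break out of the quoted value."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._ ")
    return base or "download"


def download(store: AttachmentStore, perms: Callable[[str, int], int],
             user: str, att_id: int) -> Tuple[int, Dict[str, str], bytes]:
    """Stand-in for download.asp?ATID=<att_id>: look up the row, check the
    user's permission on the owning thread, then stream the file."""
    att = store.rows.get(att_id)
    if att is None or att.thread_id is None:  # unknown ID or never-posted upload
        return 404, {}, b""
    if perms(user, att.thread_id) < READ:
        return 403, {}, b""
    with open(att.real_path, "rb") as fh:
        body = fh.read()
    headers = {"Content-Type": "application/octet-stream",
               "Content-Disposition":
                   f'attachment; filename="{safe_download_name(att.filename)}"'}
    return 200, headers, body


def demo() -> dict:
    """Constructed scenario: alice may read threads 1 and 2, bob only thread 2."""
    thread_perms = {1: {"alice": READ}, 2: {"alice": READ, "bob": READ}}

    def perms(user: str, thread_id: int) -> int:
        return thread_perms.get(thread_id, {}).get(user, NONE)

    store = AttachmentStore(tempfile.mkdtemp())
    now = time.time()
    budget = store.save_upload("budget.xlsx", b"constructed spreadsheet", 1, now)
    odd = store.save_upload("..\\..\\web.config", b"just bytes", 2, now)  # hostile name
    orphan = store.save_upload("draft.doc", b"abandoned", None, now - 7200)  # cancelled

    bob_denied = download(store, perms, "bob", budget)
    alice_ok = download(store, perms, "alice", budget)
    return {  # dict literal evaluates top to bottom, so the purge runs last
        "bob_status": bob_denied[0],
        "alice_status": alice_ok[0],
        "alice_body": alice_ok[2],
        "alice_disposition": alice_ok[1]["Content-Disposition"],
        "path_leaked": store.rows[budget].real_path in str(alice_ok[1]),
        "unknown_status": download(store, perms, "alice", 999)[0],
        "orphan_status": download(store, perms, "alice", orphan)[0],
        "odd_disposition": download(store, perms, "bob", odd)[1]["Content-Disposition"],
        "purged": store.purge_orphans(3600, now),
        "orphan_row_remains": orphan in store.rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two properties the thread is arguing about both fall out of the lookup: a guessed or remembered URL only ever carries an Att_ID, so the handler can re-check the thread permission on every request (a deleted account simply has no permission left), and the stored path is never in any response. The orphan sweep is only a mitigation for the garbage problem Bruce describes, not a fix at cancel time: the server still cannot know the moment the user abandons the post, so the uncommitted upload lives until the next sweep.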