Web Wiz - Green Windows Web Hosting - Celebrating 25 Years!


Security-Holes in Attachments

BoNo (Newbie; joined 25 November 2004)
Posted: 25 November 2004 at 1:52pm
Hi there,

Regardless of the upload method used, there is a security hole in file attachments. If I know the download link for a file submitted in a forum to which I have no regular access (e.g. permissions for me = none), I can download the file without any problems. Because the link is fully shown in the browser's URL bar when downloading (also in e.g. Excel), I have a good chance of getting files from other members if I know the filename (maybe a user had access and now his account is deleted; if he knows the links he will have full access to the attachments).

Secondly, if I upload a file or image and then cancel the posting, the uploaded file remains on the server (garbage).

I'm currently working on my own "workaround" to solve the security issue, using a new table "tblAttachments". If someone has an already finished solution I would be happy to get a message.

WebWiz-Bruce (Admin Group, Web Wiz Developer; joined 03 September 2001; Bournemouth)
Posted: 25 November 2004 at 2:40pm
Not so much a security hole, just something that you have to accept when using ASP.

If you upload something to a publicly accessible server you just have to accept that it is just that, 'publicly accessible'.

The only way to prevent this is to place a password on the directory the file is uploaded to.

As most people don't have access to the server they cannot do this, and even if they can, unless they have access to the server or components installed, the forum's permissions wouldn't be able to grant them access to that folder.

If you do as you suggest and place the attachments in the database, this would be a huge performance hit, especially if using Access, as the database size would become very large and full of attachments.

As far as the attachment not being deleted when you hit cancel, this again cannot be overcome with ASP alone and is more to do with the upload component and the way in which the stateless HTTP protocol works.

The attachment and image upload feature is only there because people requested it, but I would recommend NOT using it if security is a priority, as it does mean you have to set write permissions etc. on the folder where the files are uploaded, as well as a number of other security issues.

Gullanian (Senior Member; joined 04 January 2002; England)
Posted: 25 November 2004 at 2:46pm
How about the option of uploading into a private folder and streaming the file to users that have legitimate access to the file?

BoNo (Newbie; joined 25 November 2004)
Posted: 25 November 2004 at 4:29pm
@-boRg-:
You misunderstood... I didn't want to put the attachments INSIDE the database; I only want to put a "reference" to the real path + filename of the file and give the downloading user an ID, which is handled by a download.asp script, streaming the file as "filename.ext" without the path it comes from. This would give me the ability to store the files in an area where a "normal" user would never gain access over the web (as proposed by Gullanian).
This would also give the forum the possibility to check the permissions for downloading this file (tblAttachments holds Att_ID, Thread_ID and the RealPathToFile) by Thread_ID.
The link would look like href="download.asp?ATID=4", which then checks the permissions for the Thread_ID stored in conjunction with this attachment.

My only problem is the "garbage files" left behind when cancelling a posting after uploading.
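The design Gullanian and BoNo arrive at above (a private folder outside the web root, a tblAttachments row per file, and a download.asp?ATID=n handler that checks the thread's permissions before streaming the bytes) is the standard fix for guessable attachment URLs, and the same table also solves the orphaned-upload problem once each row records whether its post was ever submitted. The following is an added example that is not Web Wiz Forums code and not BoNo's workaround; the forum itself is classic ASP, so this Python model only mirrors the design. AttachmentStore, can_read_thread, the `.bin` naming and the column names are assumptions for illustration, and all inputs in run_demo() are constructed.

```python
"""Added example: ID-keyed, permission-checked attachment serving plus orphan
cleanup, modelling the tblAttachments / download.asp?ATID=n design from the
thread. Hypothetical names throughout; not the forum's own code."""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Attachment:
    """One row of the hypothetical tblAttachments (Att_ID, Thread_ID, RealPathToFile)."""
    att_id: int
    thread_id: Optional[int]   # None until the post is actually submitted
    original_name: str         # uploader-supplied name: untrusted input
    real_path: str             # path inside the private folder; never sent to the browser
    uploaded_at: float


def safe_filename(name: str) -> str:
    """Reduce an uploader-supplied name to a safe value for Content-Disposition."""
    base = name.replace("\\", "/").split("/")[-1]            # drop any directory part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(". ")  # no header-breaking characters
    return base or "attachment"


class AttachmentStore:
    def __init__(self, private_dir: str, can_read_thread: Callable[[str, int], bool]):
        self.private_dir = private_dir            # outside the web root: no direct URL exists
        self.can_read_thread = can_read_thread    # the forum's own permission check (assumed)
        self._rows: Dict[int, Attachment] = {}
        self._next_id = 1

    def save_upload(self, original_name: str, data: bytes, now: Optional[float] = None) -> int:
        """Store the bytes under an opaque on-disk name and return the attachment ID."""
        att_id, self._next_id = self._next_id, self._next_id + 1
        real_path = os.path.join(self.private_dir, f"{att_id}.bin")
        with open(real_path, "wb") as fh:
            fh.write(data)
        self._rows[att_id] = Attachment(att_id, None, original_name, real_path,
                                        time.time() if now is None else now)
        return att_id

    def commit(self, att_id: int, thread_id: int) -> None:
        """Tie the upload to its thread once the post is submitted (not on cancel)."""
        self._rows[att_id].thread_id = thread_id

    def download(self, user: str, att_id: int) -> Tuple[int, Dict[str, str], bytes]:
        """What download.asp?ATID=<att_id> would do: look up by ID, check the thread
        permission, then stream the bytes under the sanitised original name only."""
        row = self._rows.get(att_id)
        if row is None or row.thread_id is None:
            return 404, {}, b""                   # unknown or never-posted upload
        if not self.can_read_thread(user, row.thread_id):
            return 403, {}, b""                   # permission decided per thread, not per URL
        with open(row.real_path, "rb") as fh:
            body = fh.read()
        headers = {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe_filename(row.original_name)}"',
        }
        return 200, headers, body

    def sweep_orphans(self, max_age: float, now: Optional[float] = None) -> List[int]:
        """Delete uploads never committed to a post (the 'garbage' case in the thread)."""
        now = time.time() if now is None else now
        removed = []
        for att_id, row in list(self._rows.items()):
            if row.thread_id is None and now - row.uploaded_at > max_age:
                os.remove(row.real_path)
                del self._rows[att_id]
                removed.append(att_id)
        return removed


def run_demo() -> dict:
    """Exercise the store with constructed data and return the observations."""
    private_dir = tempfile.mkdtemp(prefix="attachments_")
    allowed = {("alice", 7)}                      # constructed: alice may read thread 7
    store = AttachmentStore(private_dir, lambda user, tid: (user, tid) in allowed)
    t0 = 1_000_000.0
    att = store.save_upload("../../secret/report.xlsx", b"spreadsheet bytes", now=t0)
    before_commit = store.download("alice", att)[0]
    store.commit(att, thread_id=7)
    status, headers, body = store.download("alice", att)
    orphan = store.save_upload("draft.png", b"never posted", now=t0)
    orphan_path = store._rows[orphan].real_path
    swept = store.sweep_orphans(max_age=3600, now=t0 + 7200)
    return {
        "before_commit": before_commit,
        "owner_status": status,
        "owner_body": body,
        "disposition": headers["Content-Disposition"],
        "stranger_status": store.download("bob", att)[0],
        "unknown_id_status": store.download("alice", 999)[0],
        "swept": swept,
        "orphan_file_exists": os.path.exists(orphan_path),
        "committed_file_kept": os.path.exists(store._rows[att].real_path),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The two points worth noticing are that the browser only ever sees the numeric ID and the sanitised display name, so neither the private folder nor the on-disk name is exposed, and that an upload whose post was cancelled stays invisible to download() until a periodic sweep removes it, which is the server-side answer to the stateless-HTTP problem Bruce describes.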
Forum Software by Web Wiz Forums® version 12.08
Copyright ©2001-2026 Web Wiz Ltd.

