Consensus on Attachment Extensions..

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Consensus on Attachment Extensions..

Post by EXreaction »

I have a question...

Couldn't scripting files (like php) be allowed if, once they are uploaded, their extension was changed, and then when downloaded it was changed back to the default?

I don't think it would be a security threat at all then...

For example, if someone were to try and hack with a php file:

I try to upload a file named hack.php
The name of it gets changed to A.txt (A is the random string that phpBB3 automatically gives it)
Then I try to access it, and I find out it is a txt file, so Apache doesn't do anything with it other than display it
Then someone tries to download it and the name gets changed back to hack.php

You could even use something that there isn't any extension for... like make it .aaa (or is there an extension aaa?)

Is there any flaw in that logic? :mrgreen:

_underscore_
Registered User
Posts: 17
Joined: Fri Nov 04, 2005 3:09 pm
Location: CST

Re: Consensus on Attachment Extensions..

Post by _underscore_ »

EXreaction wrote: I have a question...

Couldn't scripting files (like php) be allowed if, once they are uploaded, their extension was changed, and then when downloaded it was changed back to the default?

I don't think it would be a security threat at all then...

For example, if someone were to try and hack with a php file:

I try to upload a file named hack.php
The name of it gets changed to A.txt (A is the random string that phpBB3 automatically gives it)
Then I try to access it, and I find out it is a txt file, so Apache doesn't do anything with it other than display it
Then someone tries to download it and the name gets changed back to hack.php

Not quite sure on this, anyways, PHPS are fine, and so are a number of archive formats, especially with the "expanded" lists [I am planning to make, anyways] to have even more type-specific archives (like JAR)

You could even use something that there isn't any extension for... like make it .aaa (or is there an extension aaa?)

Is there any flaw in that logic? :mrgreen:

Maybe PBA, for phpBB Attachment. Even so, it's not very good to randomly make up your extensions. Who would know an AAA file is phpBB, not that one insurance company (or whatever it is/was)?

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Consensus on Attachment Extensions..

Post by EXreaction »

_underscore_ wrote:
EXreaction wrote: I have a question...

Couldn't scripting files (like php) be allowed if, once they are uploaded, their extension was changed, and then when downloaded it was changed back to the default?

I don't think it would be a security threat at all then...

For example, if someone were to try and hack with a php file:

I try to upload a file named hack.php
The name of it gets changed to A.txt (A is the random string that phpBB3 automatically gives it)
Then I try to access it, and I find out it is a txt file, so Apache doesn't do anything with it other than display it
Then someone tries to download it and the name gets changed back to hack.php

Not quite sure on this, anyways, PHPS are fine, and so are a number of archive formats, especially with the "expanded" lists [I am planning to make, anyways] to have even more type-specific archives (like JAR)

You could even use something that there isn't any extension for... like make it .aaa (or is there an extension aaa?)

Is there any flaw in that logic? :mrgreen:

Maybe PBA, for phpBB Attachment. Even so, it's not very good to randomly make up your extensions. Who would know an AAA file is phpBB, not that one insurance company (or whatever it is/was)?


Could name it .exr after me (or you could just name them all .txt if you want, it really doesn't matter as long as Apache doesn't do scripting commands with it)! :mrgreen:

Well, it wouldn't matter what the extension is on the webserver. Heck it would probably be better to have it all named as one extension, that way if anyone browses the files/ folder(say someone misses uploading the index for the folder) they wouldn't know any file from anywhere else. Plus hotlinking wouldn't work at all! B=0

Nobody will notice it normally anyways. The extensions all get changed back so the users recognize them as the exact thing they uploaded...

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Consensus on Attachment Extensions..

Post by EXreaction »

I just tried hacking it myself...

Changed 78_e74ebcc70376d0de2f0e548975242be1.zip to 78_e74ebcc70376d0de2f0e548975242be1.exr in the phpbb_attachments under the row physical_filename, and in the files/ folder (renamed the file)

It treated it exactly like it does normally, it gave me the right file to download and gave it the correct extension. I tested it with a few images and everything worked exactly the same!

So it should be very easy, all that would need to be done is when it is uploaded give it a different extension...the rest works exactly as usual! :mrgreen:

Plus it is NOT possible to hotlink images anymore afterwards!


After looking at it a little myself I would highly recommend that the developers at least consider adding the small changes needed. Not only does it remove a huge security vulnerability with allowing uploading of scripts, but it also removes the possibility of hotlinking and stealing bandwidth.
(just make sure everyone sees it) :mrgreen:

Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code

Re: Consensus on Attachment Extensions..

Post by Highway of Life »

Hi Ex, got your message... but I think I'm missing something...???

How would a user be able to utilize the 'vulnerability' (hack it)?

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: Consensus on Attachment Extensions..

Post by Yawnster »

As far as I can see the only person who would be able to perform this would be the administrator, thus making it not a vulnerability..

Hmm.. I think your point has substance, but I think that the solution is overworked, all it would require for the users to do this is to upload a file in .txt and then for the downloaders to change it back.. But I definitely see the value in this..

Yawnster

marinedalek
Registered User
Posts: 12
Joined: Mon Aug 23, 2004 10:11 pm

Re: Consensus on Attachment Extensions..

Post by marinedalek »

However, not all users of forums know how to change the file extension, and if they had malicious intent they wouldn't bother anyway. If the extension is changed from php to txt, the server will (in 99% of cases) not execute php in a txt file. So when the file extension is changed automatically on download the user will receive a php file that hasn't been executed by the server. (stop me if I'm talking gibberish)

_underscore_
Registered User
Posts: 17
Joined: Fri Nov 04, 2005 3:09 pm
Location: CST

Re: Consensus on Attachment Extensions..

Post by _underscore_ »

EXreaction wrote: I just tried hacking it myself...

Changed 78_e74ebcc70376d0de2f0e548975242be1.zip to 78_e74ebcc70376d0de2f0e548975242be1.exr in the phpbb_attachments under the row physical_filename, and in the files/ folder (renamed the file)

It treated it exactly like it does normally, it gave me the right file to download and gave it the correct extension. I tested it with a few images and everything worked exactly the same!

So it should be very easy, all that would need to be done is when it is uploaded give it a different extension...the rest works exactly as usual! :mrgreen:

Plus it is NOT possible to hotlink images anymore afterwards!


After looking at it a little myself I would highly recommend that the developers at least consider adding the small changes needed. Not only does it remove a huge security vulnerability with allowing uploading of scripts, but it also removes the possibility of hotlinking and stealing bandwidth.
(just make sure everyone sees it) :mrgreen:


Another good thing about our current system is that you can have thumbnails/a link to the attached image in a post. With your system, that is impossible.

Also, with this current system you can choose what file types can be used also. This means you can block certain types if they are completely unrelated to your forum.

marinedalek wrote: However, not all users of forums know how to change the file extension, and if they had malicious intent they wouldn't bother anyway. If the extension is changed from php to txt, the server will (in 99% of cases) not execute php in a txt file. So when the file extension is changed automatically on download the user will receive a php file that hasn't been executed by the server. (stop me if I'm talking gibberish)


Unless of course, the server doesn't bother with extensions, and executes a file based off its MIME-type and what the file looks like, in which case it would still execute it; thus you have a massive security problem for 1% of your users.

Highway of Life wrote: Hi Ex, got your message... but I think I'm missing something...???

How would a user be able to utilize the 'vulnerability' (hack it)?

The vulnerability is that a user uploads a PHP file, the extension stays, and then they can execute the file.
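
The scheme debated in the posts above (store the upload under a random name with an inert extension, hand the original name back only at download time), as an added PHP example that is not phpBB's code or any poster's. The function names and the `real_filename` key are hypothetical; `.exr` and `physical_filename` are taken from the thread.

```php
<?php
// Added illustration, not phpBB code. Function names and the
// 'real_filename' key are assumptions made for this example.

// Extension suggested in the thread; the web server must have no handler mapped to it.
const NEUTRAL_EXT = 'exr';

/**
 * Decide the on-disk name and the metadata row for an upload.
 * The client-supplied name is kept only as metadata and never used as a path.
 */
function plan_attachment_storage(int $userId, string $clientName): array
{
    // Drop any directory part the client sent (both separator styles).
    $realName = basename(str_replace('\\', '/', $clientName));
    // Unpredictable name, so the stored file cannot be guessed or hotlinked.
    $physical = $userId . '_' . bin2hex(random_bytes(16)) . '.' . NEUTRAL_EXT;

    return [
        'physical_filename' => $physical,  // what lands in files/
        'real_filename'     => $realName,  // restored only at download time
    ];
}

/**
 * Headers the download script sends: the original name comes back through
 * Content-Disposition and the body is delivered as an opaque attachment.
 */
function download_headers(array $row): array
{
    // Replace characters that could break out of the quoted header value.
    $safe = preg_replace('/[^A-Za-z0-9._ -]/', '_', $row['real_filename']);

    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample: the upload described in the thread.
$row = plan_attachment_storage(78, 'hack.php');
echo $row['physical_filename'], "\n";
foreach (download_headers($row) as $header) {
    echo $header, "\n";
}
```

This holds only while the web server maps no handler to the stored extension and does not choose a handler from file content, which is the case _underscore_ raises. Serving every file through the download script and denying direct requests to files/ removes that dependence.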

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: Consensus on Attachment Extensions..

Post by Yawnster »

_underscore_ wrote:
Highway of Life wrote: Hi Ex, got your message... but I think I'm missing something...???

How would a user be able to utilize the 'vulnerability' (hack it)?

The vulnerability is that a user uploads a PHP file, the extension stays, and then they can execute the file.


This is impossible, I believe a number of formats have been hard-coded to not be allowed, PHP, ASP, CGI, JSP, PL I believe are the main one.. (Obviously and variants.. eg.. ASPX etc..)..

So this is in fact impossible to even allow users to upload these formats I believe..

As for the solution to the problem, I think it's a solution to a definite problem, but how would this system be adminned? What about if you wish to allow more formats to do this? How would this be done.. I see the problem with it, but personally I think the best solution in this case is not this, but simply by renaming extensions.. (I know very few Windows users know how to do this.. But if you are going to be playing with PHP, Perl, ASP etc.. Then a basic understanding of how to rename files successfully should be something we can presume..)

Anyway.. about it.. Yawnster

lmegliol
Registered User
Posts: 4
Joined: Mon Mar 06, 2006 7:16 pm

Re: Consensus on Attachment Extensions..

Post by lmegliol »

Just read through this article... Did I miss the post where someone confirmed or denied the security issues related to XML attachments? Could someone spell it out? Thanks.
