Highway of Life wrote: Hi Ex, got your message... but I think I'm missing something...???
How would a user be able to utilize the 'vulnerability' (hack it)?
I guess if it is hardcoded not to allow scripting files already they couldn't (unless a new scripting language comes out and the user allows it without updating to the latest version of phpBB).
If you simply change the file extension you can allow any file you want without any security vulnerability if php or other scripting files are allowed to be uploaded. Plus hotlinking to images directly, and simply browsing the files/ folder, will be useless (someone could download it, but they have no idea what it was, so they are SOL unless they figure out the exact name beforehand).
_underscore_ wrote:
EXreaction wrote: I just tried hacking it myself...
Changed 78_e74ebcc70376d0de2f0e548975242be1.zip to 78_e74ebcc70376d0de2f0e548975242be1.exr in phpbb_attachments under the row physical_filename, and in the files/ folder (renamed the file).
It treated it exactly like it does normally, it gave me the right file to download and gave it the correct extension. I tested it with a few images and everything worked exactly the same!
So it should be very easy, all that would need to be done is when it is uploaded give it a different extension...the rest works exactly as usual!
Plus it is NOT possible to hotlink images anymore afterwards!
After looking at it a little myself I would highly recommend that the developers at least consider adding the small changes needed. Not only does it remove a huge security vulnerability with allowing uploading of scripts, but it also removes the possibility of hotlinking and stealing bandwidth.
(just make sure everyone sees it)
Another good thing about our current system is that you can have thumbnails/a link to the attached image in a post. With your system, that is impossible.
Also, with this current system you can choose what file types can be used also. This means you can block certain types if they are completely unrelated to your forum.
Actually it works just fine. I tried it myself, as long as you change the thumbnail extension to the same as the image (like .exr) it works exactly the same.
Yawnster wrote:
_underscore_ wrote:
Highway of Life wrote: Hi Ex, got your message... but I think I'm missing something...???
How would a user be able to utilize the 'vulnerability' (hack it)?
The vulnerability is that a user uploads a PHP file, the extension stays, and then they can execute the file.
This is impossible, I believe a number of formats have been hard-coded to not be allowed, PHP, ASP, CGI, JSP, PL I believe are the main ones.. (Obviously and variants.. e.g. ASPX etc..)..
So this is in fact impossible to even allow users to upload these formats I believe..
As for the solution to the problem, I think it's a solution to a definite problem, but how would this system be adminned? What about if you wish to allow more formats to do this? How would this be done.. I see the problem with it, but personally I think the best solution in this case is not this, but simply renaming extensions.. (I know very few Windows users know how to do this.. But if you are going to be playing with PHP, Perl, ASP etc.. Then a basic understanding of how to rename files successfully should be something we can presume..)
Anyway.. about it.. Yawnster
Well, if they changed it to my way they could remove that and allow any file type to be uploaded (as long as the admin wants it of course).
Simply renaming extensions is a good idea for some people, but with Windows it is very hard for a non-techy to do (because by default Windows hides the file extension). So most people wouldn't know what is going on. Plus you could not do that with images that get thumbnailed or that you want viewed on the forums. My way it is possible, and is basically ready to go right away.
The only code that would have to be changed is the naming. You just rename the extension of the original file after it is uploaded. Everything else works exactly the same already.
Try it for yourself. Set up a demo board and upload an image in a thread. Change the physical_filename's extension, and change the name of the file and thumbnail (if there is one) in the files/ folder to match the new extension. You will see that everything works perfectly normally.
I would really like to get Acyd Burn in here and see what he thinks.
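The rename-on-upload scheme described in this thread, written out as an added example; this is not phpBB's own code, and the table name `attachments`, its columns, `$files_dir` and the two function names are assumptions for illustration. Uploads are stored under an opaque name with the thread's neutral `.exr` extension and served only through a script that looks the file up by id, so neither the user-chosen extension nor the original name ever becomes a path under the web root.

```php
<?php
// Added example (not phpBB's code). Assumes a PDO connection and a hypothetical
// table: attachments(attach_id, post_id, real_filename, physical_filename, mimetype, filesize).
const STORED_EXT = 'exr';   // neutral extension from the thread; must map to no server handler

// Upload side: drop the user's extension, keep the real name only as metadata.
function store_attachment(PDO $db, string $files_dir, array $upload, int $post_id): int {
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('bad upload');
    }
    // basename() strips path components; the regex leaves only safe name characters.
    $real_name = preg_replace('/[^\w.\-]/', '_', basename($upload['name']));
    $physical  = $post_id . '_' . bin2hex(random_bytes(16)) . '.' . STORED_EXT;
    $target    = rtrim($files_dir, '/') . '/' . $physical;
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        throw new RuntimeException('cannot move upload');
    }
    chmod($target, 0640);   // readable by the web server, never executable
    $stmt = $db->prepare('INSERT INTO attachments (post_id, real_filename, physical_filename, mimetype, filesize)'
                       . ' VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$post_id, $real_name, $physical, mime_content_type($target), filesize($target)]);
    return (int) $db->lastInsertId();
}

// Download side: resolve by id, never by a caller-supplied path, and pin the content type
// so the browser cannot sniff a stored file into something executable.
function send_attachment(PDO $db, string $files_dir, int $attach_id): void {
    $stmt = $db->prepare('SELECT real_filename, physical_filename, mimetype, filesize'
                       . ' FROM attachments WHERE attach_id = ?');
    $stmt->execute([$attach_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) { http_response_code(404); return; }
    $base = realpath($files_dir);
    $path = realpath($base . '/' . $row['physical_filename']);
    // Defence in depth: even a tampered DB row must still resolve inside files/.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404); return;
    }
    // Images may render inline (thumbnails in posts); everything else is a forced download.
    $inline = in_array($row['mimetype'], ['image/png', 'image/jpeg', 'image/gif'], true);
    header('Content-Type: ' . $row['mimetype']);
    header('Content-Length: ' . $row['filesize']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
         . '; filename="' . $row['real_filename'] . '"');
    readfile($path);
}
```

Because files/ only ever holds `*.exr` names that no handler executes, and every download goes through `send_attachment()` by id, the admin can allow any extension in the attachment settings without a stored script becoming reachable, and direct hotlinks to files/ stop working as the thread notes.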