attachment mod and security...

Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Bunnie
Registered User
Posts: 6
Joined: Tue Nov 30, 2004 8:27 pm

Re: attachment mod and security...

Post by Bunnie »

Sonic McTails wrote: Why not just have PHPBB change the file name it stores it to something totally bogus and random (like php_824113.pbb), so no exploits could be uploaded since the webserver would have to be set up to parse .pbb files as PHPBB. The attachments could store the original file name, and then when downloading one, it automatically changes the name on the fly.
This also makes bandwidth leeching of large files harder since they would have to guess the filename.
Yea, that's the best idea if you ask me. Just use the Content-Disposition header to 'rename' the file for the client.
Rawr
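The download side of the scheme discussed above, as an added example that is not phpBB or attachment-mod code: the file sits on disk under a random name with an inert extension, and the download script sends the original name back to the client in a Content-Disposition header. The storage directory, the lookup table and the sample record are assumptions standing in for the board's database.

```php
<?php
// Added example (not phpBB or attachment-mod code): serve a stored attachment
// under its original name via Content-Disposition, so the on-disk name
// (random, with a harmless extension) is never exposed to the client.
// The lookup table below is a constructed stand-in for the board's database.

declare(strict_types=1);

// Hypothetical storage directory, ideally outside the document root.
const ATTACH_DIR = '/var/www/attachments';

// Constructed sample records: id => [stored name, original name, size].
const ATTACHMENTS = [
    7 => [
        'stored' => '4f2c9a1e7b3d8c05a6e1f0d2b9c8a7e6.dat',
        'orig'   => 'notes.php',   // a .php upload is still inert on disk
        'size'   => 1234,
    ],
];

// Reduce a client-supplied name to something safe inside a header:
// drop path components and control/quote/backslash characters.
function safe_download_name(string $orig): string
{
    $base = basename(str_replace('\\', '/', $orig));
    $base = preg_replace('/[\x00-\x1f\x7f"\\\\]/', '_', $base) ?? '';
    return $base === '' || $base === '.' || $base === '..' ? 'download' : $base;
}

// Build the headers the download script should emit. Returned rather than
// sent so the logic can be exercised without a web server.
function download_headers(string $orig, int $size): array
{
    $name = safe_download_name($orig);
    return [
        'Content-Type: application/octet-stream',   // never let the browser guess
        'X-Content-Type-Options: nosniff',
        'Content-Length: ' . $size,
        // filename= for old clients, filename*= (RFC 5987) for non-ASCII names
        'Content-Disposition: attachment; filename="' . $name . '"; filename*=UTF-8\'\'' . rawurlencode($name),
    ];
}

function serve_attachment(int $id): void
{
    if (!isset(ATTACHMENTS[$id])) {
        http_response_code(404);
        return;
    }
    $rec  = ATTACHMENTS[$id];
    $path = ATTACH_DIR . '/' . $rec['stored'];   // stored name is ours, not the client's
    foreach (download_headers($rec['orig'], $rec['size']) as $h) {
        header($h);
    }
    readfile($path);
}

if (PHP_SAPI === 'cli') {
    // Show the headers the sample record would be served with
    echo implode("\n", download_headers(ATTACHMENTS[7]['orig'], ATTACHMENTS[7]['size'])), "\n";
}
```

Run from the command line it prints the headers for the sample record; the client sees notes.php as the suggested name while the webserver never touched a file ending in .php. The explicit application/octet-stream plus nosniff matters as much as the random name: without them a browser may sniff the body and render an HTML or script upload in the board's origin.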

Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: attachment mod and security...

Post by Graham »

It's worth noting that the actual "filename" part of the name is pretty much random already when it's stored on disk, but the extension itself does stay the same.
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!

JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: attachment mod and security...

Post by JPortal »

Why not just change the extension too? In the case that something goes wrong with server settings and someone gets access to the list of files, there is a possibility that malicious actions could take place. Especially if there aren't hordes of PHP files.

The filenames should just be MD5'd, IMHO. That way, the server won't even parse the files if someone gets access to them.

Sonic McTails
Registered User
Posts: 5
Joined: Thu Dec 09, 2004 10:58 pm

Re: attachment mod and security...

Post by Sonic McTails »

JPortal wrote: Why not just change the extension too? In the case that something goes wrong with server settings and someone gets access to the list of files, there is a possibility that malicious actions could take place. Especially if there aren't hordes of PHP files.

The filenames should just be MD5'd, IMHO. That way, the server won't even parse the files if someone gets access to them.
I said using the same extension, although MD5 hashes would be perfect.

JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: attachment mod and security...

Post by JPortal »

Sonic McTails wrote:
JPortal wrote: Why not just change the extension too? In the case that something goes wrong with server settings and someone gets access to the list of files, there is a possibility that malicious actions could take place. Especially if there aren't hordes of PHP files.

The filenames should just be MD5'd, IMHO. That way, the server won't even parse the files if someone gets access to them.
I said using the same extension, although MD5 hashes would be perfect.
Actually, on second thought, they wouldn't be *perfect*, seeing as anyone with simple PHP knowledge could get the MD5 hash of the filename. But it would be perfect with a little tweaking - grab a random string from the MD5'd file name (say, 7 or 8 characters) and then randomly grab a 7-8 character string from md5(time())

Something like this...

Code:

<?php
// $filename is the original name supplied with the upload
$file_md5 = md5($filename);
// second source of characters: the hash of the current second
$time_md5 = md5(time());
$chunk_length = 7;
// pick one offset and take a 7-char slice of both hashes from it
$start_pos = rand(0, (32 - $chunk_length));
$real_filename = substr($file_md5, $start_pos, $chunk_length) . substr($time_md5, $start_pos, $chunk_length);
Eh? Eh? :mrgreen:
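An added example of the upload side, not code from the attachment mod or from the post above, covering both the storage-name question in this post and the "change the extension too" point earlier in the thread. The post above derives the name from md5 of the filename and of time(); both inputs are knowable to an uploader, so the example instead draws the name from the CSPRNG and ignores the uploaded extension entirely. The extension allowlist and the directory path are assumptions; random_bytes() and the nullable return type need PHP 7.1 or later.

```php
<?php
// Added example, not attachment-mod code: choose the on-disk name for an
// upload without using anything the uploader controls or can predict.
// Assumptions: the allowlist below and a storage directory chosen by the admin.

declare(strict_types=1);

// Hypothetical allowlist of extensions the board will accept at all.
// Server-side extensions (.php, .phtml, .phar, ...) are simply absent.
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png', 'txt', 'zip'];

// Extension of the uploaded name, lower-cased, or '' when there is none.
function upload_extension(string $orig): string
{
    $base = basename(str_replace('\\', '/', $orig));
    $dot  = strrpos($base, '.');
    return $dot === false ? '' : strtolower(substr($base, $dot + 1));
}

// Accept or reject purely on the allowlist. A name like "shell.php.jpg"
// passes here, which is why the stored name below ignores it anyway.
function extension_allowed(string $orig): bool
{
    return in_array(upload_extension($orig), ALLOWED_EXTENSIONS, true);
}

// 128 bits of CSPRNG output, hex-encoded, plus a fixed inert suffix.
// Neither the uploader's name nor the clock enters the result.
function storage_name(): string
{
    return bin2hex(random_bytes(16)) . '.dat';
}

// True when a string has the exact shape storage_name() produces.
function is_storage_name(string $name): bool
{
    return preg_match('/^[0-9a-f]{32}\.dat$/', $name) === 1;
}

// Full upload step: validate, then move under a name we chose.
// Returns the stored name, or null when the extension is refused or the move fails.
function store_upload(string $orig, string $tmpPath, string $attachDir): ?string
{
    if (!extension_allowed($orig)) {
        return null;
    }
    $stored = storage_name();
    // move_uploaded_file() refuses anything that was not an HTTP upload
    if (!move_uploaded_file($tmpPath, $attachDir . '/' . $stored)) {
        return null;
    }
    return $stored;
}

// Constructed demonstration of the naming decisions (no file is moved)
if (PHP_SAPI === 'cli') {
    foreach (['report.txt', 'shell.php', 'shell.php.jpg', 'noext'] as $n) {
        printf("%-14s allowed=%s stored-as=%s\n",
            $n, extension_allowed($n) ? 'yes' : 'no', storage_name());
    }
}
```

The original name and the stored name live only in the database row; the filesystem never learns the former. Because every stored file ends in .dat regardless of what was uploaded, a misconfigured handler list for .php cannot be reached by an upload, and a leaked directory listing reveals nothing an attacker can use to guess other files.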

mansuetus
Registered User
Posts: 130
Joined: Sun Dec 07, 2003 8:02 pm
Location: Paris, France

Re: attachment mod and security...

Post by mansuetus »

On phpBB 2.0.x with the attach mod, we can now REALLY know the file name... and nobody seems to have noticed a very high-risk issue.

What do 'devs' think about that ?
A little plug for my site: we present killer horoscopes, we offer quizzes,
and if you look hard enough, you'll even see a phpBB :-)
come to spontex.org!

markus_petrux
Registered User
Posts: 376
Joined: Fri Jun 18, 2004 10:58 pm
Location: Girona, Catalunya (Spain)

Re: attachment mod and security...

Post by markus_petrux »

For those not running a decent webserver with the ability to deny world access to a directory.... lol

...it would work if the upload directory could be set off the document root.
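An added example of the directory-level control mentioned above, not configuration shipped with phpBB or the attachment mod: an Apache .htaccess for the upload directory that stops the server from executing or listing anything stored there. The directory path is whatever the admin configured; the directives assume Apache 2.4 with mod_mime, and the php_flag lines only apply when PHP runs as an Apache module (they are wrapped in IfModule so a PHP-FPM host does not fail on them).

```apache
# Added example, not from phpBB or the attachment mod.
# Drop this in the attachment upload directory (wherever the admin put it).

# Preferred case: the download script serves files, so nobody fetches the
# directory directly. Equivalent to "deny world access to a directory".
# Apache 2.2 would use:  Order deny,allow  /  Deny from all
Require all denied

# Defence in depth for the case where direct links must keep working
# (comment out "Require all denied" above). Nothing here executes.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .phar .php3 .php4 .php5 .phps
RemoveType    .php .phtml .phar .php3 .php4 .php5 .phps
SetHandler    default-handler

# Stored files all carry an inert extension; serve them as opaque bytes.
AddType application/octet-stream .dat
<IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
</IfModule>

# No directory listing, no CGI.
Options -Indexes -ExecCGI
```

The file only has effect if the server's AllowOverride for that directory permits it, which is exactly the "decent webserver" caveat in the post above. Keeping the upload directory outside the document root removes the whole question: there is then no URL under which the server could be asked to execute an upload, and the download script remains the single path to the bytes.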

JPortal
Registered User
Posts: 117
Joined: Sun Nov 28, 2004 10:42 pm

Re: attachment mod and security...

Post by JPortal »

mansuetus wrote: On phpBB 2.0.x with the attach mod, we can now REALLY know the file name... and nobody seems to have noticed a very high-risk issue.

What do 'devs' think about that ?
Anyone sane running the attachments mod has disabled .php extensions.

mansuetus
Registered User
Posts: 130
Joined: Sun Dec 07, 2003 8:02 pm
Location: Paris, France

Re: attachment mod and security...

Post by mansuetus »

social engineering ...
"Hey, Mister Admin, I want to share my knowledge about php with everybody... please allow .php extension as a text format, it will enable everyone to see my work !"
A little plug for my site: we present killer horoscopes, we offer quizzes,
and if you look hard enough, you'll even see a phpBB :-)
come to spontex.org!

Sonic McTails
Registered User
Posts: 5
Joined: Thu Dec 09, 2004 10:58 pm

Re: attachment mod and security...

Post by Sonic McTails »

mansuetus wrote: social engineering ...
"Hey, Mister Admin, I want to share my knowledge about php with everybody... please allow .php extension as a text format, it will enable everyone to see my work !"
You'd be surprised how many people do it. Also .php is sometimes used for dynamic images (using the gd module) so there are legitimate reasons why someone who doesn't understand the full considerations of using PHP might enable it.
