Consensus on Attachment Extensions..

[EXreaction]

Hi Ex, got your message... but I think I'm missing something...???

How would a user be able to utilize the 'vulnerablility' (hack it)?

I guess if it is hardcodded not to allow scripting files already they couldn't(unless a new scripting language comes out and the user allows it without updating to the patest version of phpBB).

If you simply change the file extension you can allow any file you want without any security vulnerability if php or other scripting files are allowed to be uploaded. Plus Hotlinking to images directly, and simply browsing the files/ folder will be useless(someone could download it, but they have no idea what it was, so they are SOL unless they figure out the exact name before hand).

I just tried hacking it myself...

Changed 78_e74ebcc70376d0de2f0e548975242be1.zip to 78_e74ebcc70376d0de2f0e548975242be1.exr in the phpbb_attachments under the row physical_filename, and in the files/ folder(renamed the file)

It treated it exactly like it does normally, it gave me the right file to download and gave it the correct extension. I tested it with a few images and everything worked exactly the same!

So it should be very easy, all that would need to be done is when it is uploaded give it a different extension...the rest works exactly as usual!

Plus It is NOT possible to hotlink images anymore afterwards!


After looking at it a little myself I would highly reccomend that the developers atleast consider adding the small changes needed. Not only does it remove a huge security vulnerability with allowing uploading of scripts, but it also removes the possibility of hotlinking and stealing bandwidth.
(just make sure everyone sees it)

Another good thing about our current system is that you can have thumbnails/a link to the attached image in a post. With your system, that is impossible.

Also, with this current system you can choose what file types can be used also. This means you can block certain types if they are completely unrelated to your forum.

Actually it works just fine. I tried it myself, as long as you change the thumbnail extension to the same as the image(like .exr) it works exactly the same.

Hi Ex, got your message... but I think I'm missing something...???

How would a user be able to utilize the 'vulnerablility' (hack it)?

The vulnerability is that a user uploads a PHP file, the extension stays, and then they can execute the file.

This is impossible, I believe a number of formats have been hard-coded to not be allowed, PHP, ASP, CGI, JSP, PL I believe are the main one.. (Obviously and variants.. eg.. ASPX etc..)..

So this is in fact impossible to even allow users to upload these formats I believe..

As for the solution to the problem, I think its a solution to a definate problem, but how would this system be adminned? What about if you wish to allow more formats to do this? How would this be done.. I see the problem with it, but personally I think the best solution in this case is not this, but simply by renaming extensions.. (I know very few windows users know how to do this.. But if you are going to be playing with PHP, Perl, ASP etc.. Then a basic understanding of how to rename files successfully should be something we can presume..)

Anyway.. about it.. Yawnster

Well, if they changed it to my way they could remove that and allow any file type to be uploaded(as long as the admin wants it of course).

Simply renaming extensions is a good idea for some people, but with windows it is very hard for a non-techy to do(because by default windows hides the file extension). So most people wouldn't know what is going on. Plus you could not do that with images that get thumbnailed or you want viewed on the forums. My way it is possible, and is basically ready to go right away.

The only code that would have to be changed is the naming. You just rename the extension of the original file after it is uploaded. Everything else works exactly the same already.

Try it for yourself. Setup a demo board and upload an image in a thread. Change the physical_filename's extension, and change the name of the file and thumbnail(if there is one) in the files/ folder to match the new extension. You will see that everything works perfectly normal.

I would really like to get Acyd Burn in here and see what he thinks.

[Yawnster]

Hmm.. well I am sure it works, but would the regular user (No Permissions) be able to complete the process.. I think not.. (This is aimed at your bold writing..)

As for extension renaming, the renaming would only take place on certain file formats, scripting languages etc.. And I think its safe to assume that if you can code using PHP, Perl, ASP etc.. Then you already know how to change file extensions..

As for XML, this took me a while to workout. Its all about XSL. You can link to external XSL file, say hosted on http://www.a.tld," target="_blank now the file you uploaded could be on http://www.b.tld" target="_blank and all you have to do is link the XSL from one domain to the next I believe and this would account for the vulnerability.. (However I am unsure if this is possible with XML as its a Strict Markup Language..)

My thoughts.. Yawnster

PS.. Even if the XSL file was uploaded to the same domain, with the way its looking javascript files and embedded javascript could be uploaded to include exploit code.. (Yay for XSS)

[EXreaction]

Hmm.. well I am sure it works, but would the regular user (No Permissions) be able to complete the process.. I think not.. (This is aimed at your bold writing..)

As for extension renaming, the renaming would only take place on certain file formats, scripting languages etc.. And I think its safe to assume that if you can code using PHP, Perl, ASP etc.. Then you already know how to change file extensions..

I don't quite understand. This would all be changed so it automatically changes the extension on all files, and would act the same way it does now. That was just so one of you guys could try it and see for yourself that it would take very little work to change...

True, but I would still say it is better to automatically have them all changed automatically. That way you could allow any type of script or file you wanted without any problems.

[NeoThermic]

Let it be noted that the suggested directory to put in the ACP for uploaded files is one that is not web accessable; then all your comments about hotlinking/vulnerabilities are null and void.

NeoThermic

[EXreaction]

Let it be noted that the suggested directory to put in the ACP for uploaded files is one that is not web accessable; then all your comments about hotlinking/vulnerabilities are null and void.

NeoThermic

Good point, but most people probably wouldn't be able to figure it out let alone think of doing something like that(I didn't even think of that)!

[Highway of Life]

Ex, Re: last post -- I thought it was an option in the ACP... actually, I'm pretty sure it is... I've seen it. Plus, if guest can't download attachments from your board, they would not be able to hotlink it anyways.
Then just disable hotlinking to the attachments directory, wherever that might be.

Also, regarding the renaming of extensions, I'm not quite catching your logic.
As a USER, someone CAN NOT upload an HTML, XML, PERL, PHP etc file, but they COULD rename it to .txt
When the user downloads/view it, it would show as a .txt file, not as a .php (or other) extension, so the user is safe from execution of a script file.
So either I'm reading stuff to fast and missed something, or there is not much of a security issue here... as Yawnster has pretty much vocalized all my arguments, I'll shut up now.

[EXreaction]

Ex, Re: last post -- I thought it was an option in the ACP... actually, I'm pretty sure it is... I've seen it. Plus, if guest can't download attachments from your board, they would not be able to hotlink it anyways.
Then just disable hotlinking to the attachments directory, wherever that might be.

Also, regarding the renaming of extensions, I'm not quite catching your logic.
As a USER, someone CAN NOT upload an HTML, XML, PERL, PHP etc file, but they COULD rename it to .txt
When the user downloads/view it, it would show as a .txt file, not as a .php (or other) extension, so the user is safe from execution of a script file.
So either I'm reading stuff to fast and missed something, or there is not much of a security issue here... as Yawnster has pretty much vocalized all my arguments, I'll shut up now.

Well, atleast in my forums I want guests to be able to download items. Otherwise a lot of people might just leave without registering.

Yes, I know they can rename it themselves, but it is not as easy as uploading a php file(which would be allowed if you have it automatically change the extensions) directly. You could remove the hardcodded file extension blocks then as well...

It isn't really much of a security vulnerability(since I learned it is hardcodded in to not allow it) but it would give users more freedom of allowing them to upload whatever they want without any risk. I don't know if changing guest permissions changes the .htaccess file in the files/ folder not to let anyone view the files or download them(unless it is accessed via phpBB) but renaming the extensions would make everyone browsing it for files be SOL. They wouldn't know what file does what...

[Yawnster]

Extended List Of Extensions...

Black - The current extensions included by default.
Red - Extensions I feel are worthy of entering the list..
Blue - Means I am unsure of the popularity of this extension, whether or not it will be used by enough users..
Green - Unsure of security status..
Orange - Definate No.. Based on any number of factors..
Purple - Not viable in terms of the Internet

Images

• BLEND - Too topic specific
• BMP
• GBH - Too topic specific
• GIF
• GIH - Too topic specific
• JPEG
• JPG
• PAT - Too topic specific
• PNG
• PSD - Too topic specific
• RAW
• SVG
• TGA
• TIF
• TIFF
• XCF - Too topic specific

Archives

• 7Z
• ACE
• ARJ - Not sure if this has enough usage, I understand it is supported by WinZip and WinRaR, but besides that I had never even used or heard of it before..
• BZ2
• BH - Too specific, should be a candidate for admin addition..
• CAB - Too specific, should be a candidate for admin addition..
• DEB - To topic specific, only would affect Linux related forums
• EXE - Security Issues
• GTAR
• GZ
• HA - Too specific, should be a candidate for admin addition..
• JAR - I am guess this would have security implications as the .jar format can be used as an installer I believe..
• LHA - Too specific, should be a candidate for admin addition..
• MSI - Security Issues
• RAR
• RPM - To topic specific, only would affect Linux related forums
• TAR
• TGZ
• TORRENT
• ZIP

Plain Text

• BAT - Security Issues
• C
• CPP
• CSV
• DIZ
• H
• HPP
• HTML - Security Issues
• INI
• JS
• LOG
• MOD - I know that this format is used for phpBB Modifications system, but is also a media format I believe, I do not think its suitable for inclusion into the list as its too specific.
• PL - Security Issues
• PHP - Security Issues
• PHPS
• PY - Security Issues
• SQL - Not sure if this would be good for all forums
• TXT
• XML - Security Issues

Documents

• AI
• DOC
• DOT
• ODG
• ODP
• ODS
• ODT
• PDF
• PPT
• PS
• RTF
• XLS

Media

• M4A
• M4V
• MOV
• MP3
• MP4
• MPEG
• PLS - To my knowledge this is a streaming audio/video extension, I am unsure of the popularity of it, so its a judgement call I guess.
• OGG
• SWF - Use the [flash] BBcode Instead.. Almost identical functionality..
• RM
• WAV
• WMA
• WMV

This is the final list I am going to submit.. Saying that I recommend adding the attachments in red, and evaluating the rest to see if they are suitable..

Enjoy.. Yawnster

EDIT: Report Submitted: http://www.phpbb.com/bugs/viewreport.php?b=4270" target="_blank

[DarsVaeda]

maybe you could add some explanatory text or a link to somewhere (thread or other webpage, downloadpage) that you are able to edit below or next to the text file.
so a possible stupid user who does not know how to handle a specific file can find the apropriate program to use it.
see pic (ignore german text )

[APTX]

I'm just wondering if .wav really is "viable in terms of the Internet".