Attachments Security...

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

Hmm, I just tried it again, and I found it is easier than ever to do it...all that needs to be changed is this:

Code: Select all

#
# Open
#

includes/functions_upload.php

#
# Find
#

				$this->realname = $prefix . $this->realname . '.' . $this->extension;

#
# Inline, Find
#

 . '.' . $this->extension

#
# Inline, Replace with
# (delete, make sure you don't delete the ; at the end)



#
# Find
#

				$this->realname = $prefix . md5(unique_id()) . '.' . $this->extension;

#
# Inline, Find
#

 . '.' . $this->extension

#
# Inline, Replace with
# (delete, make sure you don't delete the ; at the end)
All the testing I have done with it is great, no problems at all. :mrgreen:

User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: Attachments Security...

Post by Acyd Burn »

Then try posting real media, windows media or quicktime files or try to utilize the physical download method or try to inject a second extension; also i am not sure if it is possible to force the mime extension to either use the lowest known extension (if you append an unknown one) or by submitting a file with doubled extensions, then only the last would be stripped (for the real name of course).

I can see a few potential problems arising with this change, show-stopper bugs so to say. :)

Image

User avatar
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany
Contact:

Re: Attachments Security...

Post by naderman »

With the above method it's not possible to inject an extension or specify the extension as a user at all because an md5 hash is used.

User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: Attachments Security...

Post by Acyd Burn »

then only the last would be stripped (for the real name of course).


I never said it is possible for the physical name, though might be possible if people decide to also use the real name as the physical name - and some most likely will find the code line to change. :) But even then it is not possible to use more than one extension since doubled extensions should be stripped by the upload class.

Anyway, at the moment i do not see a possibility of using this method without removing windows media streaming and the physical download method.

Image

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

Acyd Burn wrote: Then try posting real media, windows media or quicktime files or try to utilize the physical download method or try to inject a second extension; also i am not sure if it is possible to force the mime extension to either use the lowest known extension (if you append an unknown one) or by submitting a file with doubled extensions, then only the last would be stripped (for the real name of course).

I can see a few potential problems arising with this change, show-stopper bugs so to say. :)


I tried a wmv, and that worked exactly the same...don't have any rm or quicktime files(or know how to make one and get it smaller than 2MB).

I tried the physical download method and well, that did not work the best. :P

Multiple extensions are not a problem, I tried php.php.php.php.php.php.php.php.php.php.php.php.php and it was still 2_8bb1107e0342feb5ca44ffe8e24e1887 :P


EDIT: If you don't want to setup a board to try it yourself, I can set one up with the change on a server of mine and give you FTP and admin access. :)

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

Bump.

Now that Physical Mode has been removed what do you think of implementing this Acyd?

User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: Attachments Security...

Post by Acyd Burn »

EXreaction wrote: Bump.

Now that Physical Mode has been removed what do you think of implementing this Acyd?


This is already implemented and the reason why the physical mode got removed.

Image

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

Acyd Burn wrote: This is already implemented and the reason why the physical mode got removed.


Wow, I guess I should have tried it first! :mrgreen:

Very, very awesome. 8)

houser
Registered User
Posts: 16
Joined: Sat Oct 14, 2006 9:05 am

Re: Attachments Security...

Post by houser »

Is this change in beta 5?
I am seeing some issues with Safar OSX, as discussed in the supportforum here:
http://www.phpbb.com/phpBB/viewtopic.ph ... chments%2A

I would just like to know what I should be looking for in my testing.

best
Janne A.

Post Reply