
Question Attachment Security Problem

12 years 7 months ago #1 by rgblogs
Hello

I run a private forum that is visible only after logging in. I am using Kunena version 1.7 on Joomla 1.5.23.

All attachments are uploaded to sitename.com/media/kunena/attachments/...

However, the folder is accessible to everyone via a web browser. Also, files can be downloaded by anyone who knows the link to the file.

Please help me fix this...

I have no signature :)

12 years 7 months ago #2 by xillibit
Hello,

This is the normal behaviour of Kunena: if you don't know the name of the files, you can't find them. Actually, I don't know a way to prevent that.

I don't provide support by PM, because this can be useful for someone else.

12 years 7 months ago #3 by fxstein

rgblogs wrote: Hello

I run a private forum that is visible only after logging in. I am using Kunena version 1.7 on Joomla 1.5.23.

All attachments are uploaded to sitename.com/media/kunena/attachments/...

However, the folder is accessible to everyone via a web browser. Also, files can be downloaded by anyone who knows the link to the file.

Please help me fix this...

That is correct and as-designed behavior, NOT a security problem. The same is true for all other Joomla files on your server. If you know the link to any image or uploaded file within Joomla, you can access or download it.

If you want to protect certain files from certain user groups, you will have to look at other download manager solutions in the Joomla Extension Directory.

Hope this helps!

We love stars on the Joomla Extension Directory. :-)

12 years 7 months ago #4 by rgblogs
Thanks for the reply.

Yes, download managers use a redirect feature to protect files from being downloadable by guests, according to access level.

I hope Kunena can also add that feature in the future.

I have no signature :)

12 years 7 months ago #5 by Matias
Yes, it's something we have thought of implementing, but until we get more requests for it, other things have higher priority. So please go to our front page and click on the right side to add your feature request. And remember to vote on it!

12 years 5 months ago #6 by yoonique[.net]
I also believe this is a security issue. The whole content of a topic should be protected including attachments (if the topic is set for registered users only).

You probably haven't received a lot of requests for this, because pretty much all users assume that attachments are protected as well. I only discovered this by accident :-)

For example, Zoo uses the following code to protect downloads (hiding the path behind MD5-hashed URLs).

Code:
    public function download($check = '') {
        // init vars
        $filepath      = JPATH_ROOT . '/' . $this->_data->get('file');
        $download_mode = $this->_config->get('download_mode');

        // check limit
        if ($this->isDownloadLimitReached()) {
            header('Content-Type: text/html');
            echo JText::_('Download limit reached!');
            return;
        }

        // trigger on download event
        $this->app->event->dispatcher->notify(
            $this->app->event->create($this, 'element:download', compact('check'))
        );

        // output file
        // mode 1: serve the file directly; mode 2: serve only if the URL carries the daily hash
        if ($download_mode == 1 && is_readable($filepath) && is_file($filepath)) {
            $this->_data->set('hits', $this->_data->get('hits', 0) + 1);
            $this->app->filesystem->output($filepath);
        } else if ($download_mode == 2 && $this->filecheck() == $check && is_readable($filepath) && is_file($filepath)) {
            $this->_data->set('hits', $this->_data->get('hits', 0) + 1);
            $this->app->filesystem->output($filepath);
        } else {
            header('Content-Type: text/html');
            echo JText::_('Invalid file!');
        }

        // save item
        $this->app->table->item->save($this->getItem());
    }

    public function output($file) {
        @error_reporting(E_ERROR);
        $name = basename($file);
        $type = $this->getContentType($name);
        $size = @filesize($file);
        $mod  = date('r', filemtime($file));

        // discard any buffered output so the file body starts clean
        while (@ob_end_clean());

        // required for IE, otherwise Content-disposition is ignored
        if (ini_get('zlib.output_compression')) {
            ini_set('zlib.output_compression', 'Off');
        }

        // set header
        header("Pragma: public");
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Expires: 0");
        header("Content-Transfer-Encoding: binary");
        header('Content-Type: ' . $type);
        header('Content-Disposition: attachment;'
            . ' filename="' . $name . '";'
            . ' modification-date="' . $mod . '";'
            . ' size=' . $size . ';');
        header("Content-Length: " . $size);

        // set_time_limit doesn't work in safe mode
        if (!ini_get('safe_mode')) {
            @set_time_limit(0);
        }

        // output file
        $handle = fopen($file, 'rb');
        fpassthru($handle);
        fclose($handle);
    }

    public function filecheck() {
        // hash of file path + site secret + today's date: the link changes daily
        $secret = $this->_config->get('secret');
        return md5($this->_data->get('file') . $secret . date('Y-m-d'));
    }

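The Zoo code above ties a download link to md5(path + secret + date), so whoever holds a valid link can fetch the file for the rest of that day, logged in or not. The "redirect feature" download managers use (post #4) works differently: the file is kept where the web server cannot serve it and a script checks the requester's login and access level on every request. The following is an added example of that pattern, written for this thread; it is not Kunena's or Zoo's code. It assumes a hypothetical storage directory /var/www/private/attachments outside the web root, and stubs the forum's own ACL and attachments table with two placeholder functions (attachmentRecord, currentUserCanRead) whose sample data is constructed here.

```php
<?php
// Added example (not Kunena's or Zoo's code): an access-checked download
// handler for forum attachments. Assumptions (hypothetical, not from the thread):
//   - attachments live OUTSIDE the web root (ATTACHMENT_ROOT below), so the
//     web server never serves them directly and a shared link alone is useless;
//   - the forum's login/ACL logic is reached through two stubs defined here:
//     attachmentRecord($id) and currentUserCanRead($topicId).
//
// If the directory cannot be moved, an Apache .htaccess in media/kunena/attachments
// with "Options -Indexes" and "Deny from all" stops directory listing and direct
// hits; every download then has to go through a handler like this one.

declare(strict_types=1);

const ATTACHMENT_ROOT = '/var/www/private/attachments'; // hypothetical path

/** Constructed sample metadata standing in for the attachments table. */
function attachmentRecord(int $id): ?array
{
    $table = [
        42 => ['topic_id' => 7, 'file' => 'report.pdf', 'mime' => 'application/pdf'],
    ];
    return $table[$id] ?? null;
}

/** Stand-in for the forum ACL: true only for a logged-in user who may read $topicId. */
function currentUserCanRead(int $topicId): bool
{
    // Hypothetical: real code would consult the session and the topic's access level.
    return isset($_SESSION['user_id'])
        && in_array($topicId, $_SESSION['readable_topics'] ?? [], true);
}

/**
 * Resolve and validate the on-disk path for an attachment record.
 * Returns null if the stored name contains a path component or the resolved
 * path escapes ATTACHMENT_ROOT (covers "../" names and stray symlinks).
 */
function resolveAttachmentPath(array $record): ?string
{
    $name = $record['file'];
    if ($name === '' || $name !== basename($name)) {
        return null;
    }
    $root = realpath(ATTACHMENT_ROOT);
    $path = realpath(ATTACHMENT_ROOT . '/' . $name);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/**
 * Decide what to do with a request: ['status' => int, 'path' => ?string, ...].
 * Kept free of header()/echo so the decision itself can be unit-tested.
 */
function authorizeDownload(int $attachmentId): array
{
    $record = attachmentRecord($attachmentId);
    if ($record === null) {
        return ['status' => 404, 'path' => null];
    }
    // Authorization before any file-system access: an unauthorized user learns
    // nothing about whether the file exists.
    if (!currentUserCanRead($record['topic_id'])) {
        return ['status' => 403, 'path' => null];
    }
    $path = resolveAttachmentPath($record);
    if ($path === null) {
        return ['status' => 404, 'path' => null];
    }
    return ['status' => 200, 'path' => $path, 'mime' => $record['mime'], 'name' => $record['file']];
}

/** Stream the file with headers that keep browsers from sniffing or caching it. */
function sendDownload(array $decision): void
{
    if ($decision['status'] !== 200) {
        http_response_code($decision['status']);
        return;
    }
    header('Content-Type: ' . $decision['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');
    // Escape quotes so a crafted filename cannot inject extra header parameters.
    header('Content-Disposition: attachment; filename="' . addcslashes($decision['name'], '"\\') . '"');
    header('Content-Length: ' . filesize($decision['path']));
    readfile($decision['path']);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    sendDownload(authorizeDownload((int) ($_GET['id'] ?? 0)));
}
```

With this layout the case rgblogs describes in #9 (a member copying the download link and posting it on Facebook) yields a 403 for anyone who is not logged in with read access to the topic, because the URL names an attachment id, not a file, and the file itself is not reachable from the web root.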
12 years 5 months ago #7 by Matias
We have planned this feature for some time, but never got the time/motivation to implement it. A variation of something like this would work (I would keep the unprotected URL as a configuration option).

I disagree with it being a security issue (I wouldn't put sensitive files into a forum anyway), but I can understand why other people think that it is. We are not taking any more features into Kunena 1.7, but I hope to get this done for K2.0.

12 years 4 months ago #8 by yoonique[.net]
Thanks for your response (I only just saw it :-). I understand that it doesn't make it into 1.7. Release 2.0 would be OK :-)

12 years 4 months ago #9 by rgblogs
The problem is that people in my forum copy the download link and share the direct link on Facebook!

Waiting for 2.0 and hope it has some solution :)

I have no signature :)

12 years 3 months ago #10 by hcx
Replied by hcx on topic Re: Attachment Security Problem
I hope that this will provide some motivation: www.zone-h.org/mirror/id/15827000 - my site had been hacked - allegedly it was "Security Testing By: -=[ AntiDefence BlackHat TEAM ]=-". I have had to prevent ALL downloads on my site since this happened. It is quite unfortunate, as it is very public, all-over-the-internet public... which in itself was a gift in disguise, as I was able to clamp down on my security issues.

Now no one is allowed to download from my site.

I hope you guys can attempt to fix this issue sooner than later. :sick:
