Topics that are moved into this category are generally considered to be closed. Users may want to add additional information but these topics should not be resurrected in order to discuss new problems or unrelated matters.

Question Attachment Security Problem

14 years 7 months ago #106078 by rgblogs
Hello

I run a private forum that is visible only after logging in. I am using Kunena version 1.7 on Joomla 1.5.23.

All attachments are uploaded to sitename.com/media/kunena/attachments/...

However, the folder is accessible to everyone via a web browser. Also, files can be downloaded by anyone who knows the link to the file.

Please help me fix this...

I have no signature :)

14 years 7 months ago #106081 by xillibit
Hello,

This is the normal behaviour of Kunena: if you don't know the name of the file, you can't find it. Actually, I don't know a way to prevent that.

I don't provide support by PM, because this can be useful for someone else.

14 years 7 months ago #106091 by fxstein

rgblogs wrote: Hello

I run a private forum that is visible only after logging in. I am using Kunena version 1.7 on Joomla 1.5.23.

All attachments are uploaded to sitename.com/media/kunena/attachments/...

However, the folder is accessible to everyone via a web browser. Also, files can be downloaded by anyone who knows the link to the file.

Please help me fix this...

That is correct and as-designed behavior, NOT a security problem. The same is true for all other Joomla files on your server. If you know the link to any image or uploaded file within Joomla, you can access or download it.

If you want to protect certain files from certain user groups, you will have to look at other download manager solutions in the Joomla Extension Directory.

Hope this helps!

We love stars on the Joomla Extension Directory. :-)

14 years 7 months ago #106102 by rgblogs
Thanks for the reply.

Yes, download managers use a redirect feature to protect files from being downloadable by guests, according to access level.

I hope Kunena can also add that feature in the future.

I have no signature :)

14 years 7 months ago #106347 by Matias
Yes, it's something we have thought of implementing, but until we get more requests for it, other things have higher priority. So please go to our front page and click on the right side to add your feature request. And remember to vote on it!

14 years 5 months ago #110950 by yoonique[.net]
I also believe this is a security issue. The whole content of a topic should be protected including attachments (if the topic is set for registered users only).

You probably haven't received a lot of requests for this, because pretty much all users assume that attachments are protected as well. I only discovered this by accident :-)

For example, Zoo uses the following code to protect downloads ("hide path behind md5 hashed URLs").

Code:
public function download($check = '')
{
    // init vars
    $filepath      = JPATH_ROOT . '/' . $this->_data->get('file');
    $download_mode = $this->_config->get('download_mode');

    // check limit
    if ($this->isDownloadLimitReached()) {
        header('Content-Type: text/html');
        echo JText::_('Download limit reached!');
        return;
    }

    // trigger on download event
    $this->app->event->dispatcher->notify($this->app->event->create($this, 'element:download', compact('check')));

    // output file: mode 1 serves the file to anyone who reaches this method,
    // mode 2 additionally requires the daily md5 token produced by filecheck()
    // (a strict === comparison would be the safer choice for the token check)
    if ($download_mode == 1 && is_readable($filepath) && is_file($filepath)) {
        $this->_data->set('hits', $this->_data->get('hits', 0) + 1);
        $this->app->filesystem->output($filepath);
    } else if ($download_mode == 2 && $this->filecheck() == $check && is_readable($filepath) && is_file($filepath)) {
        $this->_data->set('hits', $this->_data->get('hits', 0) + 1);
        $this->app->filesystem->output($filepath);
    } else {
        header('Content-Type: text/html');
        echo JText::_('Invalid file!');
    }

    // save item
    $this->app->table->item->save($this->getItem());
}

public function output($file)
{
    @error_reporting(E_ERROR);

    $name = basename($file);
    $type = $this->getContentType($name);
    $size = @filesize($file);
    $mod  = date('r', filemtime($file));

    // discard any buffered output so only the file bytes are sent
    while (@ob_end_clean());

    // required for IE, otherwise Content-disposition is ignored
    if (ini_get('zlib.output_compression')) {
        ini_set('zlib.output_compression', 'Off');
    }

    // set header
    header("Pragma: public");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Expires: 0");
    header("Content-Transfer-Encoding: binary");
    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment;'
        . ' filename="' . $name . '";'
        . ' modification-date="' . $mod . '";'
        . ' size=' . $size . ';');
    header("Content-Length: " . $size);

    // set_time_limit doesn't work in safe mode
    if (!ini_get('safe_mode')) {
        @set_time_limit(0);
    }

    // output file
    $handle = fopen($file, 'rb');
    fpassthru($handle);
    fclose($handle);
}

public function filecheck()
{
    // token = md5(file path + site secret + today's date), so a link is only valid for the calendar day it was issued
    $secret = $this->_config->get('secret');
    return md5($this->_data->get('file') . $secret . date('Y-m-d'));
}

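As an added example that is not part of this thread and not Kunena's or Zoo's own code, here is the gateway approach the thread describes (the download-manager idea of serving files only to permitted users, combined with Zoo's daily link token) as one script for a Joomla 1.5 site. `ATTACHMENT_DIR`, `TOKEN_SECRET`, `tokens_match()` and the `.htaccess` quoted in the comment are assumptions of the example.

```php
<?php
// Added example (not Kunena or Zoo code): serves forum attachments only to logged-in
// users. Assumes Joomla 1.5 is bootstrapped (JFactory, JPATH_ROOT) and that direct
// HTTP access to media/kunena/attachments/ is blocked by an .htaccess there with
//     Order deny,allow
//     Deny from all
// so Apache refuses guessed links while PHP can still read the files from disk.

define('ATTACHMENT_DIR', JPATH_ROOT . '/media/kunena/attachments');
define('TOKEN_SECRET', 'REPLACE-WITH-LONG-RANDOM-SECRET'); // placeholder; load from config

function tokens_match($a, $b)
{
    // Double-HMAC compare: constant time on PHP < 5.6, which has no hash_equals().
    return hash_hmac('sha256', $a, TOKEN_SECRET) === hash_hmac('sha256', $b, TOKEN_SECRET);
}

// 1. Access control: guests get nothing, whatever link they hold.
if (JFactory::getUser()->guest) {
    header('HTTP/1.0 403 Forbidden');
    exit('Login required.');
}

// 2. Resolve the request inside ATTACHMENT_DIR only: realpath() collapses ../ and
//    symlinks, and the prefix check rejects anything that escaped the folder.
$requested = isset($_GET['file']) ? $_GET['file'] : '';
$path      = realpath(ATTACHMENT_DIR . '/' . $requested);
if ($path === false || !is_file($path)
    || strpos($path, realpath(ATTACHMENT_DIR) . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit('Invalid file.');
}

// 3. Zoo-style per-day token like filecheck() above, but keyed with hash_hmac() rather
//    than md5(file . secret . date); the link-rendering page computes the same value.
$expected = hash_hmac('sha256', $requested . date('Y-m-d'), TOKEN_SECRET);
$given    = isset($_GET['check']) ? $_GET['check'] : '';
if (!tokens_match($given, $expected)) {
    header('HTTP/1.0 403 Forbidden');
    exit('Invalid token.');
}

// 4. Stream as a download; octet-stream plus nosniff stops the browser from
//    rendering an uploaded HTML or SVG attachment inside the forum's origin.
while (ob_get_level()) { ob_end_clean(); }
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The login check in step 1 together with the blocked folder already answers the original question; keep step 3 only if links should also expire each day as Zoo's do.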