
Question: Full path disclosure downloading attachments

10 years 10 months ago #166919 by Texpaok
Hi Corinne,

It seems this only happens when you edit forum entries.

This is my workaround; it's a bit technical:

1. Make a backup. We have to modify some database fields, so the entire site could break.
2. Using phpmyadmin (or similar) go to kunena_attachments table.
3. Search for something relevant to your path (for example, media) in the filename_real field:

4. The results are the attachments with the full path. Just edit each one, deleting the full path and keeping the file name.
For example, in your case you should have an entry with media/kunena/attachments/Dienstleistungskatalog_eines_Versicherungsbrokers.pdf/Dienstleistungskatalog_eines_Versicherungsbrokers.pdf and after editing you should have only Dienstleistungskatalog_eines_Versicherungsbrokers.pdf

Obviously, you have to do this every time you edit a forum entry until a patch is provided.

If you don't know how to do it, I can give you a hand. Just use the contact form of my website and I will help you.

Regards,
Jose

10 years 10 months ago - 10 years 10 months ago #166921 by webuniverse
Hello Jose

Thanks for your solution, but it is not exactly like this.

I made two screenshots, of a wrong and a correct entry.

The "folder" entry is not correct...

OLD: /media/kunena/attachments/documentname.pdf

Correct: media/kunena/attachments

Maybe I can make a database replace of all entries with ".pdf" to /media/kunena/attachments :unsure:

I will try this :silly:

Thank you for your help
Corinne
Last edit: 10 years 10 months ago by webuniverse.

10 years 10 months ago #166922 by Texpaok
You're welcome Corinne!

In my case, the full path disclosure is located only in the filename_real field...

To be fully sure there is no path disclosure we should replace all downloadable file types, not only .pdf. More work to do! :silly:

Regards,
Jose

10 years 10 months ago #166923 by webuniverse
I have some paths that are correct... so I need only the .pdf's.

If somebody else has the same problem, here is my script:

UPDATE `xxx_kunena_attachments` SET `folder` = "media/kunena/attachments" WHERE `folder` LIKE "%.pdf"

Now everything works okay :)

Have a nice Day B)
Corinne
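As an added example (not Corinne's script and not Kunena's own code), the same repair generalized to every file type and to both fields discussed in this thread, written for MySQL/MariaDB. It assumes the `xxx_` table-prefix placeholder from the post above and the column names `folder` and `filename_real` as named in the thread.

```sql
-- Added example, not from the thread. Run it against a backup first.
-- `xxx_` stands for the real Joomla table prefix (placeholder).

-- 1. Audit before changing anything: rows whose `folder` still ends in a
--    file name (any extension, not only .pdf) or whose `filename_real`
--    still carries a path component.
SELECT `folder`, `filename_real`
FROM `xxx_kunena_attachments`
WHERE `folder` REGEXP '\\.[A-Za-z0-9]+$'
   OR `filename_real` LIKE '%/%';

-- 2. Repair inside a transaction so the result can be inspected
--    before it is committed.
START TRANSACTION;

-- Drop the trailing "/file.ext" segment from `folder` and normalize the
-- leading slash, so "/media/kunena/attachments/doc.pdf" becomes
-- "media/kunena/attachments" regardless of the extension.
UPDATE `xxx_kunena_attachments`
SET `folder` = TRIM(LEADING '/' FROM
      SUBSTRING(`folder`, 1,
        CHAR_LENGTH(`folder`)
        - CHAR_LENGTH(SUBSTRING_INDEX(`folder`, '/', -1)) - 1))
WHERE `folder` LIKE '%/%'
  AND `folder` REGEXP '\\.[A-Za-z0-9]+$';

-- Keep only the last path segment of `filename_real`, so
-- "media/kunena/attachments/doc.pdf/doc.pdf" becomes "doc.pdf".
UPDATE `xxx_kunena_attachments`
SET `filename_real` = SUBSTRING_INDEX(`filename_real`, '/', -1)
WHERE `filename_real` LIKE '%/%';

-- 3. Re-run the audit; it should now return no rows.
SELECT `folder`, `filename_real`
FROM `xxx_kunena_attachments`
WHERE `folder` REGEXP '\\.[A-Za-z0-9]+$'
   OR `filename_real` LIKE '%/%';

-- COMMIT only if the audit is clean; otherwise ROLLBACK.
COMMIT;
```

The audit query is the check to keep around: as the thread notes, the stored path reappears after a post is edited until the extension itself is patched, so re-running it after edits shows whether rows need repair again.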

10 years 10 months ago #166939 by xillibit
The userid should appear in the path and in your case it doesn't appear...

I am currently investigating the issue, but if you set protected attachments to ON, the path of the attachment that you can see when you hover over it is the following:

mysite.com/kunena_test/index.php/forum/attachment/5


I don't provide support by PM, because this can be useful for someone else.

10 years 10 months ago #166949 by Texpaok
Hi xillibit,

When I discovered the issue, the protect attachments option was set to OFF. After that, I enabled it, edited a post and uploaded a file but the issue still remained...

Regards,
Jose
