Question security for attachments

4 years 1 week ago - 4 years 1 week ago #1 by davood71
Hi
I am using Kunena version 5.0.2.

In this Kunena, when protect attachments is enabled, it works well with no problem and access is good (guests have no access to attachments) ---> this is a good setting for Kunena.
But I've noticed something:
When protect attach --> yes
any file (images, txt, or any other files) loads with the link ---> localhost/forum/attachment/1 or any number
For example:
localhost/forum/attachment/1
localhost/forum/attachment/2
localhost/forum/attachment/3
localhost/forum/attachment/300
localhost/forum/attachment/1000
or any number id.
This is low security, because users can guess, and if they go from 1 to the last number, they can download or see any attachment.
If protect attachment is enabled, in the database (table attachment) the filename is set to (for example) = 4861650dafeb90c197212d5c90e60a7b
I think if attachments load with the basename (after Kunena changes it), that is good and high security.
For example:
localhost/forum/attachment/3 ----> localhost/forum/attachment/4861650dafeb90c197212d5c90e60a7b
localhost/forum/attachment/4 ----> localhost/forum/attachment/d550dafeb86190c19722d5c9456dwa5d
So, users cannot guess :)
Is it possible?
In your opinion, if it loads with the id number from the attachment table, is that low security?
Please answer me.
Thank you, Kunena.
Last edit: 4 years 1 week ago by davood71.

4 years 6 days ago - 4 years 6 days ago #2 by davood71
Replied by davood71 on topic security for attachments
Hi
Excuse me for opening the topic again.
Please read this topic.
When protect attach --> yes
open attachment: localhost/forum/attachment/1 until localhost/forum/attachment/(ID Database)
Because this opens with the table ID (kunena attachment), is this not low security? I think because it opens with the table ID from the database, maybe there is an SQL injection vulnerability (because it opens with the attachment ID and the link is not controlled).
Am I right?
I am worried that there is an SQL injection vulnerability, and loading with this link localhost/forum/attachment/152 ===>> security is low.
Please answer me.
Thank you for the answer.
I love Kunena, a very good component.
Last edit: 4 years 6 days ago by davood71.
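
The two concerns raised in this thread (guessable numeric ids in `/attachment/{id}` and SQL injection through that id) are shown here as an added example; it is not part of the original posts and not Kunena's code. The table, the `READABLE` access list and `resolveAttachment()` are hypothetical names, and the rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE attachments (id INTEGER PRIMARY KEY, category_id INTEGER, stored_name TEXT)');
$db->exec("INSERT INTO attachments VALUES (1, 10, 'constructed-name-1'), (2, 20, 'constructed-name-2')");

// Hypothetical access list: category ids each user may read. A null user is a guest.
const READABLE = ['alice' => [10, 20], 'bob' => [10]];

/** Returns [HTTP status, stored file name or null] for a request to /attachment/{rawId}. */
function resolveAttachment(PDO $db, ?string $user, string $rawId): array
{
    // 1. Accept only a plain positive decimal id; anything else never reaches SQL.
    if (!preg_match('/^[1-9][0-9]{0,8}$/', $rawId)) {
        return [400, null];
    }
    // 2. Bound parameter: the id is passed as data, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT category_id, stored_name FROM attachments WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, null];
    }
    // 3. Authorization on every request, so walking ids 1..N returns nothing
    //    the requester could not already read.
    $allowed = $user !== null ? (READABLE[$user] ?? []) : [];
    if (!in_array((int) $row['category_id'], $allowed, true)) {
        return [404, null]; // same answer as "missing", so ids cannot be probed for existence
    }
    return [200, $row['stored_name']];
}

// Walk through a few constructed requests.
$requests = [['alice', '2'], ['bob', '2'], [null, '1'], ['bob', '1 OR 1=1'], ['bob', '1']];
foreach ($requests as [$user, $id]) {
    [$status, $name] = resolveAttachment($db, $user, $id);
    printf("%-5s /attachment/%-9s -> %d %s\n", $user ?? 'guest', $id, $status, $name ?? '-');
}
```

With a per-request check like step 3, a sequential id reveals only how many attachments exist; replacing it with a random name hides that count but does not substitute for the check, because links get shared and logged.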
