FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Security Leak on Uploads? [message #32115] Fri, 09 June 2006 07:57
Ryo2023, Germany
It might be too obvious, and too easy.
But it seems to be an issue.

I tested my forum and was quite shocked.

When I edit any HTML file (including scripting), then rename it to something like test.jpg and upload it as an attachment in the message editor, the message will be accepted and posted to the forum.

Now if I use IE and click on that link, which shows "test.jpg", the file will be opened and executed!
I tried this with a normal user account.

Now I think it might be a good idea to stop a file from being executed. Even plain HTML might be a phishing risk.

I configured all forums to a zero upload limit.

[Updated on: Fri, 09 June 2006 08:02]

Re: Security Leak on Uploads? [message #32118 is a reply to message #32115] Fri, 09 June 2006 09:48
Ryo2023, Germany
I heard you have been informed by another person and have already left him a response.

So... you should write something here about it, too.

We discussed that point in another forum, and this user is now trying to blame FUDforum in public.

I'm wondering why you did not first respond to this message or at least leave me a personal note.

I'm now treating this problem as critical.

Re: Security Leak on Uploads? [message #32120 is a reply to message #32118] Fri, 09 June 2006 10:37
Ilia, Canada (Administrator, Core Developer)
This is a bug in Internet Explorer that causes it to parse images with an invalid MIME type as HTML. A fix for this bug was already applied to CVS and will be a part of the next FUDforum release.

FUDforum Core Developer
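
An added example, not part of the thread and not the FUDforum fix (which the thread does not show): one way a server can reject an HTML file renamed to test.jpg and serve accepted attachments so that a browser does not render them inline. The function names, the image allow-list and the 256-byte scan window are assumptions of this example.

```python
# Added example; all names are hypothetical and this is not FUDforum code.
# Leading "magic" bytes for the image types accepted (assumed allow-list).
IMAGE_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                   "png": "image/png", "gif": "image/gif"}
# Markup tokens that must not appear near the start of an "image".
HTML_MARKERS = (b"<html", b"<head", b"<body", b"<script", b"<iframe", b"<!doctype")


def sniff_image_type(data):
    """Return the MIME type whose signature starts the data, else None."""
    for mime, signatures in IMAGE_SIGNATURES.items():
        if data.startswith(signatures):
            return mime
    return None


def check_upload(filename, data):
    """Return (accepted, reason) for an upload that claims to be an image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext)
    if claimed is None:
        return False, "extension not on the image allow-list"
    if sniff_image_type(data) != claimed:
        return False, "content does not match the claimed image type"
    # A valid signature can still be followed by markup, so also scan
    # the first 256 bytes for HTML tokens.
    head = data[:256].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return False, "markup found in the leading bytes"
    return True, "ok"


def download_headers(filename, mime):
    """Response headers that stop a browser from rendering the file inline."""
    safe = "".join(c for c in filename if c.isalnum() or c in "._-") or "file"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
    }


if __name__ == "__main__":
    # Constructed sample: an HTML page renamed to test.jpg, as in the report.
    print(check_upload("test.jpg", b"<html><body>hello</body></html>"))
```

The upload check and the response headers cover different cases: the first keeps mislabelled files out, the second limits what a browser does with anything that was stored before the check existed.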

Re: Security Leak on Uploads? [message #32233 is a reply to message #32115] Thu, 15 June 2006 15:44
cooler, Belgium
Look at this site, you'll find all your troubles in it. Just post it as a request, then he will post you the answer. That admin knows so much, really.

site: http://forumer.6x.to