FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Security Leak on Uploads? [message #32115] Fri, 09 June 2006 07:57
Ryo2023 (Germany)
It might be too obvious, and too easy.
But it seems to be an issue.

I tested my forum and was quite shocked.

When I edit any HTML file (including scripting), then rename it to something like test.jpg and upload it as an attachment in the message editor, the message will be accepted and posted to the forum.

Now if I use IE and click on that link, which shows "test.jpg", the file will be opened and executed!
I tried this with a normal user account.

Now I think it might be a good idea to stop a file from being executed. Even plain HTML might be a phishing risk.

I configured all forums to a zero upload limit.

[Updated on: Fri, 09 June 2006 08:02]
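
A server-side check for the behaviour reported in the post above, as an added example that is not part of the thread and is not FUDforum's code: it compares an upload's leading bytes with the image type its extension claims and builds response headers that keep a browser from rendering an attachment inline. The function names, the accepted-type list and the sample uploads are assumptions made for this illustration.

```php
<?php
// Added example, not FUDforum code. All names here are hypothetical.

// Leading bytes that identify each image type the forum would accept.
const IMAGE_SIGNATURES = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
];

// True only when the file's first bytes match the type its extension claims.
// Unknown extensions have no signature list and are rejected.
function attachment_matches_extension(string $filename, string $head): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    foreach (IMAGE_SIGNATURES[$ext] ?? [] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

// Headers for serving any attachment as a download, so the browser neither
// sniffs the content type nor renders the file in the forum's origin.
function attachment_download_headers(string $filename): array
{
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample uploads: [name, first bytes of the content].
$samples = [
    ['test.jpg',  '<html><script>/* constructed */</script></html>'],
    ['photo.jpg', "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"],
    ['anim.gif',  "GIF89a\x01\x00\x01\x00"],
];
foreach ($samples as [$name, $head]) {
    $ok = attachment_matches_extension($name, $head);
    printf("%-10s %s\n", $name, $ok ? 'accept' : 'reject');
}
print_r(attachment_download_headers('test.jpg'));
```

The signature check alone does not stop a file that begins with valid image bytes and carries HTML further in, which is why the download headers are applied to every attachment regardless of the check's result.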
