FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » Security Leak on Uploads?
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Security Leak on Uploads? [message #32115] Fri, 09 June 2006 11:57 Go to next message
Ryo2023 is currently offline  Ryo2023   Germany
Messages: 8
Registered: May 2006
Karma: 0
Junior Member
It might be too obvious, and too easy.
But it seems to be an Issue.

I tested my Forum and was quite shocked.

When i edit any HTML-File (including Scripting) then rename like test.jpg and upload it as an attachment in the Message-Editor, the Message will be accepted and posted to the forum.

Now if i use IE and click on that link, which shows "test.jpg" the File will be opened and executed !
I tried this with a normal user account.

Now i think it might be a good idea to stop an file being executed. Even plain HTML might be a phishing risk.

I configured all Forums to zero - upload limit.

[Updated on: Fri, 09 June 2006 12:02]

Report message to a moderator

Re: Security Leak on Uploads? [message #32118 is a reply to message #32115] Fri, 09 June 2006 13:48 Go to previous messageGo to next message
Ryo2023 is currently offline  Ryo2023   Germany
Messages: 8
Registered: May 2006
Karma: 0
Junior Member
I heard you has been informed by an other person and already leave him a response.

So... you should write something here about it, too.

We discussed that point in another Forum, and this User now trying to blame FUDforum on public.

I'm wondering that you did not first response to this message or leave me at last a personal note.

I'm now treat this Problem as critical.
Re: Security Leak on Uploads? [message #32120 is a reply to message #32118] Fri, 09 June 2006 14:37 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
This is a bug in Internet Explorer, that causes it to parse images with invalid mime type as HTML. A fix for this bug was already applied to CVS and will be a part of the next FUDforum release.

FUDforum Core Developer
Re: Security Leak on Uploads? [message #32233 is a reply to message #32115] Thu, 15 June 2006 19:44 Go to previous message
cooler is currently offline  cooler   Belgium
Messages: 3
Registered: June 2006
Karma: 0
Junior Member
look in this site youll find all your troubles in it just post it as a req then he will post you the answer that admin knows so much
really

site: http://forumer.6x.to
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: custom avatar upload works, but for some users the link is missing a / so no image is shown
Next Topic: No User CP tab - V2.7.5
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 10:31:22 GMT 2024

Total time taken to generate the page: 0.02751 seconds