FUDforum: Bug Reports » Security Leak on Uploads?

Home » FUDforum Development » Bug Reports » Security Leak on Uploads?

Show: Today's Messages :: Polls :: Message Navigator

Security Leak on Uploads? [message #32115]

Fri, 09 June 2006 11:57

Ryo2023

Messages: 8
Registered: May 2006

Karma:

Junior Member

It might be too obvious, and too easy.
But it seems to be an Issue.

I tested my Forum and was quite shocked.

When i edit any HTML-File (including Scripting) then rename like test.jpg and upload it as an attachment in the Message-Editor, the Message will be accepted and posted to the forum.

Now if i use IE and click on that link, which shows "test.jpg" the File will be opened and executed !
I tried this with a normal user account.

Now i think it might be a good idea to stop an file being executed. Even plain HTML might be a phishing risk.

I configured all Forums to zero - upload limit.

[Updated on: Fri, 09 June 2006 12:02]

Report message to a moderator

[Message index]

		Security Leak on Uploads? By: Ryo2023 on Fri, 09 June 2006 11:57
		Re: Security Leak on Uploads? By: Ryo2023 on Fri, 09 June 2006 13:48
		Re: Security Leak on Uploads? By: Ilia on Fri, 09 June 2006 14:37
		Re: Security Leak on Uploads? By: cooler on Thu, 15 June 2006 19:44

Previous Topic:	custom avatar upload works, but for some users the link is missing a / so no image is shown
Next Topic:	No User CP tab - V2.7.5

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Nov 22 09:32:23 GMT 2024

Total time taken to generate the page: 0.04526 seconds