TheFactor82 wrote: 06 Dec 2017, 10:41 Ehy, it was not my intention to be rude, I'm just trying to understand.
I will PM you with the edits; I will not post it here because it's not for the extension to use.
- Founder
- Posts: 6464
- Joined: 13 Jan 2014, 21:45
Re: File Upload
- Users
- Posts: 112
- Joined: 25 Aug 2016, 12:50
Re: File Upload
Consider this: what if two (or more) users try to upload an image with the same filename? Which does the system keep or rename?
Having said that, if they were not generated filenames, uploaded images would continue overwriting themselves, such as the infamous 'screenshot.png' filename.
Don't mean to jump in or be rude.. just defending good coding!
World of Phaos RPG online is making it's come back! Play free now!
Check out phpBB contributions & extension downloads.
- Admin
- Posts: 5105
- Joined: 06 Apr 2014, 16:12
Re: File Upload
Let's say I've got an image and it's got a nasty gift inside and it's called screenshot-02, and I upload that. All I have to do is run yoursitename/ext/dmzx/imageupload/files/screenshot-02.png and bingo, your site is mine.
Now if it was auto renamed (given an encrypted name) once it hits the server, I know the path but not the name. So in one way keeping real names is a bad idea (I can see why you want it, I just don't understand the logic).


- Users
- Posts: 15
- Joined: 17 Nov 2017, 14:42
Re: File Upload
I understand the explanations regarding good coding, and the issues related to file overwrites...
But I don't understand the security issue in what Martin says:
OK, let's say Martin has an image/file with a nasty gift for my domain. He uploads it with the extension (modified by Dmzx). This is the result:

So, if Martin wants, all he has to do is run phpbb3/ext/dmzx/fileupload/files/nasty.zip (as shown in the screenshot... the extension gives you the URL) and bingo, my site is yours!
But if I leave everything as it currently is, when Martin uploads his nasty file with the ORIGINAL extension, this is the result:

So, if Martin wants, all he has to do is run phpbb3/ext/dmzx/fileupload/files/75420c916e7302603baee.zip (as shown in the screenshot... the extension gives you the URL) and bingo, my site is yours!
So... Where is the difference? Where is the enhanced security?
PS for DMZX: your PM works perfectly. The ACP control panel seems not to be working (not deleting files in the directory), but that's really NOT a problem for me! Thanks a lot for your help!
- Users
- Posts: 112
- Joined: 25 Aug 2016, 12:50
Re: File Upload
Now I'm interested more. Good points by all of you. Renaming uploaded files is just a precautionary step for upload security. Renaming is NOT encrypting or securing. There is much more than that needed for it to actually be secure, such as checking MIME types, which doesn't provide a secure upload all on its own either. Having said that, there should be several checks in place for allowing uploads.
phpBB software actually hides the actual URL for security, not just changes the file name. I do not see this extension do that yet; how hard would that be? I think I could help on this. I mean, if y'all want help, the code already exists elsewhere! No one should blink at imageupload security if that were to be added, mates. :)
Found in download/file.php around line#300
```php
// The attachment is served through the download script, addressed only by its
// attach_id; the real (user-facing) filename is passed separately for display.
wrap_img_in_html(append_sid($phpbb_root_path . 'download/file.' . $phpEx, 'id=' . $attachment['attach_id']), $attachment['real_filename']);
```
Line 315
```php
// Only here is the browser sent to the stored file, and it uses the physical
// (server-side) filename, which is different from the name the uploader chose.
redirect($phpbb_root_path . $config['upload_path'] . '/' . $attachment['physical_filename']);
```
For example, my avatar URL here is: download/file.php?avatar=2200_1482487561.png
.. And most of us here know that's NOT where it's actually stored! Or what it was named. This makes life harder for attackers, and is the very point of security.
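The pattern Martin's and the post above describe, as an added example that is not code from the File Upload extension or from phpBB: an extension allowlist, a content check of the bytes rather than the client's claimed type, a generated physical name so uploads neither collide nor are guessable, and a serving script that exposes only a row id. The store directory and the per-file DB row (id, physical_filename, real_filename, mimetype) are assumptions.

```php
<?php
// Added example, not code from the File Upload extension or phpBB. Assumes a store
// directory that the web server does not serve and a DB row per file holding
// id, physical_filename, real_filename and mimetype (hypothetical schema).
const ALLOWED = [ // extension => MIME types the file's *content* must match
    'png' => ['image/png'], 'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'gif' => ['image/gif'], 'zip' => ['application/zip'],
];

// Validate one $_FILES entry and move it into $store_dir under a generated name.
// Returns [physical_filename, real_filename]; throws when the upload is rejected.
function store_upload(array $file, string $store_dir): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Keep only the basename: the client-supplied name is never used as a path.
    $real = basename((string) $file['name']);
    $ext  = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {               // allowlist, so .php etc. never pass
        throw new RuntimeException('extension not allowed');
    }
    // Inspect the bytes; $file['type'] is chosen by the client and cannot be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }
    // Generated name: no collisions between users, nothing the uploader can predict.
    $physical = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $store_dir . '/' . $physical)) {
        throw new RuntimeException('could not store file');
    }
    return [$physical, $real];
}

// Serving side (the role download/file.php?id=N plays in phpBB): the URL carries only
// the row id; the stored path stays private and the real name goes out as a header.
function send_stored(array $row, string $store_dir): void
{
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['real_filename']);
    header('Content-Type: ' . $row['mimetype']);
    header('X-Content-Type-Options: nosniff');   // browser must not sniff a different type
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    readfile($store_dir . '/' . basename($row['physical_filename']));
}
```

The caller looks the row up by the id in the request, checks the viewer's permission, and then passes the row to send_stored(); with the store directory outside the served tree, the nasty.zip and 75420c916e7302603baee.zip URLs from the earlier post both stop resolving.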
- Donator
- Posts: 30
- Joined: 19 Oct 2017, 05:10
Re: File Upload
So are we saying that these extensions are a huge security hole? Should I not be using these?
- Users
- Posts: 118
- Joined: 06 Feb 2016, 19:22
Re: File Upload
This is safe as long as you don't allow any extension like php, etc. It can be used for php injection.
Sir dm, can you give me the edits too, so that the filename is not encrypted or renamed? Thanks.
Compilation of Android Roms, Recoverys, Apps, Games and Tricks
Visit my blog http://androidcribs.com
- Users
- Posts: 112
- Joined: 25 Aug 2016, 12:50
Re: File Upload
nou nou wrote: 03 Jan 2018, 02:15 So are we saying that these extensions are a huge security hole? Should I not be using these?
No one said that. You are summing up all extensions here in what you said. We are discussing File Upload. As a webmaster, you must understand that nothing is 100% secure (do you watch the media at all?), and any time you accept files to be uploaded to your server (just like clicking email attachments), you alone are opening the door for attackers. We are merely discussing how to add more to secure uploading within this extension.
@ DM, isn't using the phpbb wrap_img_in_html() function a resolution (or an edited version of it)?
- Users
- Posts: 193
- Joined: 20 Jun 2015, 17:58
Re: File Upload
dmzx wrote: 27 Feb 2017, 22:26 The $allowed_extensions is not in the file upload code yet.
Will be in next release.
Hey DM, got any plans for the next release of this ext?
- Users
- Posts: 9
- Joined: 13 Dec 2015, 16:09
Re: File Upload
Hi everyone!!
Great ext, dmzx!!
I would like to suggest including some way to avoid multiple uploads by a specific user or group...
I had a stupid user who was uploading his personal files to my host... until I was persuaded of it.
Maybe you could limit the maximum number of uploads per day, or by a certain capacity per user.
And the second issue is that I would like to use this ext too in the quick reply.
Is there any way to do that?
Thanks in advance!!
- Users
- Posts: 918
- Joined: 02 Feb 2018, 12:04
Re: File Upload
Which is the file in which I can change the MB?
Feed like a disease
And bring them to their knees
They'll pay for their deceit
- Admin
- Posts: 5105
- Joined: 06 Apr 2014, 16:12
Re: File Upload
What does it say in this image?

After giving yourself a face slap, what does it say in my image?