Attachment security issue..

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Scam Warning
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
JStrese
Registered User
Posts: 6
Joined: Sun May 10, 2009 9:01 am

Attachment security issue..

Post by JStrese » Sun May 10, 2009 9:05 am

Hey there,

A user recently pointed out a potential security issue with our 3.0.4 installation. It appears as if anyone, registered or not, can view any attachment just by replacing the attachment ID with a random ID, and getting lucky. Now that doesn't bother me really, but what does bother me is that every attachment is susceptible to this. Including attachments on hidden/staff boards. Mind you, I looked at the download file and it appears that the only way to circumvent this is to add a forum password -- but why should we have to do this, if we set forum permissions?

This is an issue and needs to be looked into :(

-Jason
Last edited by Paul on Sun May 10, 2009 9:23 am, edited 1 time in total.
Reason: Topic icon changed

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 25485
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier
Contact:

Re: Attachment security issue..

Post by Paul » Sun May 10, 2009 9:09 am

As you see in this code block there is a auth check done:

Code: Select all

	if (!$attachment['in_message'])
	{
		//
		$sql = 'SELECT p.forum_id, f.forum_password, f.parent_id
			FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . ' f
			WHERE p.post_id = ' . $attachment['post_msg_id'] . '
				AND p.forum_id = f.forum_id';
		$result = $db->sql_query_limit($sql, 1);
		$row = $db->sql_fetchrow($result);
		$db->sql_freeresult($result);

		// Global announcement?
		$f_download = (!$row) ? $auth->acl_getf_global('f_download') : $auth->acl_get('f_download', $row['forum_id']);

		if ($auth->acl_get('u_download') && $f_download)
		{
			if ($row && $row['forum_password'])
			{
				// Do something else ... ?
				login_forum_box($row);
			}
		}
		else
		{
			trigger_error('SORRY_AUTH_VIEW_ATTACH');
		}
	}
	else
	{
		$row['forum_id'] = false;
		if (!$auth->acl_get('u_pm_download'))
		{
			header('HTTP/1.0 403 Forbidden');
			trigger_error('SORRY_AUTH_VIEW_ATTACH');
		}
So if you have set up the permissions correctly, its impossible what you said :)
Knock knock
Race condition
Who's there?

My BlogMy Photosmy phpBB Extensionscustom phpBB work & Development

User avatar
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK
Contact:

Re: Attachment security issue..

Post by karlsemple » Sun May 10, 2009 9:10 am

You have obviously got the forum permissions wrong on your board, if you dont have the permissions to access or view attachments in a forum you should see the message
You are not authorised to download this attachment.
Double check your forum permissions :)
Image

JStrese
Registered User
Posts: 6
Joined: Sun May 10, 2009 9:01 am

Re: Attachment security issue..

Post by JStrese » Sun May 10, 2009 9:11 am

I'll look into our permissions, thanks for alerting me of that..

I never remember seeing a permission for this though :P

User avatar
karlsemple
Former Team Member
Posts: 39802
Joined: Mon Nov 01, 2004 8:54 am
Location: Hereford, UK
Contact:

Re: Attachment security issue..

Post by karlsemple » Sun May 10, 2009 9:13 am

Admin control panel -> permissions tab -> forum based permissions -> forum permissions

Select the forum to set permissions for and then select the groups or users to set permissions for.

Then on the right of each row for each forum you are setting permissions for you can click the "advanced permissions" link to see what permissions you are setting :)
Image

JStrese
Registered User
Posts: 6
Joined: Sun May 10, 2009 9:01 am

Re: Attachment security issue..

Post by JStrese » Sun May 10, 2009 9:21 am

Thank you guys so much, I've fixed the issue now :D

You may close this thread if you want, but thank you guys :)

Ciao121
Registered User
Posts: 239
Joined: Wed Jan 28, 2004 1:08 pm

Re: Attachment security issue..

Post by Ciao121 » Mon Mar 28, 2016 9:19 am

I'm writing in this old topic because I'm wrking on an old phpbb install and I encountered a similar problem.
Logged in users (having acl_get('u_pm_download') set to true) can view attachment in private messages (also in those not sent to them) by using a random file ID.
ie:
http://www.mysite.com/download/file.php?id=20266
file is in a private message sent form user 123 to user 124
I can view file if logged as another user.

Des anybody know if this is solved in newer phpbb version (I triend to browse the code but I cannot find if it's solved or not).

Thank you!
Apri il tuo forum gratuito in 1 minuto.

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 50916
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Attachment security issue..

Post by stevemaury » Mon Mar 28, 2016 11:45 am

This was not an issue 8 years ago, and is not one now. If permissions are proper, this is impossible, as the code Paul cites indicates.
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

User avatar
RMcGirr83
Recognised Extension Developer
Posts: 21034
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr
Contact:

Re: Attachment security issue..

Post by RMcGirr83 » Mon Mar 28, 2016 12:58 pm

stevemaury wrote:This was not an issue 8 years ago, and is not one now. If permissions are proper, this is impossible, as the code Paul cites indicates.
Steve, he is talking about PMs. The auth check for that is this if (!$auth->acl_get('u_pm_download')) I don't believe the system checks to ensure that the user who is viewing the attachment is the same user that was sent the attachment in a PM.
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

User avatar
AmigoJack
Registered User
Posts: 5656
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Attachment security issue..

Post by AmigoJack » Mon Mar 28, 2016 1:20 pm

As per /docs/CHANGELOG.html this was fixed in 3.0.RC8 already, which means you're dealing with 3.0.0 or a similar old release.

3.0.14 checks against this:

Code: Select all

        // Check if the attachment is within the users scope...
        $sql = 'SELECT user_id, author_id
            FROM ' . PRIVMSGS_TO_TABLE . '
            WHERE msg_id = ' . $attachment['post_msg_id'];
        $result = $db->sql_query($sql);

        $allowed = false;
        while ($user_row = $db->sql_fetchrow($result))
        {
            if ($user->data['user_id'] == $user_row['user_id'] || $user->data['user_id'] == $user_row['author_id'])
            {
                $allowed = true;
                break;
            }
        }
        $db->sql_freeresult($result);

        if (!$allowed)
        {
            send_status_line(403, 'Forbidden');
            trigger_error('ERROR_NO_ATTACHMENT');
        } 
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Ciao121
Registered User
Posts: 239
Joined: Wed Jan 28, 2004 1:08 pm

Re: Attachment security issue..

Post by Ciao121 » Mon Mar 28, 2016 8:57 pm

AmigoJack wrote:As per /docs/CHANGELOG.html this was fixed in 3.0.RC8 already, which means you're dealing with 3.0.0 or a similar old release.
Yes you are right! I'm dealing with a very old phpbb setup. Now I have found the right changelog entry!

Thank for your assistance!
Apri il tuo forum gratuito in 1 minuto.

Locked

Return to “[3.0.x] Support Forum”