Can not open attached file directly with I.E. without saving

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
Jan Christensen
Registered User
Posts: 140
Joined: Sun May 16, 2004 10:42 am
Location: Denmark

Re: Can not open attached file directly with I.E. without sa

Post by Jan Christensen » Fri Jun 04, 2010 9:47 pm

Well if this really was a secure issue in phpBB3 how come no answered this yet? It should be a walk in the park to answer this then? Surely I dont want to risk compromising any security settings, so could you please let me know if I do so (or dont) by using the precious codechange suggestion?. :)
Jan Christensen • Danish language package author • Olympus DK Team

Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Can not open attached file directly with I.E. without sa

Post by Pit$Bull » Fri Jun 04, 2010 11:38 pm

This is the best answer you are going to get. I quote the phpBB3 developer.
Kellanved wrote:A stated in the code, it's a necessary security precaution - the way internet explorer handles files would create a XSS issue otherwise. As such, it is an IE issue - partially solved in ie8, hopefully solved in ie9.

Jan Christensen
Registered User
Posts: 140
Joined: Sun May 16, 2004 10:42 am
Location: Denmark

Re: Can not open attached file directly with I.E. without sa

Post by Jan Christensen » Sat Jun 05, 2010 12:55 am

The best answer?

Its the very statement my question is about - I ask how this is a security issue, and you tell me the same statement is the best answer Im gonna get, you must be joking?

Seriously you do not expect me or others to blindly trust anything we read without asking questions and debate stuff?

I would say that the question about how this can be a security risk is very important, so maybe we can have a dialog about this and some serious support maybe?
Jan Christensen • Danish language package author • Olympus DK Team

Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Can not open attached file directly with I.E. without sa

Post by Pit$Bull » Sat Jun 05, 2010 1:06 am

I'm serious as death. This is phpBB3 support forum not a discussion forum.
You were given an answer by a phpBB3 developer and if your unable to accept this then contact him.
If you would like to discuss the issue than take it to the phpBB discussion forum. http://www.phpbb.com/community/viewforum.php?f=64

Thank you.

stokerpiller
Registered User
Posts: 1934
Joined: Wed Feb 28, 2007 8:06 pm

Re: Can not open attached file directly with I.E. without sa

Post by stokerpiller » Sat Jun 05, 2010 3:49 am

I actually have the exact same problem using Ubuntu/10.04 (lucid) Firefox/3.6.3
I am done with phpBB

User avatar
Sajaki
Registered User
Posts: 1354
Joined: Mon Mar 02, 2009 1:41 pm
Name: Andreas
Contact:

Re: Can not open attached file directly with I.E. without sa

Post by Sajaki » Sat Jun 05, 2010 3:14 pm

Jan Christensen wrote:I would say that the question about how this can be a security risk is very important, so maybe we can have a dialog about this and some serious support maybe?
It is a security risk because IE does "mime sniffing", that means reading the first 256 bytes of the file, to find out what kind of file it is handling if a file's extension differs from the signature (=first few bytes of the file) or the content type in the HTTP header field.
So if there is malicious javascript or html in the file, IE will execute that code.
Disabling the security feature introduced in phpBB exposes your site to potential code injection.

Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: Can not open attached file directly with I.E. without sa

Post by Desdenova » Sat Jun 05, 2010 5:46 pm

stokerpiller wrote:So doing what earlier suggested would cause a security issue?
Yes.
http://blog.phpbb.com/2008/10/25/attach ... -explorer/

Jan Christensen wrote:@Kellanved:

I try to figure this one out, sorry if I have misunderstood you, english is not my native language. :)

In the file download/file.php it says the following:

Code: Select all

// Send out the Headers. Do not set Content-Disposition to inline please, it is a security measure for users using the Internet Explorer.
	$is_ie8 = false; //(strpos(strtolower($user->browser), 'msie 8.0') !== false);
	header('Content-Type: ' . $attachment['mimetype']);

*Note: The above code is after implementing the suggested code change*
As I understand the explanation in the code, the security issue concerns the Content-Type, but the suggested code change by Stef775 does not have anything to do with the Content-Type, as I understand it?

Maybe I did not understand this properly and missed something important?
The variable $is_ie8 causes additional headers to be sent which instructs Internet Explorer 8 to not attempt to open/execute the file being opened, see this blog post: http://blog.phpbb.com/2008/10/25/attach ... -explorer/
Sajaki wrote:
Jan Christensen wrote:I would say that the question about how this can be a security risk is very important, so maybe we can have a dialog about this and some serious support maybe?
It is a security risk because IE does "mime sniffing", that means reading the first 256 bytes of the file, to find out what kind of file it is handling if a file's extension differs from the signature (=first few bytes of the file) or the content type in the HTTP header field.
So if there is malicious javascript or html in the file, IE will execute that code.
Disabling the security feature introduced in phpBB exposes your site to potential code injection.
That is exactly it.
Jan Christensen wrote:The best answer?

Its the very statement my question is about - I ask how this is a security issue, and you tell me the same statement is the best answer Im gonna get, you must be joking?

Seriously you do not expect me or others to blindly trust anything we read without asking questions and debate stuff?

I would say that the question about how this can be a security risk is very important, so maybe we can have a dialog about this and some serious support maybe?
Disabling the check that is there will allow a hacker to upload a file that exploits IE8's poorly thought-out design with downloading files and may allow them to infect IE users with viruses, trojans, and other nasty things. It is NOT a trivial change to disable this.

Jan Christensen
Registered User
Posts: 140
Joined: Sun May 16, 2004 10:42 am
Location: Denmark

Re: Can not open attached file directly with I.E. without sa

Post by Jan Christensen » Fri Jun 11, 2010 3:21 am

Thank you so much, finally a good explanation I can use, much apreciated! :D

So if the changed code, (changed as suggested), is used on a board that is closed to the public, and where only trusted users can upload files, it will not be a security issue after all, is that correct?
Jan Christensen • Danish language package author • Olympus DK Team

Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: Can not open attached file directly with I.E. without sa

Post by Desdenova » Fri Jun 11, 2010 3:29 am

Jan Christensen wrote:Thank you so much, finally a good explanation I can use, much apreciated! :D

So if the changed code, (changed as suggested), is used on a board that is closed to the public, and where only trusted users can upload files, it will not be a security issue after all, is that correct?
No, it would be a security issue still. The vulnerability would remain there, waiting to be abused. If you remove it, you'd better be on top of every user on that board, their interactions, and be ready to remove the ability to upload files at the drop of the hat; otherwise you'll be caught asleep at the switch if someone has a bad day and decides they want to abuse your site to infect another user.

Then there's also the possibility of a user being infected with a virus and unwaringly uploading an infected file which exploits the above on other users, too.


In the end, you are best off reversing that change and living with a few extra steps to open a file. Laziness is not an excuse when you are compromising the personal and financial security your users.

User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Can not open attached file directly with I.E. without sa

Post by Phil » Fri Jun 11, 2010 3:31 am

That is assuming that all other security features hold steadfast as well -- if a user unknowingly uploads a malicious file or a user from the general "public" joins and decides to wreak havoc there will, of course, be problems (along with numerous other potential instances). Under no circumstances will we recommend or justify the removal of security features, but it ultimately comes down to "it is your forum, you may do as you wish;" be aware, however, that in the event your board is compromised, we will not aid you in rectifying the situation.
Moving on, with the wind. | My Corner of the Web

Jan Christensen
Registered User
Posts: 140
Joined: Sun May 16, 2004 10:42 am
Location: Denmark

Re: Can not open attached file directly with I.E. without sa

Post by Jan Christensen » Sat Jun 12, 2010 12:50 am

Thanks again, I learn a lot reading your answers. :)
In the end, you are best off reversing that change and living with a few extra steps to open a file. Laziness is not an excuse when you are compromising the personal and financial security your users.
Oh, if it was laziness this topic was about it would be easy enough just to set it as is and not change anything, but Im afraid it is not that simple.

The problem is, that the forum this issue is about, is bound to be able to open the uploaded files directly, because the files uploaded are all in notebook format. (i.e.: filename.notebook)

This format is used with SMART Notebook, and other SMART Board features - it is products used in educational institutions as schools and universities (For further information about these, look here). Without being able to open the uploaded files at once using the Notebook software, the files can not be opened properly.

So because of this, it is a great dilemma that I am trying to figure out how to solve, but without compromising security issues in any dangerous ways, or at best - not to compromise it at all.

Offcause I am also in contact with the supporters of these SMART products, but so far I have not been able to find a secure solution to this matter.
Jan Christensen • Danish language package author • Olympus DK Team

User avatar
lurttinen
Translator
Posts: 4670
Joined: Tue Sep 21, 2004 12:05 pm
Location: Tampere, Finland
Name: Martti Lokka
Contact:

Re: Can not open attached file directly with I.E. without sa

Post by lurttinen » Sun Jun 13, 2010 5:48 pm

You would need to change the code, but one way might be to create an exception for filename.notebook
ie, if the file is .notebook, don't send headers or send something else which allows the file to processed as you want.

In this case, the security feature for the rest of the files is still there, but only one file type gets through.
This is not an ideal case either, but would it be possible for you and your staff to review all uploaded .notebooks before they are made public?
Or can you check the file what it claims to be during upload?

Something like that might still let your users open the files directly and you could be sure about the security.
Signature is here

stokerpiller
Registered User
Posts: 1934
Joined: Wed Feb 28, 2007 8:06 pm

Re: Can not open attached file directly with I.E. without sa

Post by stokerpiller » Sun Jun 13, 2010 6:26 pm

Hand on the heart.
This is not more dangerous than external linking, is it?
Or if we used an external upload service?
I am done with phpBB

User avatar
Marshalrusty
Project Manager
Project Manager
Posts: 29251
Joined: Mon Nov 22, 2004 10:45 pm
Location: New York City
Name: Yuriy Rusko
Contact:

Re: Can not open attached file directly with I.E. without sa

Post by Marshalrusty » Sun Jun 13, 2010 9:05 pm

stokerpiller wrote:Hand on the heart.
This is not more dangerous than external linking, is it?
Or if we used an external upload service?
In that case, the image would be on another domain and your browser would restrict is as such. Uploads through phpBB are on the same domain as the board.
Have comments/praise/complaints/suggestions? Please feel free to PM me.

Need private help? Hire me for all your phpBB and web development needs

Post Reply

Return to “phpBB Discussion”