A general question on phpbb security

Alastair.Leith
Registered User
Posts: 36
Joined: Wed Aug 24, 2011 1:31 pm

A general question on phpbb security

Post by Alastair.Leith »

I have set one up as a kind of business where my product (training vids) is embedded into the threads.

I have also set it up so that only authorised users get to view it.
Is there a danger that someone could view source, see where the files are contained on the server and take the lot?
Is phpBB secure enough for this kind of work?

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Re: A general question on phpbb security

Post by Arty »

If you post them as attachments, then they'll be secure.

If you post them as links, then no. phpBB has no control over link targets.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: A general question on phpbb security

Post by Pony99CA »

They're only secure as attachments if somebody has the Can download files user permission or forum permission set to No, I believe. Otherwise they can access files using the following:

http://svpocketpc.com/forumtest/download/file.php?id=[whatever]
and just iterate through the IDs.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith

Re: A general question on phpbb security

Post by ToonArmy »

Pony99CA wrote: They're only secure as attachments if somebody has the Can download files user permission or forum permission set to No, I believe. Otherwise they can access files using the following:

http://svpocketpc.com/forumtest/download/file.php?id=[whatever]
and just iterate through the IDs.

If they're attached to a topic you have to have permission to view attachments in that forum to be able to get the attachments. As an example try: http://www.phpbb.com/community/download ... ?id=139023
Chris Smith | GitHub

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: A general question on phpbb security

Post by Pony99CA »

ToonArmy wrote:
Pony99CA wrote: They're only secure as attachments if somebody has the Can download files user permission or forum permission set to No, I believe. Otherwise they can access files using the following:

http://svpocketpc.com/forumtest/download/file.php?id=[whatever]
and just iterate through the IDs.

If they're attached to a topic you have to have permission to view attachments in that forum to be able to get the attachments. As an example try: http://www.phpbb.com/community/download ... ?id=139023

I already tried something similar on my test board, so I'm confused. Was something in my post incorrect? If at least one of the permissions is not set to No for Guests, guests will be able to download some or all of the files. (Setting the Group permission to No seems to prevent any downloading even if the Group Forum permission is set to Yes; setting the Group Forum permission to No seems to prevent downloading files in that forum even if the Group permission is set to Yes.)

Or, in other words, if both of the permissions are set to Yes for a group (or other groups the user is in), that user will be able to download files as I specified (unless a Never permission is specified, of course).

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

Alastair.Leith
Registered User
Posts: 36
Joined: Wed Aug 24, 2011 1:31 pm

Re: A general question on phpbb security

Post by Alastair.Leith »

The material I refer to is embedded Flash?

Though to be honest my hosting service does offer the option to password protect some files.

P.S.
The problem I have with attaching files is they are well over 2 MB in size?

Brf
Support Team Member
Posts: 51980
Joined: Tue May 10, 2005 7:47 pm

Re: A general question on phpbb security

Post by Brf »

Alastair.Leith wrote: The material I refer to is embedded Flash?

The Flash from your earlier topic was linked to a SWF in a folder on your website. There is nothing to prevent a user from doing view-source and finding out the name of the folder.
If you do not allow folder-browsing on your website, users would need to know the name of the file to browse to it. None of this is controlled by phpBB though. Non-users could always browse directly to your SWF files, if they know their names.

For instance, I can browse directly to the Comets.swf mentioned in your other topic, but I cannot browse to its folder.

ToonArmy
Former Team Member
Posts: 4608
Joined: Sat Mar 06, 2004 5:29 pm
Location: Worcestershire, UK
Name: Chris Smith

Re: A general question on phpbb security

Post by ToonArmy »

Pony99CA wrote: I already tried something similar on my test board, so I'm confused. Was something in my post incorrect? If at least one of the permissions is not set to No for Guests, guests will be able to download some or all of the files. (Setting the Group permission to No seems to prevent any downloading even if the Group Forum permission is set to Yes; setting the Group Forum permission to No seems to prevent downloading files in that forum even if the Group permission is set to Yes.)

Or, in other words, if both of the permissions are set to Yes for a group (or other groups the user is in), that user will be able to download files as I specified (unless a Never permission is specified, of course).

f_download and u_download are independent with respect to the permission system, but you require both of them to be allowed to download an attachment in a topic.
Chris Smith | GitHub
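
Added example (not part of the thread and not phpBB's own code): a simplified Python model of the behaviour the posts above describe, where a download needs both u_download and f_download to resolve to Yes and a Never overrides any Yes. It shows which attachment IDs a request loop over file.php?id=N would actually return for each group membership; the group names, forum IDs, attachment IDs and function names are constructed for illustration.

```python
# Added illustration: a simplified model of the rules discussed in the
# thread, not phpBB source code. All names and data are hypothetical.
from enum import Enum

class Perm(Enum):
    NO = 0      # unset: does not grant, but a Yes from another group can
    YES = 1
    NEVER = 2   # overrides any Yes the user gets from another group

def resolve(settings):
    """Combine one permission's settings across all of a user's groups."""
    if Perm.NEVER in settings:
        return False
    return Perm.YES in settings

def can_download(user_groups, forum_id, u_download, f_download):
    """Both the user-level and the forum-level permission must be Yes."""
    u_ok = resolve([u_download.get(g, Perm.NO) for g in user_groups])
    f_ok = resolve([f_download.get((g, forum_id), Perm.NO)
                    for g in user_groups])
    return u_ok and f_ok

def reachable_ids(user_groups, attachments, u_download, f_download):
    """Attachment IDs that requesting every ID in turn would hand over."""
    return sorted(att_id for att_id, forum_id in attachments.items()
                  if can_download(user_groups, forum_id,
                                  u_download, f_download))

# Constructed sample board: forum 1 is public, forum 2 holds the paid videos.
ATTACHMENTS = {101: 1, 102: 2, 103: 2}          # attachment id -> forum id
U_DOWNLOAD = {"guests": Perm.YES, "customers": Perm.YES,
              "banned": Perm.NEVER}
F_DOWNLOAD = {("guests", 1): Perm.YES, ("guests", 2): Perm.NO,
              ("customers", 1): Perm.YES, ("customers", 2): Perm.YES}

if __name__ == "__main__":
    for groups in (["guests"], ["customers"], ["customers", "banned"]):
        print(groups,
              reachable_ids(groups, ATTACHMENTS, U_DOWNLOAD, F_DOWNLOAD))
```

The model covers attachments only; files embedded from a folder on the web server never pass through this check.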
