MyBB Community Forums

This patch will make mybb chmod the attachment folders for each month to 0750. This will make it so the attachment files cannot be viewed through the browser, which is useful for sites that make their users pay to download attachments (such as subscription plugin sites and such). Normally you could just goto something like http://mysite.com/mybb/uploads/201210/ and view all of the attachments (they do get renamed to something random, but you can still open with winzip, or whatever program would normally open the file). This patch will now add a fallback and add an index.html to the directory so you cannot see the list of files even if for some reason you can view the directory.

In inc/functions_upload.php

Find:

if(!@is_dir($mybb->settings['uploadspath']."/".$month_dir))
{
$month_dir = '';
}

Add after:

else
			{
				@chmod($mybb->settings['uploadspath']."/".$month_dir, 0750);
				$fh = @fopen($mybb->settings['uploadspath']."/".$month_dir."/index.html", "a+");
				fclose($fh);
			}

NOTE: if you use the patches plugin you can download an xml file that will let you automatically apply the patch after updates to mybb in the attachments for this thread.

That won't help most people. (In most setups, when PHP has permissions to store files, the webserver will also have permission to read them).

What MyBB should be doing is create an empty index.html in the folders it creates.

What you should be doing is disable your webserver's generating of directory indexes for dirs that don't have an index.html. (Options -Indexes or whatever in .htaccess, as it's done by MyBB's htaccess.txt example).

Automatically generated indexes can compromise your sites security, especially your admin/backups folder, if the index.html in there goes missing for any reason, anyone can download your database backups. The only protection is the random filenames...

Really? It's always worked fine on every server i've ever used. Guess it won't be hard to make this change to the patch