MyBB Community Forums

Full Version: Better Attachment Security
Hello there, guys. I want to suggest adding a better, harder-to-find location for attachments. I mean, the folder where the attachments are uploaded must have better security, because I know people can access the MyBB attachment folder, but I won't mention names or where I got that information; if the staff want to know, just PM me, or I think they already know.
Attachments are stored like: post__1182786936.attach

1182786936 is the timestamp of the time that the attachment was uploaded. You'd need to know the timestamp, to the exact second, to access the attachment directly.

Could you elaborate on what you're trying to say?
I mean, some MyBB plugin developers have premium plugins, and some people download them as guests. And they access them directly, download them, and the plugins get nulled.
This was discussed before.

They didn't download as a guest. They subscribed, downloaded and leaked.

No PoC, no vulnerability.

// MyBB's attachment permission check: the download is refused unless the viewer may view
// the forum, view its threads and download attachments (thumbnails skip the last check).
if($forumpermissions['canview'] == 0 || $forumpermissions['canviewthreads'] == 0 || ($forumpermissions['candlattachments'] == 0 && !$mybb->input['thumbnail']))
{
	error_no_permission();
}
It's possible to download them if your server is misconfigured (Options +Indexes), because MyBB creates subfolders for attachments without also creating an index.html in them. So if your webserver is configured to automatically generate a directory index, that's that.

Other folders (like admin/backups) have an index.html in them to prevent that eventuality, but again, if your webserver is misconfigured (Options +Indexes and DirectoryIndex not including index.html), anyone can download your database backups.

Same thing goes if the webserver makes suggestions for supposedly mistyped filenames. If the webserver reveals the names of your files, you're dead.

It's not a security issue of MyBB, in that MyBB has no choice but to put these files in the html folder, and it's your webserver that has to prevent users from downloading them without knowing their name.

Of course it's also possible that there's a bug in MyBB somewhere that enables people to access attachments. But so far no one has brought up any proof in that regard. If that was really possible the affected site owners should be able to tell from their webserver logs and/or if that's insufficient, they should be able to add additional logging mechanisms to their board.
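The two gaps the post above names (attachment subfolders created without an index.html, and a webserver that still has directory indexes enabled) can be closed from the shell. The script below is an added example, not code shipped by MyBB or posted by the author: it drops an empty index.html into every subfolder that lacks one, writes an .htaccess that turns indexes off for the subtree, and offers a check you can re-run after each upload batch. The upload path and the sample folder layout are assumptions; pass your board's real uploads directory.

```shell
#!/bin/sh
# Added example (not MyBB's own code). Hardens an attachment upload directory
# on an Apache-style server against directory listing:
#   1. ensure_index_files: placeholder index.html in every subfolder
#   2. write_no_index_htaccess: Options -Indexes for the whole subtree
#   3. has_unprotected_dir: re-check that no folder was left uncovered
# Assumed layout: <uploads>/<yyyymm>/post_<uid>_<timestamp>.attach

# Create an empty index.html in every directory under $1 that lacks one and
# print how many were created. (Paths with whitespace are not handled; MyBB
# names these folders itself and uses none.)
ensure_index_files() {
    created=0
    for d in $(find "$1" -type d); do
        if [ ! -e "$d/index.html" ]; then
            : > "$d/index.html"
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Disable directory indexes for the subtree rooted at $1. Apache only honours
# this when the vhost allows it (AllowOverride Options or AllowOverride All);
# on a server that ignores .htaccess, put the same line in the vhost config.
write_no_index_htaccess() {
    printf 'Options -Indexes\n' > "$1/.htaccess"
}

# Return 0 (true) if any directory under $1 still lacks an index.html.
has_unprotected_dir() {
    for d in $(find "$1" -type d); do
        [ -e "$d/index.html" ] || return 0
    done
    return 1
}

# Stand-alone demonstration on a constructed throwaway tree, not real uploads.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/202401" "$t/202402"
    : > "$t/202402/index.html"          # one folder is already covered
    n=$(ensure_index_files "$t")        # covers "$t" and "$t/202401"
    write_no_index_htaccess "$t"
    echo "created $n placeholder file(s); .htaccess written to $t"
    rm -rf "$t"
}
```

Run it as `sh harden-uploads.sh` after pointing `demo` (or a cron job) at the real uploads directory. Note that `Options -Indexes` only stops listings; it does not stop a direct request for a file whose name is already known, which is exactly why the random-looking timestamp in the filename is the last line of defence.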
<embarrassing image>
See that. That's the post in the forum.

Edited.
Are you implying you believe everything you read on the internet? That's what they want people to think.

Without any PoC, no one could do anything anyway.
Okay then, I think I'm thinking a lot now.