rejetto forum

Software => HFS ~ HTTP File Server => Bug reports => Topic started by: Rootarded on May 11, 2007, 09:24:42 AM

Title: Security problem when uploading to secured directory
Post by: Rootarded on May 11, 2007, 09:24:42 AM
Hello.

When upload is allowed to a real folder and the folder itself is password protected, it is possible to bypass the authentication by creating your own HTML form and submitting the files. I've tested and confirmed this problem with version 2.1d (088).
Title: Re: Security problem when uploading to secured directory
Post by: rejetto on May 23, 2007, 12:32:10 PM
i've been away for long
will check it out asap
Title: Re: Security problem when uploading to secured directory
Post by: rejetto on May 26, 2007, 03:07:52 PM
ideally, the system would be ok.
Scenario: I may allow upload for anyone, so i can let them put files with a special form, then i can access myself (and only me) that folder, to see the uploaded files. It may, in this sense, be considered a feature.

Realistically, most people wouldn't expect such behaviour (usability flaw), thus it could result in a security issue.
I will change the behaviour from next build, and "access" rights will be checked on an upload, not only "upload" rights.
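
The difference between the two checks discussed in this thread, as an added example that is not part of the original posts and is not HFS source code. The folder model, the `ANYONE` marker, the ancestor walk and all function and folder names are assumptions made for illustration.

```python
# Added illustration: a simplified permission model, not HFS source code.
from dataclasses import dataclass, field
from typing import Optional

ANYONE = "*"  # constructed marker meaning "no login required"

@dataclass
class Folder:
    name: str
    access: set = field(default_factory=lambda: {ANYONE})  # who may open the folder
    upload: set = field(default_factory=set)               # who may upload into it
    parent: Optional["Folder"] = None

def _allowed(user, acl):
    # user is None for an unauthenticated request
    return ANYONE in acl or (user is not None and user in acl)

def can_access(user, folder):
    # Model assumption: access must hold on the folder and on every ancestor.
    node = folder
    while node is not None:
        if not _allowed(user, node.access):
            return False
        node = node.parent
    return True

def upload_allowed_old(user, folder):
    # Behaviour reported in the thread: only the "upload" right is consulted.
    return _allowed(user, folder.upload)

def upload_allowed_new(user, folder):
    # Behaviour announced for the next build: "access" and "upload" both checked.
    return can_access(user, folder) and _allowed(user, folder.upload)

def audit(folders, users):
    """Return (folder, user) pairs the old check accepts but the new one rejects."""
    return [(f.name, u) for f in folders for u in users
            if upload_allowed_old(u, f) and not upload_allowed_new(u, f)]

# Constructed sample tree: /inbox is password protected but open for upload.
root = Folder("/")
inbox = Folder("/inbox", access={"admin"}, upload={ANYONE}, parent=root)
public = Folder("/public", upload={ANYONE}, parent=root)
private = Folder("/private", access={"admin"}, upload={"admin"}, parent=root)

if __name__ == "__main__":
    for name, user in audit([root, inbox, public, private], [None, "guest", "admin"]):
        print(f"{name}: upload by {user!r} accepted without access rights")
```

Running `audit` over a configuration this way lists every folder where the two rights disagree, which is where the change in behaviour will be visible to users.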