rejetto forum

Security problem when uploading to secured directory

Rootarded

  • Guest
Hello.

When upload is allowed to a real folder and the folder itself is password protected, it is possible to bypass the authentication by creating your own HTML form and submitting the files. I've tested and confirmed this problem with version 2.1d (088).


rejetto

  • Administrator
  • Tireless poster
    • Posts: 13523
Ideally, the system would be ok.
Scenario: I may allow upload for anyone, so I can let them put files with a special form, then I can access myself (and only me) that folder, to see the uploaded files. It may, in this sense, be considered a feature.

Realistically, most people wouldn't expect such behaviour (usability flaw), thus it could result in a security issue.
I will change the behaviour from next build, and "access" rights will be checked on an upload, not only "upload" rights.
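The rule rejetto announces in his reply (an upload must be authorized against the folder's "access" right as well as its "upload" right) can be modelled in a few lines. The following is an added example written for this thread; it is not HFS code. The folder names, the `admin` account, the two-ACL layout and the `handle_upload` request simulation are all constructed for the example, and the "before" policy is only a model of the behaviour Rootarded reports, not the server's actual source.

```python
"""Model of the upload authorization rule discussed in the thread.

Added example, not HFS code. A real folder carries two separate ACLs: who may
access (browse/download) it and who may upload into it. The reported problem
is that the server consulted only the upload ACL when handling a POST, so a
client submitting its own form reached a password-protected folder. The fix
rejetto describes is to require both rights.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Folder:
    """A filesystem-backed folder with two ACLs.

    An empty ACL means the right is granted to anyone, including anonymous
    clients (represented by user=None).
    """
    name: str
    access: set[str] = field(default_factory=set)   # may browse / download
    upload: set[str] = field(default_factory=set)   # may upload into it
    files: list[str] = field(default_factory=list)  # in-memory "disk"


# Constructed layout: "upload for anyone, browse only for admin" is exactly
# the configuration the thread discusses; "public" is unrestricted.
PRIVATE = Folder("private", access={"admin"}, upload=set())
PUBLIC = Folder("public")

Policy = Callable[[Folder, Optional[str]], bool]


def has_right(acl: set[str], user: Optional[str]) -> bool:
    """Empty ACL grants everyone; otherwise the user must be listed."""
    return not acl or (user is not None and user in acl)


def upload_allowed_before_fix(folder: Folder, user: Optional[str]) -> bool:
    """Behaviour reported in the thread (as modelled here): only the upload
    ACL is consulted, so an anonymous POST bypasses the folder password."""
    return has_right(folder.upload, user)


def upload_allowed_after_fix(folder: Folder, user: Optional[str]) -> bool:
    """Behaviour rejetto announces for the next build: access is required
    in addition to upload."""
    return has_right(folder.access, user) and has_right(folder.upload, user)


def handle_upload(folder: Folder, user: Optional[str], filename: str,
                  policy: Policy) -> int:
    """Simulate the server's answer to a multipart POST targeting `folder`.

    Returns an HTTP status code: 401 when the policy denies the request,
    200 when the file is stored. Nothing is written unless authorized.
    """
    if not policy(folder, user):
        return 401
    folder.files.append(filename)
    return 200


def summarize(policy: Policy) -> dict[str, int]:
    """Run the same three requests under a policy, on fresh folder copies so
    repeated calls do not accumulate files. Keys read as 'client->folder'."""
    private = Folder(PRIVATE.name, set(PRIVATE.access), set(PRIVATE.upload))
    public = Folder(PUBLIC.name, set(PUBLIC.access), set(PUBLIC.upload))
    return {
        "anon->private": handle_upload(private, None, "drop.bin", policy),
        "admin->private": handle_upload(private, "admin", "drop.bin", policy),
        "anon->public": handle_upload(public, None, "drop.bin", policy),
    }


if __name__ == "__main__":
    print("before fix:", summarize(upload_allowed_before_fix))
    print("after fix: ", summarize(upload_allowed_after_fix))
```

Under the corrected policy the anonymous POST to the protected folder is refused, while the admin's upload and the upload to the unrestricted folder still succeed. The trade-off rejetto accepts is visible in the same output: a folder configured as "anyone may upload, only I may browse" no longer takes anonymous uploads once access is checked, so that drop-box pattern needs an explicit design rather than relying on the missing check.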