
Security Question Regarding Anonymous Attachment Downloading

Started by aegersz, October 03, 2018, 10:23:28 PM


aegersz

I am still seeing vast amounts of data being downloaded from my site, and I still can't account for it.

I noticed that when I linked to an attachment from outside the forum, the image path had DL and the attachment number (unless I am mistaken).

What security does SMF provide to prevent unauthorised downloading of any or all attachments?

I just turned off the ability of guests to view attachments, but does that mean all this time anybody could link to any attachment, starting from the first to the last, by looping around and incrementing the attachment number?

Could you please explain how attachment security works?
The configuration of my Linux VPS (SMF 2.0 with 160+ mods & some assorted manual tweaks) can be found here and notes on my mods can be found here (warning: those links will take you to a drug related forum). My (House) music DJ dedication page is here

shawnb61

Short version:  your normal authentication.

Those dl links are just another hit on your site.  You are authenticated.  If you are logged on, & you have a valid cookie, it's used.  If not, you are a guest.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp



Aleksi "Lex" Kilpinen

Quote from: aegersz on October 03, 2018, 10:23:28 PM
What security does SMF provide to prevent unauthorised downloading of any or all attachments?

I just turned off the ability of guests to view attachments, but does that mean all this time anybody could link to any attachment, starting from the first to the last, by looping around and incrementing the attachment number?

Could you please explain how attachment security works?
Permissions. The attachments are not directly accessible, unless you use the download link under the post it was attached to, and that link will check if you have permission to view the attachment.

If you allow guests to view attachments, then you allow everyone and anyone to download them.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


Arantor

It may also be avatars depending on your configuration, they're also served via the attachments system by default in 2.0, only without a permissions check. (SMF checks if the file is an avatar or not before deciding if it needs a permissions check.)

If in doubt, try to access an attachment link in another browser and see what happens.
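
The "open the link in another browser" check above can be scripted. The following is an added example, not SMF's own code and not posted by anyone in this thread: it walks a range of attachment IDs as a guest (no session cookie) and reports which ones come back as a file. It assumes the SMF 2.0 download URL form index.php?action=dlattach;topic=<topic>.0;attach=<id>, and it relies on a heuristic that is an assumption rather than documented SMF behaviour: a refused request comes back as an HTML page (SMF's error page), while a permitted one streams the file with the attachment's own Content-Type. The `fetcher` parameter is only there so the classification logic can be exercised offline. Run it only against a forum you administer.

```python
"""Probe an SMF 2.0 forum as a guest to see which attachment IDs it serves.

Added example, not SMF's own code. Assumes SMF 2.0's download URL form
index.php?action=dlattach;topic=<topic>.0;attach=<id> and classifies
responses by Content-Type (a heuristic, not documented SMF behaviour).
"""
import urllib.error
import urllib.request

HTML_TYPES = {"text/html", "application/xhtml+xml"}


def dlattach_url(base_url, attach_id, topic_id):
    """Build the download URL SMF 2.0 uses for one attachment ID.

    topic_id is the topic the attachment belongs to, as in the link SMF
    shows under the post.
    """
    return (f"{base_url.rstrip('/')}/index.php"
            f"?action=dlattach;topic={topic_id}.0;attach={attach_id}")


def classify(status, content_type):
    """Classify one dlattach response fetched without a session cookie.

    "served"  - a non-HTML body came back: the file was handed out
    "html"    - SMF answered with a page (its permission error page or
                anything else that is not the attachment itself)
    "blocked" - the web server itself refused (401/403/404)
    """
    if status in (401, 403, 404):
        return "blocked"
    ctype = (content_type or "").split(";", 1)[0].strip().lower()
    if not ctype or ctype in HTML_TYPES:
        return "html"
    return "served"


def fetch(url, timeout=10):
    """GET url with no cookies and return (status, content_type).

    Reads only the first 4 KiB so a permitted download does not pull the
    whole file; the headers are all the classification needs.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "dlattach-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read(4096)
            return resp.status, resp.headers.get("Content-Type")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type")


def probe(base_url, topic_id, first_id, last_id, fetcher=fetch):
    """Walk attachment IDs first_id..last_id as a guest; return {id: verdict}.

    `fetcher` is injectable so the logic can be checked offline with a
    constructed set of responses.
    """
    results = {}
    for attach_id in range(first_id, last_id + 1):
        status, ctype = fetcher(dlattach_url(base_url, attach_id, topic_id))
        results[attach_id] = classify(status, ctype)
    return results


if __name__ == "__main__":
    import sys

    base, topic, lo, hi = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4])
    verdicts = probe(base, topic, lo, hi)
    served = [i for i, v in verdicts.items() if v == "served"]
    for attach_id, verdict in verdicts.items():
        print(f"attach={attach_id}: {verdict}")
    print(f"{len(served)} of {len(verdicts)} attachment IDs served to a guest")
```

Usage: `python3 dlattach_audit.py https://forum.example 12 1 50` walks attachments 1 to 50 of topic 12. Any "served" verdict for an attachment in a board guests cannot see means the permission check Lex and Arantor describe is not being applied on that install, which is exactly the symptom a mod rewriting the check would produce. Avatars served through the same action will legitimately show up as "served", as Arantor notes.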

aegersz

Yes, I cannot access the attachments now that I have denied that permission to guests.

But I was certainly able to prior.

I am hosting some bare-bones HTML pages to non-members so they can download music, but when I added basic <img> support, I was horrified that I could see the image attachments from boards that are not visible to forum guests.

This is no longer happening, but I added basic apache2 security to those directories under my web root also.

Arantor

I'd double check your permissions, because one of the checks it does is checking board access...

Maybe a mod has changed it.

aegersz

Mods may change Permissions?

I hadn't even considered that.

I am marking this as resolved and look forward to a significant decrease in 'attachment' theft. I suspect that bots and spiders have been indexing images, documents and music, all of which I don't want!

Thanks for the help.
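
The unexplained transfer volume and the suspicion of bots walking attachment IDs can be confirmed from the web server's own access log rather than guessed at. The following is an added example, not SMF's code and not posted by anyone in this thread: it parses Apache combined-format log lines, collects every `action=dlattach` hit per client address, and flags clients whose attachment IDs form long consecutive runs (the "increment the attachment number" pattern from the first post) or that pull many attachments with no forum page as referer. The log lines in `SAMPLE_LOG` are constructed for this example (addresses are from the documentation ranges); the thresholds are assumptions to tune for your own traffic.

```python
"""Find clients that bulk-download or enumerate SMF attachments.

Added example, not SMF's own code. Parses Apache "combined" access log
lines and reports per-client dlattach activity. SAMPLE_LOG is constructed
for this example; the thresholds in flag_enumerators() are assumptions.
"""
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# SMF 2.0 download URL: index.php?action=dlattach;topic=<t>.0;attach=<id>
ATTACH_RE = re.compile(r"action=dlattach.*?[;&]attach=(\d+)")

# Constructed sample: one crawler walking IDs 101..105 with no referer, one
# logged-in-looking browser fetching a single attachment from a topic page.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Oct/2018:21:02:11 +0000] "GET /index.php?action=dlattach;topic=12.0;attach=101 HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
203.0.113.7 - - [03/Oct/2018:21:02:12 +0000] "GET /index.php?action=dlattach;topic=12.0;attach=102 HTTP/1.1" 200 51902 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
203.0.113.7 - - [03/Oct/2018:21:02:13 +0000] "GET /index.php?action=dlattach;topic=12.0;attach=103 HTTP/1.1" 200 39801 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
203.0.113.7 - - [03/Oct/2018:21:02:14 +0000] "GET /index.php?action=dlattach;topic=12.0;attach=104 HTTP/1.1" 200 61230 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
203.0.113.7 - - [03/Oct/2018:21:02:15 +0000] "GET /index.php?action=dlattach;topic=12.0;attach=105 HTTP/1.1" 200 44512 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
198.51.100.23 - - [03/Oct/2018:21:05:40 +0000] "GET /index.php?topic=12.0 HTTP/1.1" 200 18211 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"
198.51.100.23 - - [03/Oct/2018:21:05:52 +0000] "GET /index.php?action=dlattach;topic=12.0;attach=104 HTTP/1.1" 200 61230 "https://forum.example/index.php?topic=12.0" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0"
"""


def parse_line(line):
    """Return a dict for one dlattach log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    a = ATTACH_RE.search(m.group("path"))
    if not a:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "attach_id": int(a.group(1)),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
        "referer": m.group("referer"),
        "agent": m.group("agent"),
    }


def longest_run(ids):
    """Length of the longest strictly consecutive ascending run in ids."""
    best = run = 0
    prev = None
    for i in ids:
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def summarize(lines):
    """Aggregate successful (HTTP 200) dlattach hits per client IP."""
    per_ip = defaultdict(lambda: {"downloads": 0, "bytes": 0, "ids": [],
                                  "no_referer": 0, "agents": set()})
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit["status"] != 200:
            continue
        s = per_ip[hit["ip"]]
        s["downloads"] += 1
        s["bytes"] += hit["bytes"]
        s["ids"].append(hit["attach_id"])
        s["no_referer"] += hit["referer"] in ("", "-")
        s["agents"].add(hit["agent"])
    return per_ip


def flag_enumerators(lines, min_downloads=5, min_run=4):
    """Return [(ip, summary)] for clients that look like attachment scrapers.

    A client is flagged when its IDs contain a consecutive run of at least
    min_run (ID enumeration) or when it fetched at least min_downloads
    attachments without ever arriving from a forum page (direct hotlinking
    or crawling). Thresholds are assumptions; tune them to your traffic.
    """
    flagged = []
    for ip, s in summarize(lines).items():
        run = longest_run(s["ids"])
        sequential = run >= min_run
        bulk_direct = s["downloads"] >= min_downloads and s["no_referer"] == s["downloads"]
        if sequential or bulk_direct:
            s["longest_run"] = run
            flagged.append((ip, s))
    return flagged


if __name__ == "__main__":
    import sys

    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, s in flag_enumerators(lines):
        print(f"{ip}: {s['downloads']} attachments, {s['bytes']} bytes, "
              f"longest consecutive run {s['longest_run']}, agents {sorted(s['agents'])}")
```

Usage: `python3 dlattach_log.py /var/log/apache2/access.log` prints one line per flagged client; with no argument it runs over the constructed sample and reports 203.0.113.7. Because the report keys on the attachment ID rather than the URL, it also covers requests that add or reorder the other URL parameters, and the byte totals per client are the missing accounting for the transfer volume the first post describes.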

Arantor

Mods can change anything, seeing how they can literally find and replace anything. It's entirely possible a mod broke the standard security check.
