
Inline attachments problem with .htaccess

Started by fractalbit, March 20, 2019, 06:06:24 PM


fractalbit

Hello, we have the following problem on our site (SMF 2.0.15):
There are many posts which have img tags with the direct URL of the attachment, like this: [img]http://mydomain.com/forum/attachments/image.jpg[/img]
The images in these posts do not show up. Trying to access the image directly, we get a 403 Forbidden error.
The images also do not load if I enable the image proxy.
Searching the matter, I noticed that there is an .htaccess file in the attachments folder which includes the following code:

<Files *>
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Files>


If I remove the above code from .htaccess, the images load correctly, both directly and with the image proxy enabled.
So my questions:
1. Is it safe to remove the above code? Does it only prevent hotlinking, or are there other serious safety reasons to keep it in place? (If it helps your evaluation, we have blocked the addition of new attachments from the admin section, so no new attachments can be written to the folder.)
2. If it is not advised to remove the above code, what choices do we have, since we have a lot of posts with many images directly linked with the absolute URL?

Arantor

There are other serious safety concerns with this.

1. If someone knows the path to the file, they can directly access it bypassing any attachment protections.

2. Potentially this would enable someone to upload a dangerous file to your server that could be accessed.

I'm more intrigued how you get files in the attachments folder that don't have the encrypted filenames... how old is the forum?

fractalbit

The forum is very, very old and was upgraded to SMF 2.0.15 about a year ago (probably when the problem occurred). I saw that the .htaccess file was added in v1.0.17, and we were for many, many years without a newer version (since the site was heavily modified).

Since the new attachment option is disabled in the admin, though, doesn't that mean that this is like any other folder with images and files in it?

fractalbit

Is there a way to allow direct access only for images? (ex. jpg, png, gif). Would that be safer?

Arantor

If you don't ever enable attachments again, and never upgrade beyond 2.0.x, you're probably safe. But I'm fairly certain 2.1 will break your attachments and workflow permanently.

How many instances (roughly) are we talking about here?

fractalbit

Well, I cannot be certain about the number of posts with the problem, but there are thousands of attachments in the attachments folder :D
There are also many files without an extension and with weird names in this folder. Could those be encrypted attachments from the upgrade we made?

For now I left the code intact and added this below:

<Files ~ "\.(jpg|jpeg|png|gif)$">
    Order Deny,Allow
    Allow from all
</Files>


Seems ok?

Arantor

The many files without extension are any attachments added after SMF made that protection mandatory instead of optional (back in 2009, I might add).

That looks OK - but note that I still think if you try to upgrade beyond 2.0.x you will run into problems.
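An added example, not from this thread or from SMF: a small Python audit that applies the same extension allowlist as the `<Files ~ "\.(jpg|jpeg|png|gif)$">` rule to a folder and flags any file that the rule would serve but whose leading bytes are not those of the image type its extension claims. The sample folder and its contents are constructed inline; the magic-byte table and directory layout are assumptions, not SMF's.

```python
import os
import re
import tempfile

# Mirrors the <Files ~ "\.(jpg|jpeg|png|gif)$"> allow rule. Apache's regex
# match is case-sensitive, so "logo.PNG" is not matched and stays denied.
ALLOWED = re.compile(r"\.(jpg|jpeg|png|gif)$")

# Leading bytes ("magic numbers") each format must start with (assumed table).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def exposed_files(directory):
    """Names in `directory` that the allow rule would make publicly readable."""
    return sorted(n for n in os.listdir(directory) if ALLOWED.search(n))


def mismatched_files(directory):
    """Exposed files whose content does not begin with the magic bytes of the
    type their extension claims; these deserve a manual look before serving."""
    suspicious = []
    for name in exposed_files(directory):
        ext = ALLOWED.search(name).group(1)
        with open(os.path.join(directory, name), "rb") as fh:
            head = fh.read(8)
        if not head.startswith(MAGIC[ext]):
            suspicious.append(name)
    return suspicious


def demo_directory():
    """Constructed sample attachments folder (not real forum data)."""
    path = tempfile.mkdtemp(prefix="attachments_")
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 12,   # genuine JPEG header: served
        "anim.gif": b"GIF89a" + b"\0" * 12,              # genuine GIF header: served
        "logo.PNG": b"\x89PNG\r\n\x1a\n" + b"\0" * 12,   # real PNG, upper-case ext: denied
        "notes.html": b"<html></html>",                  # not matched by the rule: denied
        "fake.jpg": b"<html>not an image</html>",        # served as image, content disagrees
        "3f9a2c1b_hash": b"\xff\xd8\xff",                # encrypted-name attachment, no ext: denied
    }
    for name, data in samples.items():
        with open(os.path.join(path, name), "wb") as fh:
            fh.write(data)
    return path


if __name__ == "__main__":
    d = demo_directory()
    print("exposed:", exposed_files(d))        # ['anim.gif', 'fake.jpg', 'photo.jpg']
    print("mismatched:", mismatched_files(d))  # ['fake.jpg']
```

Run it against the real attachments folder by passing that path to the two functions instead of `demo_directory()`.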

fractalbit

Thanks for all the help :)

The site started its operation in 2002!

Can you elaborate more as to what problems?

Arantor

I'm not 100% sure exactly what 2.1 will do. There are changes in the bowels of 2.1 to make the attachments system more resilient but yours is an untested case as far as I know - it may simply rename a bunch of files to add .dat on the end, or it may convert all of them to have the encrypted filename + .dat on the end.

Whatever, I'm sure the migration to 2.1 will do *something* and whatever it does do, existing links will all break at that point.
