[Typo3] Securing attachments in chc_forum

Steve Webster steviewebsite at msn.com
Wed Apr 6 01:21:16 CEST 2005


Hi Y'all,

I have a question.  I'm using chc_forum and have some forums that are only accessible to a subset of web-site/forum users.  Within this secure Forum I allow forum users to upload attachments.

My question is this.  When you attach a file to a forum posting the attachment is uploaded to ./uploads/tx_chcforum/.  Therefore, based on the type and name of the upload, it is possible for someone to guess the filename and request the attachment directly even though they would not normally have access to the private forum.

Is there any way around this?  I'm guessing this would be an enhancement request to the existing chc_forum implementation (Zach?).  A true solution would be to store these attachments outside of the web document root and then provide a PHP call that could retrieve them providing you pass proper credentials.  Another, probably easier, way to implement a less secure solution would be to name the uploaded attachments using some sort of hashing algorithm that would make it suitably hard to guess the name of attachments (although determined hackers could still attempt brute force attacks).

Cheers,

Webbo

PS - Zach - I managed to resolve my issue from a few days ago with quoted text not being displayed correctly - thanks again.
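
Added example, not part of the original post and not chc_forum or TYPO3 code: a sketch of the first option described above, with attachments stored outside the document root under random names and released only through a PHP function that checks access first. The directory path, the function names and the $mayRead callback (the forum's own permission check) are assumptions.

```php
<?php
// Added example; every name here is hypothetical, not a chc_forum or TYPO3 API.
const ATTACH_DIR = '/var/www/private/forum_attachments'; // assumed path outside the document root

/** Store an upload under an unguessable name; returns the name to save with the post. */
function store_attachment(string $tmpPath): string
{
    $stored = bin2hex(random_bytes(16)); // 128-bit random name, no user-supplied parts
    if (!move_uploaded_file($tmpPath, ATTACH_DIR . '/' . $stored)) {
        throw new RuntimeException('upload could not be stored');
    }
    return $stored;
}

/** Map a stored name to a path inside ATTACH_DIR, or null if malformed or missing. */
function resolve_attachment(string $stored): ?string
{
    if (!preg_match('/^[0-9a-f]{32}$/D', $stored)) { // rejects "../" and any other unexpected input
        return null;
    }
    $base = realpath(ATTACH_DIR);
    $path = realpath(ATTACH_DIR . '/' . $stored);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null; // resolved outside the attachment directory (e.g. via a symlink)
    }
    return is_file($path) ? $path : null;
}

/**
 * Send the file only when the access check passes.
 * $mayRead receives the stored name and must return true only if the logged-in
 * user may read the forum that the attachment belongs to.
 */
function serve_attachment(string $stored, callable $mayRead, string $downloadName): void
{
    $path = resolve_attachment($stored);
    if ($path === null || !$mayRead($stored)) {
        http_response_code(404); // same answer for "missing" and "forbidden"
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The random stored name on its own corresponds to the second, weaker option in the post; the access check in serve_attachment is what keeps a leaked or guessed name from being enough.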

