[TYPO3-english] Extension naw_securedl bug or intentional?

Stefan Isak stefan.isak at konplan.com
Wed Jun 24 16:41:50 CEST 2009


Hey,

Have a look at the URL parameters and what they stand for:

$u = frontend user id
$file = file path
$t = time stamp
$hash = md5( $u . $file . $t . $GLOBALS[...]['encryptionKey']);

When you access a file from the backend, the frontend user id is always 0.
Whenever $u is 0, the extension doesn't care about whether a frontend user is
logged in or not.

So you get access because you know the URL. This should not be a security
issue, since frontend users don't know the encryptionKey and are therefore not
able to create a valid URL.

So long.
Stefan Isak
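To make the scheme Stefan describes concrete, here is an added example (not the extension's code): it rebuilds hash = md5($u . $file . $t . encryptionKey), produces a link shaped like the one Henrik quoted, and checks incoming requests the way the thread describes, serving u=0 links without consulting the frontend login. The constant-time hash comparison and the expiry window on $t are assumptions added here, not behaviour the thread attributes to naw_securedl.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].
ENCRYPTION_KEY = "constructed-example-key-not-a-real-secret"


def secure_hash(u: int, file: str, t: int, key: str = ENCRYPTION_KEY) -> str:
    """md5($u . $file . $t . encryptionKey), the scheme as described in the thread."""
    return hashlib.md5(f"{u}{file}{t}{key}".encode()).hexdigest()


def build_link(u: int, file: str, t: int) -> str:
    """Produce a link in the shape of the one quoted in the thread."""
    params = {"eID": "tx_nawsecuredl", "u": u, "file": file, "t": t,
              "hash": secure_hash(u, file, t)}
    return "/index.php?" + urlencode(params)


def check_request(url: str, fe_user_id: Optional[int], now: int,
                  max_age: int = 3600) -> Tuple[bool, str]:
    """Decide whether a request may be served.

    Hash and u=0 handling follow the thread; the max_age expiry on $t and the
    constant-time compare are assumptions added in this example.
    """
    q = {k: v[0] for k, v in parse_qs(url.split("?", 1)[-1]).items()}
    try:
        u, t = int(q["u"]), int(q["t"])
        file, given = q["file"], q["hash"]
    except (KeyError, ValueError):
        return False, "malformed request"
    # Constant-time comparison so the check does not leak where the hash diverges.
    if not hmac.compare_digest(secure_hash(u, file, t), given):
        return False, "hash mismatch: file/u/t changed or key unknown"
    if now - t > max_age:
        return False, "link expired"
    if u == 0:
        # Backend-generated links carry u=0; the login state is not consulted,
        # which is exactly the behaviour Henrik observed.
        return True, "u=0: served without a frontend login check"
    if fe_user_id != u:
        return False, "frontend user does not match u"
    return True, "served to matching frontend user"
```

Tampering with any of u, file or t without the key yields a hash mismatch, which is why Stefan argues outsiders cannot mint a working u=0 link themselves.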



From: "Henrik Fosgerau" <hf at oerskov.dk>
To: <typo3-english at lists.netfielders.de>
Date: 24.06.2009 15:06
Subject: [TYPO3-english] Extension naw_securedl bug or intentional?



I'm using the extension "Secure downloads" - naw_securedl

It works as described - allowing access to files only for some FE-user groups.

But after testing access to files, I discovered that I can access protected
files without being logged in as a FE user.

In the backend interface I accessed the file from the fileadmin module list
of files.

The URL I got via backend is similar to the protected frontend URLs.

Example:

/index.php?eID=tx_nawsecuredl&u=0&file=fileadmin/Folder1/Folder2/filename.pdf&t=1543931241&hash=5cea3933c0ac248f5fba25360785a260

When I use this URL I can access the file from a browser without being
logged in as a FE user.

Does anybody know if this behavior is intentional or a bug?

Henrik Fosgerau

_______________________________________________
TYPO3-english mailing list
TYPO3-english at lists.netfielders.de
http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
