[TYPO3-english] Extension naw_securedl bug or intentional?

Bas bvbmedia at gmail.com
Sat Jun 27 16:15:43 CEST 2009


Hi Henrik,

I'm aware of this security issue.

I fixed it by using a mod_rewrite rule that checks if a specific cookie is set.

Once the FE user logs in, I set the specific cookie. That way it's more secure.

PS: Be careful to set your own cookie and not use the FE user cookie, because that one is always defined (also for users who are not logged in).

Regards,

Bas van Beek

----- Original message -----
From: Henrik Fosgerau <hf at oerskov.dk>
Sent: Wednesday, 24 June 2009 15:05
To: typo3-english at lists.netfielders.de
Subject: [TYPO3-english] Extension naw_securedl bug or intentional?

I'm using the extension "Secure downloads" - naw_securedl

It works as described - allowing access to files only for some FE-user
groups.

But after testing access to files, I discovered that I can access protected
files without being logged in as a FE user.

In the backend interface I accessed the file from the fileadmin module list
of files.

The URL I got via backend is similar to the protected frontend URLs.

Example:

/index.php?eID=tx_nawsecuredl&u=0&file=fileadmin/Folder1/Folder2/filename.pdf&t=1543931241&hash=5cea3933c0ac248f5fba25360785a260

When I use this URL I can access the file from a browser without being
logged in as a FE user.

Does anybody know if this behavior is intentional or a bug?

Henrik Fosgerau
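
Added example, not part of the original messages: a sketch of the kind of mod_rewrite rule the reply describes, written for an .htaccess file in the site's document root. The cookie name site_dl_login is hypothetical; the site's own login code is assumed to set it when an FE user logs in and to remove it on logout.

```apache
# Added example: gate the naw_securedl eID handler behind a custom login cookie.
# Assumption: "site_dl_login" is a cookie the site sets itself on FE login.
# It is deliberately NOT the FE user cookie, which is also present for
# visitors who are not logged in.
RewriteEngine On

# Condition 1: the request targets the secure-download handler,
# i.e. the query string contains eID=tx_nawsecuredl as a whole parameter.
RewriteCond %{QUERY_STRING} (^|&)eID=tx_nawsecuredl(&|$)

# Condition 2: the Cookie header has no non-empty site_dl_login cookie.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)site_dl_login=[^;]+

# Both conditions true: answer 403 Forbidden instead of serving the file.
# "^" matches any path, so /index.php?eID=... and /?eID=... are both covered.
RewriteRule ^ - [F]
```

Apache only tests that a cookie with this name is sent; it does not validate the value, so the rule adds to the checks naw_securedl performs on the link and does not replace them.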
