Fixed Asset upload does allow unprivileged admins to upload arbitrary images and overwrite style images

K

Kirby

Well-known member
Affected version
2.2 Beta 1
Steps to reproduce
  1. Create a style and upload a logo
  2. Create an admin with the only permission to view statistics
  3. Login with the admin account created in step 2
  4. Navigate to admin.php?stats/
  5. Open up browser developer tools
  6. Using the developer tools, modify the form to have action="/admin.php?assets/upload" enctype="multipart/form-data"
  7. Again using the developer tools, add <input type="file" name="upload"><input type="hidden" name="type" value="logo"> to the form
  8. Click the select file button and select an image with the same name as the logo uploaded in step 1 buth with different content
  9. Click on button Show
Expected Result
The attempted upload does fail with some error message

Actual Result
The logo does get overwritten
 
Last edited:
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.0 Beta 2).

Change log:
Ensure admins have permission for the type of asset they're trying to upload
Click to expand...
There may be a delay before changes are rolled out to the XenForo Community.
 

Similar threads

K
Not a bug Asset upload does not accept SVG
Replies
2
Views
665
Kirby
K
P
  • Suggestion Suggestion
Lack of interest Style property to set a default asset location per style (and generic asset upload function)
Replies
0
Views
739
Paul B
P
W
  • Question Question
XF 2.0 I want to upload images and access them
Replies
6
Views
2K
Brad Padgett
Brad Padgett
Back
Top Bottom