Fixed Asset upload does allow unprivileged admins to upload arbitrary images and overwrite style images

Affected version
2.2 Beta 1

Kirby

Well-known member
Steps to reproduce
  1. Create a style and upload a logo
  2. Create an admin with the only permission to view statistics
  3. Log in with the admin account created in step 2
  4. Navigate to admin.php?stats/
  5. Open up browser developer tools
  6. Using the developer tools, modify the form to have action="/admin.php?assets/upload" enctype="multipart/form-data"
  7. Again using the developer tools, add <input type="file" name="upload"><input type="hidden" name="type" value="logo"> to the form
  8. Click the select file button and select an image with the same name as the logo uploaded in step 1 but with different content
  9. Click on the Show button
Expected Result
The attempted upload does fail with some error message

Actual Result
The logo does get overwritten

XF Bug Bot

XenForo bug fixer bot
Staff member
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.0 Beta 2).

Change log:
Ensure admins have permission for the type of asset they're trying to upload
There may be a delay before changes are rolled out to the XenForo Community.
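The root cause in the report above is an upload endpoint that accepted any admin session and never tied the asset `type` to a specific admin permission, which is what the change log entry corrects. The following PHP is an added illustration of that kind of check and is not XenForo's own code: the class name, the permission identifiers (`viewStatistics`, `style`, `user`) and the type-to-permission map are assumptions for this example. It shows the weak check beside the corrected one, with unknown asset types denied by default.

```php
<?php
// Added example, not XenForo's code: a per-asset-type permission check for
// an admin asset upload handler. Names and permission identifiers are assumed.

declare(strict_types=1);

final class AssetUploadAuthorizer
{
    /**
     * Assumed mapping from uploadable asset type to the admin permission that
     * governs it. Style images (logo, favicon) belong to the style permission,
     * so an admin limited to statistics holds nothing that matches.
     */
    private const REQUIRED_PERMISSION = [
        'logo'    => 'style',
        'favicon' => 'style',
        'avatar'  => 'user',
    ];

    /** @param string[] $adminPermissions permissions held by the current admin session */
    public function __construct(private array $adminPermissions)
    {
    }

    /**
     * Weak check of the kind the report describes: the request is accepted as
     * long as the caller is some admin, regardless of the asset type requested.
     */
    public function canUploadWeak(string $type): bool
    {
        return count($this->adminPermissions) > 0;
    }

    /**
     * Corrected check: the type must be one the handler knows about, and the
     * admin must hold the permission mapped to that type. An unknown type is
     * rejected rather than allowed through by default.
     */
    public function canUpload(string $type): bool
    {
        $required = self::REQUIRED_PERMISSION[$type] ?? null;
        if ($required === null) {
            return false;
        }
        return in_array($required, $this->adminPermissions, true);
    }
}

// Constructed scenario mirroring the report: an admin whose only permission is
// viewing statistics submits a file with type=logo.
$statsOnlyAdmin = new AssetUploadAuthorizer(['viewStatistics']);
var_dump($statsOnlyAdmin->canUploadWeak('logo')); // weak check: judged by admin status alone
var_dump($statsOnlyAdmin->canUpload('logo'));     // corrected check: judged by the style permission

// An admin who actually holds the style permission, for comparison.
$styleAdmin = new AssetUploadAuthorizer(['style']);
var_dump($styleAdmin->canUpload('logo'));
var_dump($styleAdmin->canUpload('plugin'));        // type not in the map
```

The point of the map is that authorization is decided by the requested `type` value, not by the fact that the caller reached the admin control panel; since the `type` field is client-supplied, the server-side lookup is the only thing standing between a minimally privileged admin and the style images.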