Fixed Asset upload does allow unprivileged admins to upload arbitrary images and overwrite style images

Kirby
Affected version
2.2 Beta 1
Steps to reproduce
  1. Create a style and upload a logo
  2. Create an admin with the only permission to view statistics
  3. Login with the admin account created in step 2
  4. Navigate to admin.php?stats/
  5. Open up browser developer tools
  6. Using the developer tools, modify the form to have action="/admin.php?assets/upload" enctype="multipart/form-data"
  7. Again using the developer tools, add <input type="file" name="upload"><input type="hidden" name="type" value="logo"> to the form
  8. Click the select file button and select an image with the same name as the logo uploaded in step 1 but with different content
  9. Click on the Show button
Expected Result
The attempted upload does fail with some error message

Actual Result
The logo does get overwritten
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.0 Beta 2).

Change log:
Ensure admins have permission for the type of asset they're trying to upload
There may be a delay before changes are rolled out to the XenForo Community.
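The change log entry above describes the fix only in one line. As an added illustration (not XenForo's code, and the asset-type-to-permission table, the permission names and the admin records are all constructed for this example), the following models the per-type authorization check an upload handler needs so that an admin holding only a statistics permission cannot write a style asset:

```python
import os

# Constructed mapping: which admin permission governs each upload type.
# Not XenForo's real permission identifiers; deny-by-default for unknown types.
ASSET_TYPE_PERMISSIONS = {
    "logo": "style",
    "favicon": "style",
    "default_avatar": "user",
}

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


class UploadDenied(Exception):
    """Raised when the upload must be rejected before any file is written."""


def authorize_asset_upload(admin_permissions, asset_type, filename):
    """Return the sanitized target filename, or raise UploadDenied.

    Performs the checks a handler must do before touching the filesystem:
    1. the asset type must be known (no fall-through to a default directory),
    2. the admin must hold the permission tied to THAT asset type,
    3. the filename must be a bare image name (no path components).
    """
    required = ASSET_TYPE_PERMISSIONS.get(asset_type)
    if required is None:
        raise UploadDenied(f"unknown asset type {asset_type!r}")
    # This is the check the report shows was missing: the endpoint was
    # reachable by any admin, regardless of which permissions they held.
    if required not in set(admin_permissions):
        raise UploadDenied(f"permission {required!r} required for {asset_type!r}")
    safe_name = os.path.basename(filename)
    ext = safe_name.rsplit(".", 1)[-1].lower() if "." in safe_name else ""
    if safe_name != filename or ext not in ALLOWED_EXTENSIONS:
        raise UploadDenied(f"rejected filename {filename!r}")
    return safe_name


def try_upload(admin_permissions, asset_type, filename):
    """Convenience wrapper returning (allowed, detail) instead of raising."""
    try:
        return True, authorize_asset_upload(admin_permissions, asset_type, filename)
    except UploadDenied as exc:
        return False, str(exc)
```

A stats-only admin attempting `type=logo` is refused at check 2 before any file is written, while an admin with the `style` permission is allowed through the same path.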