attachment_hash can allow circumvention of permissions/quotas

Affected version
2.2.3

pegasus

Well-known member
I've noticed that when a post is submitted with an attachment_hash present, no validation is performed to check that the hash was generated for the same content-editor, or worse yet, even the same user account.

In the worst case, although highly unlikely, this can allow a user to "steal" attachments that were uploaded by another user and associate them with their post first (either they know the hash or they guessed the hash).

An easier example: a user with access to multiple accounts can use this to circumvent quotas on one account, if the quota has not been reached on the other account. The quota can effectively be transferred simply by copying the appropriate attachment_hash into the other account's editor HTML and submitting.

Within a single account, this can be exploited to circumvent constraints. For example, let's say a user is only allowed to attach 10 files to a single post (setting "Maximum attachments per message"), and they already have 10 files on the post. The user can start attaching the files to a new post, but copy and paste that attachment_hash into the HTML of the other post's editor. When they save the existing post, the attachments from the new post will be associated with it without complaint. In doing so, it is possible to upload an unlimited number of additional files to a single post and break the constraints. I understand that fixing this one can be trickier, due to drafts.
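The missing server-side check described in the report above, as an added example that is not part of the original post and not XenForo's code. All function names, the secret, and the token format are hypothetical; it binds an upload token to the account and editor context, then re-counts the per-message limit at save time.

```php
<?php
// Added example: hypothetical names throughout; not XenForo code.
const SERVER_SECRET = 'constructed-demo-secret'; // assumption: a per-install secret key
const MAX_PER_MESSAGE = 10;                      // mirrors "Maximum attachments per message"

// Issue an upload token bound to the account and the editor context it was created for.
function issueAttachmentToken(int $userId, string $contentType, int $contentId): string
{
    $nonce = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', "$userId|$contentType|$contentId|$nonce", SERVER_SECRET);
    return "$nonce.$mac";
}

// Recompute the MAC from the session's user and the content being saved,
// never from values carried in the submitted form.
function tokenMatchesContext(string $token, int $userId, string $contentType, int $contentId): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false; // malformed token
    }
    [$nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userId|$contentType|$contentId|$nonce", SERVER_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Decide whether pending uploads under $token may be associated with the content.
function canAssociate(string $token, int $userId, string $contentType, int $contentId,
                      int $alreadyAttached, int $pendingUnderToken): bool
{
    if (!tokenMatchesContext($token, $userId, $contentType, $contentId)) {
        return false; // token was issued to another account or another editor
    }
    // Enforce the limit at save time: existing attachments plus pending ones.
    return $alreadyAttached + $pendingUnderToken <= MAX_PER_MESSAGE;
}

// Constructed scenario: user 7 has post 100 with 10 files and opens a new-post editor (id 0).
$newPostToken = issueAttachmentToken(7, 'post', 0);
$editToken    = issueAttachmentToken(7, 'post', 100);
var_dump(canAssociate($newPostToken, 7, 'post', 100, 10, 3)); // token pasted into another editor
var_dump(canAssociate($newPostToken, 8, 'post', 0, 0, 3));    // token pasted into another account
var_dump(canAssociate($editToken, 7, 'post', 100, 10, 1));    // correct context, limit exceeded
var_dump(canAssociate($newPostToken, 7, 'post', 0, 0, 3));    // legitimate new post
```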
 