As Designed Avatar URLs can be guessed

Discussion in 'Resolved Bug Reports' started by jwiechers, Aug 20, 2011.

  1. jwiechers

    jwiechers Member

    This is not a bug per se, but in case someone is running a forum with very privacy-conscious users which does not provide anything to the outside world but a login screen, this may be a problem.

    Avatars can be accessed, if one knows the proper URL format, by accessing http://<domain>/<forumrootdirectory>/data/avatars/l/0/<id>.jpg
     
  2. Jeremy P

    Jeremy P Well-Known Member

    Seems pretty tedious to fix really. If you're that concerned you can change the config flag and rename/move your data directory.

    PHP:
    $config['externalDataPath'] = '/path/root/whatever';
     
  3. jwiechers

    jwiechers Member

    Well, depends, you could use some form of salted hash, but I know that it's rather minor and not really a bug, but a consequence of the way things work (both vBulletin and IP.B are vulnerable to this, too).
    That's why I said that it's not a bug per se.

    I just thought I'd mention it, because a user on one of my projects (that is still in stealth testing, but will be deployed to a select audience) noticed during penetration testing of server and software. It may be seen as rather a drastic security issue if you have a board with, primarily, real life avatars.

    Your suggestion is one way to fix this, though. I'll look into whether people can deduce that path, somehow.
     
  4. Mike

    Mike XenForo Developer Staff Member

    I take the point, though we don't really consider avatars private. Really, this is the best approach for ease of use (from a general development perspective) and performance. You could go trawling through user IDs, though you wouldn't have info about the user to tie it with.

    The suggestion of moving the external data path is likely a reasonable workaround. (Once you have access to the board, you can get basic member info and find all the avatars like that.)
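
The "salted hash" idea raised in the thread, sketched as an added example (not XenForo code and not from any poster): the ID-based path next to a path derived from a keyed hash of the user ID. All function names, the secret, the bucket layout and the assumed 1000-users-per-directory grouping are hypothetical.

```php
<?php
// Added illustration; every name below is hypothetical, not part of XenForo.

// Assumption: a long random secret stored outside the web root.
// The value here is a constructed placeholder.
const AVATAR_SECRET = 'replace-with-at-least-32-random-bytes';

// Scheme described in the thread: the file name is the user ID, so the
// whole set can be walked (1, 2, 3, ...) without logging in.
function guessableAvatarPath(int $userId): string
{
    $group = intdiv($userId, 1000); // assumed grouping behind ".../l/0/<id>.jpg"
    return sprintf('data/avatars/l/%d/%d.jpg', $group, $userId);
}

// Keyed variant: HMAC-SHA256 of the ID replaces the ID in the file name.
// The directory bucket also comes from the token, so the path carries
// nothing that can be counted up or mapped back to an ID without the key.
function keyedAvatarPath(int $userId, string $secret = AVATAR_SECRET): string
{
    $token = substr(hash_hmac('sha256', 'avatar:' . $userId, $secret), 0, 32);
    return sprintf('data/avatars/l/%s/%s.jpg', substr($token, 0, 2), $token);
}

// Rename plan for avatars already on disk: old path => new path.
// Fails loudly on a (practically impossible) collision instead of
// silently overwriting another user's file.
function planAvatarMigration(array $userIds, string $secret = AVATAR_SECRET): array
{
    $plan = [];
    $seen = [];
    foreach ($userIds as $id) {
        $new = keyedAvatarPath((int) $id, $secret);
        if (isset($seen[$new])) {
            throw new RuntimeException("path collision for user $id");
        }
        $seen[$new] = true;
        $plan[guessableAvatarPath((int) $id)] = $new;
    }
    return $plan;
}

// Constructed sample IDs.
foreach (planAvatarMigration([1, 2, 3, 1001]) as $old => $new) {
    printf("%-30s -> %s\n", $old, $new);
}
```

This only stops unauthenticated enumeration: the resulting URL is still served without a login check, so anyone who has seen it (for example, a logged-in member) can fetch or share it.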
     