As designed Avatar URLs can be guessed

[jwiechers]

This is not a bug per se, but in case someone is running a forum with very privacy-conscious users which does not provide anything to the outside world but a login screen, this may be a problem.

Avatars can be accessed, if one knows the proper URL format, by accessing http://<domain>/<forumrootdirectory>/data/avatars/l/0/<id>.jpg

 

[Jeremy P]

Seems pretty tedious to fix really. If you're that concerned you can change the config flag and rename/move your data directory.

$config['externalDataPath'] = '/path/root/whatever';

 

[jwiechers]

Well, depends, you could use some form of salted hash, but I know that it's rather minor and not really a bug, but a consequence of the the way things work (both vBulletin and IP.B are vulnerable to this, too).
That's why I said, that it's not a bug per se.

I just thought I'd mention it, because a user on one of my projects (that is still in stealth testing, but will be deployed to a select audience) noticed during penetration testing of server and software. It may be seen as rather a drastic security issue if you have a board with, primarily, real life avatars.

Your suggestion is one way to fix this, though. I'll look into wether people can deduce that path, somehow.

 

[Mike]

I take the point, though we don't really consider avatars private. Really, this is the best approach for ease of use (from a general development perspective) and performance. You could go trawling through user IDs, though you wouldn't have info about the user to tie it with.

The suggestion of moving the external data path is likely a reasonable workaround. (Once you have access to the board, you can get basic member info and find all the avatars like that.)