Cannot reproduce Private messages images IDOR

Karelke (Well-known member)

Affected version: 2.1.7
We performed a security audit and the following issue was discovered:

Log in and start a conversation with someone. Attach a picture to the message and you will be taken to the attachment management page.
In my case, /forum/attachments/upload?type=conversation_message&context[conversation_idapter=99999&hash=22c9fb5fdee39334b4459110036e72fb
You will have another hash in the link.

Now open the downloaded image in a new tab.
In my case /forum/attachments/file-png.4444/?hash=22c9fb5fdee39334b4459110036e72fb

Now just change the number after the dot in the link to view other images that you should not see.
Examples:

/forum/attachments/random-file-1-jpg.4441/?hash=22c9fb5fdee39334b4459110036e72fb
/forum/attachments/random-file-2-png.4442/?hash=22c9fb5fdee39334b4459110036e72fb
/forum/attachments/random-file-3-png.4443/?hash=22c9fb5fdee39334b4459110036e72fb
etc
 
I initially deleted this as if this was a genuine security issue then it would need to be disclosed in private.

However, after some testing, I do not believe the report to be correct.

The hash value is only required for, and only impacts, the actual attachment that hash belongs to. The attachment hash will belong to any attachment that is uploaded to the content that you are currently creating. All attachments with that hash will then be associated with the content once the content has been created.

When the attachment is not associated with any content, the hash is required to view it.

When the attachment is associated with content, you are only permitted to view the attachment if you actually have permission to view that content.

Because I'm an admin here, I was able to track down a conversation message attachment that actually exists.

The URL to it is this:
https://xenforo.com/community/attachments/222205/

If what you are saying is accurate then we'd be able to stick a valid attachment temporary hash to that URL and make it work:
https://xenforo.com/community/attachments/222205/?hash=9b417a5b77a765661ad4e59ef75cea90

But it doesn't.

I can try different attachment IDs, such as this one:
https://xenforo.com/community/attachments/222204/

And it will work (with or without the hash), but that's because it belongs to this content, which we all should be able to view anyway because we have permission to view it:

If there is more to this please feel free to submit a ticket or start a conversation with us.

If you are reproducing different results on your forum then it would be best to discount any add-ons causing issues there.
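The two-branch rule the reply describes (the temporary hash only unlocks an attachment that is not yet associated with content; once associated, only permission to view the content matters) modelled in Python as an added example. This is not XenForo's code: the user, conversation and attachment records are constructed, with attachment ids 4441/4444/222204, conversation 99999 and the hash taken from the thread, while conversation 77777 and the post id are invented.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Attachment:
    attachment_id: int
    temp_hash: str                        # issued at upload time
    content_type: Optional[str] = None    # e.g. "conversation_message" or "post"
    content_id: Optional[int] = None      # None while not yet associated with content


@dataclass
class User:
    user_id: int


# Constructed sample state (hypothetical ids, not the real forum's data).
CONVERSATION_MEMBERS = {99999: {1, 2}, 77777: {3, 4}}   # conversation_id -> participants
ATTACHMENTS = {
    # Just uploaded by user 1, not yet attached to a message: hash is the only credential.
    4444: Attachment(4444, "22c9fb5fdee39334b4459110036e72fb"),
    # Already attached to a message in a conversation user 1 is not part of.
    4441: Attachment(4441, "d41d8cd98f00b204e9800998ecf8427e", "conversation_message", 77777),
    # Attached to a post in a public thread (post id 5 is invented).
    222204: Attachment(222204, "9e107d9d372bb6826bd81d3542a419d6", "post", 5),
}


def can_view_content(user: User, content_type: str, content_id: int) -> bool:
    """Content-level permission; an associated attachment inherits exactly this."""
    if content_type == "conversation_message":
        return user.user_id in CONVERSATION_MEMBERS.get(content_id, set())
    if content_type == "post":
        return True   # public forum content in this model
    return False


def can_view_attachment(user: User, attachment_id: int, supplied_hash: Optional[str]) -> bool:
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return False
    if att.content_id is None:
        # Unassociated upload: only the temp hash issued for *this* attachment unlocks it.
        return supplied_hash is not None and hmac.compare_digest(supplied_hash, att.temp_hash)
    # Associated: the supplied hash carries no weight; the content permission decides.
    return can_view_content(user, att.content_type, att.content_id)
```

Swapping the id in the URL while keeping the hash (the report's step) therefore fails for 4441 and succeeds for 222204 only because the public post is viewable with or without any hash.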