At In-Portal, all user-uploaded files are stored in the "/system/" folder, which is accessible from the Web. An attacker can therefore probe that folder to check whether a file he/she is interested in is present and then use it in his/her attack.
...
Append a moderately long random string (e.g. a 10-character alphanumeric string with case-sensitive letters) to the end of each uploaded filename. This way "easy_to_guess_file.jpg" is transformed into "easy_to_guess_file_Aast46gsEd.jpg". The suffix must be truly random and completely independent of the uploaded filename (not a hash derived from it, so that an attacker cannot recompute it himself/herself) and must be different for each In-Portal install.
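One way to implement such a suffix in PHP, given here as an added example and not as In-Portal's own code (the function names randomSuffix, storedUploadName and uniqueStoredPath are assumptions made for this illustration). The suffix is drawn from a CSPRNG per upload, so it is independent of the filename and naturally differs between installs; the user-supplied name is additionally reduced to a basename and a whitelisted character set, and the target path is checked for collisions before use.

```php
<?php
// Added example (not In-Portal code): generate an unguessable stored name
// for an uploaded file by appending a random, filename-independent suffix.

const SUFFIX_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Returns $length characters chosen uniformly from SUFFIX_ALPHABET.
// random_int() (PHP >= 7.0) is a CSPRNG; rand()/mt_rand() or a hash of the
// filename (e.g. substr(md5($name), 0, 10)) would be predictable and must
// not be used here.
function randomSuffix(int $length = 10): string
{
    $max = strlen(SUFFIX_ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= SUFFIX_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Builds the stored filename: sanitized original name + '_' + random suffix + extension.
function storedUploadName(string $original, int $suffixLength = 10): string
{
    // basename() strips any directory components an attacker may have sent ("../../x").
    $base = basename($original);
    $name = pathinfo($base, PATHINFO_FILENAME);
    $ext  = pathinfo($base, PATHINFO_EXTENSION);

    // Keep only a conservative character set from user-controlled parts.
    $name = preg_replace('/[^A-Za-z0-9_.-]/', '_', $name) ?? '';
    $ext  = preg_replace('/[^A-Za-z0-9]/', '', $ext) ?? '';
    if ($name === '') {
        $name = 'file';
    }

    $stored = $name . '_' . randomSuffix($suffixLength);
    if ($ext !== '') {
        $stored .= '.' . strtolower($ext);
    }
    return $stored;
}

// Returns a full path inside $uploadDir that does not exist yet, retrying the
// random suffix on the (very unlikely) collision.
function uniqueStoredPath(string $uploadDir, string $original, int $maxTries = 5): string
{
    for ($try = 0; $try < $maxTries; $try++) {
        $path = rtrim($uploadDir, '/') . '/' . storedUploadName($original);
        if (!file_exists($path)) {
            return $path;
        }
    }
    throw new RuntimeException('Could not find a free filename for upload');
}

// Usage: "easy_to_guess_file.jpg" -> e.g. "easy_to_guess_file_Aast46gsEd.jpg"
echo storedUploadName('easy_to_guess_file.jpg'), PHP_EOL;
echo storedUploadName('../../etc/passwd'), PHP_EOL;   // -> "passwd_<suffix>" (no directory parts)
echo uniqueStoredPath(sys_get_temp_dir(), 'report.pdf'), PHP_EOL;
```

Two caveats a reviewer would raise: the suffix only hides files from guessing, so directory listing for "/system/" must stay disabled (otherwise the randomized names are simply listed), and renaming does nothing about dangerous extensions, so the existing extension/MIME restrictions on uploads must remain in place.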
Related Discussions
- /wiki/spaces/BUG/pages/43582414358309 (blocker)