At In-Portal all user uploaded files are stored in "/system/" folder, which accessible from the Web. This way an attacker can probe that folder to see which of files he/she is interested in is present to perform his attack.
There are several solutions to this:
- completely randomize the name of uploaded file (not even a hash from filename, but just a random string)
- append/prepend random string to the name of uploaded file
The complete randomization is of course more secure solution, but in case, when uploaded files are not images (images can be found later by their thumbnail) this can be become a nightmare for users. Therefore partial randomization seems like a viable solution.
Solution
Append moderate length random string (e.g. 10 symbol long alpha-numeric string where letters can be case-sensitive) at the end of uploaded filename. This way "easy_to_guess_file.jpg" is transformed into "easy_to_guess_file_Aast46gsEd.jpg". Hash must be completely independent from uploaded filename (so that attacher can't generate it himself/herself) and should be random for each In-Portal install.
Related Discussions
- /wiki/spaces/BUG/pages/4358241 (blocker)