In In-Portal, all user-uploaded files are stored in the "/system/" folder, which is accessible from the Web. This lets an attacker probe that folder to check whether a file he/she is interested in is present and then use it in an attack.
There are several solutions to this:
Complete randomization is of course the more secure solution, but when the uploaded files are not images (images can be found later by their thumbnail), it can become a nightmare for users. Therefore partial randomization seems like a viable solution.
Append a moderately long random string (e.g. a 10-symbol alphanumeric string, with case-sensitive letters) to the end of the uploaded filename. This way "easy_to_guess_file.jpg" is transformed into "easy_to_guess_file_Aast46gsEd.jpg". The appended string must be completely independent of the uploaded filename (so that the attacker can't generate it himself/herself) and should be random for each In-Portal install.
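As an added illustration of the partial-randomization scheme (example code, not In-Portal's own), in Python: the suffix is drawn from the OS CSPRNG rather than derived from the filename, so it cannot be recomputed by the uploader; the function names randomize_upload_name and is_randomized_name are assumptions.

```python
import os
import re
import secrets
import string

# Suffix alphabet: case-sensitive letters plus digits (62 symbols), so a
# 10-character suffix has 62**10 (about 8e17) possible values.
SUFFIX_ALPHABET = string.ascii_letters + string.digits
SUFFIX_LENGTH = 10


def random_suffix(length: int = SUFFIX_LENGTH) -> str:
    """Return a suffix from the OS CSPRNG; it depends on nothing the
    uploader controls, so it cannot be reproduced from the filename."""
    return "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(length))


def randomize_upload_name(original_name: str) -> str:
    """Turn 'easy_to_guess_file.jpg' into 'easy_to_guess_file_<10 random>.jpg'.

    The original base name is kept so users still recognise the file,
    but the stored name can no longer be guessed by probing the
    web-accessible upload folder. (Hypothetical helper, not In-Portal code.)
    """
    # Drop any directory components the client may have sent.
    base_name = os.path.basename(original_name.replace("\\", "/"))
    stem, ext = os.path.splitext(base_name)
    # Keep only a conservative character set in the stem and extension.
    stem = re.sub(r"[^A-Za-z0-9._-]", "_", stem).strip("._") or "file"
    ext = re.sub(r"[^A-Za-z0-9]", "", ext)[:10].lower()
    name = f"{stem}_{random_suffix()}"
    return f"{name}.{ext}" if ext else name


def is_randomized_name(stored_name: str) -> bool:
    """Check that a stored name ends in a 10-character alphanumeric suffix."""
    stem = os.path.splitext(stored_name)[0]
    return re.fullmatch(r".+_[A-Za-z0-9]{%d}" % SUFFIX_LENGTH, stem) is not None
```

The check function is useful when migrating an existing upload folder: any file whose stored name fails it is still guessable and should be renamed.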
Tasks created to fix this bug.