At In-Portal all user uploaded files are stored in "/system/" folder, which accessible from the Web. This way an attacker can probe that folder to see which of files he/she is interested in is present to perform his attack.

There are several solutions to this:

• completely randomize the name of uploaded file (not even a hash from filename, but just a random string)
• append/prepend random string to the name of uploaded file

The complete randomization is of course more secure solution, but in case, when uploaded files are not images (images can be found later by their thumbnail) this can be become a nightmare for users. Therefore partial randomization seems like a viable solution.

Solution

1. add public "\kUploadHelper::randomizeFilename($filename)" method, that will: - 0.5h
   1. generate random 16 byte string using "SecurityGenerator::generateBytes(8)" method call
   2. inject it in here "{file_name}_{random_string}.{file_extension}"
2. in the "\kUploadHelper::getUploadedFilename" method wrap response with "\kUploadHelper::randomizeFilename" method call - 0.3h
3. in the "\kUploadFormatter::_processRegularUploader" method, when file was uploaded (the error is UPLOAD_ERR_OK) but before any validation happens wrap "$value['name']" with  "\kUploadHelper::randomizeFilename" method call - 0.2h

Quote: 1h*1.4=1.5h

Related Discussions

• /wiki/spaces/BUG/pages/4358309 (blocker)

Related Tasks