Child pages
  • [security, uploader] Randomize name of uploaded files [5.2.2-B1]
Skip to end of metadata
Go to start of metadata
STRIDEInformation Disclosure
Damage potential0
Reproducibility10
Exploitability10
Affected users10
Discoverability10
DREAD Score8
5.1.xYes
RPIYes
Quote1.5h

At In-Portal all user uploaded files are stored in "/system/" folder, which accessible from the Web. This way an attacker can probe that folder to see which of files he/she is interested in is present to perform his attack.

There are several solutions to this:

  • completely randomize the name of uploaded file (not even a hash from filename, but just a random string)
  • append/prepend random string to the name of uploaded file

The complete randomization is of course more secure solution, but in case, when uploaded files are not images (images can be found later by their thumbnail) this can be become a nightmare for users. Therefore partial randomization seems like a viable solution.

Solution

  1. add public "\kUploadHelper::randomizeFilename($filename)" method, that will: - 0.5h
    1. generate random 16 byte string using "SecurityGenerator::generateBytes(8)" method call
    2. inject it in here "{file_name}_{random_string}.{file_extension}"
  2. in the "\kUploadHelper::getUploadedFilename" method wrap response with "\kUploadHelper::randomizeFilename" method call - 0.3h
  3. in the "\kUploadFormatter::_processRegularUploader" method, when file was uploaded (the error is UPLOAD_ERR_OK) but before any validation happens wrap "$value['name']" with  "\kUploadHelper::randomizeFilename" method call - 0.2h

Quote: 1h*1.4=1.5h

Related Discussions

Related Tasks

INP-1714 - Getting issue details... STATUS

1 Comment

  1. Dmitry Andrejev [Intechnic], keep in mind that this to implement mentioned plan the blocker task with 12h quote needs to be done upfront.