Place Your Ad Here

Bug Temporary attachments should only be viewable by the session/user which adds them

There is a bug in this version
X

Xon

Guest
XenForo implements temporary attachments without additional constraints to view them. This sadly can be exploited for spam:

BassMan said:
BassMan said:
Or this one...

Upload images in the quick editor and never post a reply. Use the URL of those images in an email for various phishing attacks. The URL points to your forum (images are uploaded to your server).
Click to expand...
Click to expand...

The only real solution is to lock viewing temporary attachments to the session which created them for guests, or for the logged in user.

Continue reading...
 
You must log in or register to reply here.

Similar threads

E
XenForo Fatal Error: gd-webp cannot allocate temporary buffer
Replies
0
Views
68
XenForo Development & Modifications
estranged
E
C
XenForo How can I temporary disable google authenticator?
Replies
0
Views
320
XenForo Development & Modifications
Cannabis Ape
C
دراجي سوفت
Hydra Tool HYDRA DONGLE ( MTK MODULE - MAIN MODULE ) NOT OPEN TEMPORARY SOLUTION
Replies
0
Views
625
Hydra Tool
دراجي سوفت
دراجي سوفت
S
XenForo [E_WARNING] curl_setopt_array(): Unable to create temporary file
Replies
0
Views
584
XenForo Development & Modifications
Salamanca
S
C
XenForo Attachments unassociated since 2.3.4
Replies
0
Views
16
XenForo Development & Modifications
CedricV
C
Top Bottom
Back