Uploaded files are available by using their links

ahmadordi · July 26, 2019, 11:03am

First I would like to say that this software is super.
But I just realized one thing that it is also always one of my major problems in web develpment.

The uploaded files are available by using their links in browser, even when I am not logged in. So everyone can see my screenshots and project related data.

If I use it in local server, which is available only in our comapany’s network, so I won’t have any problem, but on a public web server I will have this security issue.

How can I solve it? Any Ideas?

rafaelcamargo · July 26, 2019, 11:33am

I did’t reproduce this behaviour on latest version of kanboard.
I 've copied the attachment link, i.e. http://localhost/kanboard/?controller=FileViewerController&action=download&task_id=1&project_id=1&file_id=1, logged out and when accessed this url, it redirected to login form.

Can you provide a step-by-step to reproduce it? Also, what version are you using? Running on linux or windows? apache, nginx, or other?

ahmadordi · July 26, 2019, 11:41am

Thanks for the answer.
I just checked it in localhost on windows 10 and usinh XAMPP. In localhost, it works really good as you said it redirects to login page.

But when I use it on my VPS server using Linux Ubuntu Server 18.04 on Apache2 and PHP7 it doesn’t work well.

Can you try this link, if you can see the image?
http://h2842982.stratoserver.net/kanboard/?controller=FileViewerController&action=image&file_id=3&project_id=1&task_id=3

ahmadordi · July 26, 2019, 11:47am

I just checked it again in another computer and you are right, it redirects to the login page. I think something is wrong with my browsers and specially opera. I have to clean the cache and then try again.

Thanks again for your answer.

rafaelcamargo · July 27, 2019, 3:13am

Nope, I was redirected to login page. Tried your /data/ dir also and got a 403, so it seems you are safe.

ahmadordi · July 30, 2019, 1:50pm

Thanks again for your help.
By the way, you know how to implement this in PHP? I mean to avoid users accessing the folder of Images for example in root directory. I implement is so, that I put the files outside of the root directory and read the files using php. With images it works fine, but with videos, it blocks the whole site sometimes.

I know that is not related to this program, but I would be very thankful if you can have some advices.

rafaelcamargo · July 30, 2019, 11:51pm

Not with php, but on your web server. In Apache, for instance, you can create a .htaccess file in a directory with additional rules that Apache will apply to that directory and subdirectories. Kanboard has one inside the data folder:

github.com

kanboard/kanboard/blob/master/data/.htaccess

<IfVersion >= 2.3>
    Require all denied
</IfVersion>
<IfVersion < 2.3>
    Order allow,deny
    Deny from all
</IfVersion>

This directives blocks any direct access to any files inside the folder.
For videos, if you still like the browser to access them directly, I recommend you to block the file listing (it can be done with .htaccess or simply putting an index.php file that does nothing) and saving files with randomly generated names, so no one can guess the names and download them.

Topic		Replies	Views
Kanboard portable is available - requesting your feedback	24	1219	September 9, 2023
File encryption	0	334	May 27, 2022
Ubuntu 22.10 - Kanboard Install Issues Installation Issues	4	327	December 20, 2022
Unable to open plugin archive / There is no plugin loaded	4	473	September 14, 2023
Can't reach kanboard site	0	351	November 9, 2020

Uploaded files are available by using their links

Related Topics