Uploaded files are available by using their links

First I would like to say that this software is super.
But I just realized one thing that it is also always one of my major problems in web develpment.

The uploaded files are available by using their links in browser, even when I am not logged in. So everyone can see my screenshots and project related data.

If I use it in local server, which is available only in our comapany’s network, so I won’t have any problem, but on a public web server I will have this security issue.

How can I solve it? Any Ideas?

I did’t reproduce this behaviour on latest version of kanboard.
I 've copied the attachment link, i.e. http://localhost/kanboard/?controller=FileViewerController&action=download&task_id=1&project_id=1&file_id=1, logged out and when accessed this url, it redirected to login form.

Can you provide a step-by-step to reproduce it? Also, what version are you using? Running on linux or windows? apache, nginx, or other?

1 Like

Thanks for the answer.
I just checked it in localhost on windows 10 and usinh XAMPP. In localhost, it works really good as you said it redirects to login page.

But when I use it on my VPS server using Linux Ubuntu Server 18.04 on Apache2 and PHP7 it doesn’t work well.

Can you try this link, if you can see the image?

I just checked it again in another computer and you are right, it redirects to the login page. I think something is wrong with my browsers and specially opera. I have to clean the cache and then try again.

Thanks again for your answer.

Nope, I was redirected to login page. Tried your /data/ dir also and got a 403, so it seems you are safe.

1 Like

Thanks again for your help.
By the way, you know how to implement this in PHP? I mean to avoid users accessing the folder of Images for example in root directory. I implement is so, that I put the files outside of the root directory and read the files using php. With images it works fine, but with videos, it blocks the whole site sometimes.

I know that is not related to this program, but I would be very thankful if you can have some advices.

Not with php, but on your web server. In Apache, for instance, you can create a .htaccess file in a directory with additional rules that Apache will apply to that directory and subdirectories. Kanboard has one inside the data folder:

This directives blocks any direct access to any files inside the folder.
For videos, if you still like the browser to access them directly, I recommend you to block the file listing (it can be done with .htaccess or simply putting an index.php file that does nothing) and saving files with randomly generated names, so no one can guess the names and download them.

1 Like