[Tickets #5892] Re: Linked attachment feature vulnerability
bugs at bugs.horde.org
Tue Nov 20 21:10:15 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=5892
-----------------------------------------------------------------------
Ticket | 5892
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | Linked attachment feature vulnerability
Queue | IMP
Version | HEAD
Type | Bug
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2007-11-20 13:10) wrote:
I have an alternative thought here to the secret id craziness and having
to determine users by id and email address, which seems really unworkable
if you think about forwarding, aliases, and a bunch of other stuff. My head
spins.
Isn't the simplest answer here to just add an intermediate page? Make it
impossible to download a linked attachment directly - you have to go to the
page first, get a token that's valid for a few minutes, make a POST
request, etc., then you get the file. That way no jar: link could link
directly to a file.
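The intermediate-page scheme proposed above, worked through as an added example. This is illustrative code written for this page, not IMP's or Horde's own implementation, and the names in it are assumptions: the `LinkedAttachmentGate` class, the `/linked/<id>` and `/linked/<id>/download` paths, and the 300-second lifetime standing in for "a few minutes". The point the example makes concrete is that a plain link (including a jar: URL, which can only ever issue a GET) never reaches the file: the GET serves a page carrying a short-lived token, and the file is released only to a POST that presents a token bound to this session, this attachment and a fresh nonce.

```python
import hashlib
import hmac
import os
import time

TOKEN_TTL = 300  # assumed lifetime in seconds for "valid for a few minutes"


class LinkedAttachmentGate:
    """Hypothetical gate in front of linked-attachment downloads.

    A token is minted by the intermediate page and is only honoured when it
    comes back in a POST, from the same session, for the same attachment,
    within TOKEN_TTL seconds, and at most once.
    """

    def __init__(self, secret: bytes, ttl: int = TOKEN_TTL):
        self.secret = secret          # per-installation secret, never in a URL
        self.ttl = ttl
        self._used = set()            # redeemed nonces; in-memory for the demo only

    def _mac(self, session_id: str, attachment_id: str, issued: int, nonce: bytes) -> bytes:
        # NUL-separated fields so "a"+"bc" cannot collide with "ab"+"c".
        msg = b"\0".join([session_id.encode(), attachment_id.encode(),
                          str(issued).encode(), nonce])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def issue(self, session_id: str, attachment_id: str, now=None) -> str:
        """Mint a token for the POST form shown on the intermediate page."""
        issued = int(now if now is not None else time.time())
        nonce = os.urandom(16)
        mac = self._mac(session_id, attachment_id, issued, nonce)
        return f"{issued}:{nonce.hex()}:{mac.hex()}"

    def redeem(self, method: str, session_id: str, attachment_id: str,
               token: str, now=None) -> bool:
        """Return True only if this request may receive the file."""
        if method != "POST":
            return False              # a link, jar: or otherwise, can only GET
        try:
            issued_s, nonce_hex, mac_hex = token.split(":")
            issued = int(issued_s)
            nonce = bytes.fromhex(nonce_hex)
            mac = bytes.fromhex(mac_hex)
        except ValueError:
            return False
        expected = self._mac(session_id, attachment_id, issued, nonce)
        if not hmac.compare_digest(mac, expected):
            return False              # wrong session, wrong attachment, or forged
        now = int(now if now is not None else time.time())
        if not issued <= now <= issued + self.ttl:
            return False              # expired (or clock skewed into the past)
        if nonce in self._used:
            return False              # replayed token
        self._used.add(nonce)
        return True


def handle(gate: LinkedAttachmentGate, method: str, path: str, session_id: str,
           form=None, now=None):
    """Tiny dispatcher standing in for the two assumed endpoints.

    GET  /linked/<id>           -> intermediate page with a POST form and token
    POST /linked/<id>/download  -> the file, if the token checks out
    Anything else               -> 403/404; in particular a GET on /download
    """
    form = form or {}
    parts = path.strip("/").split("/")
    if parts[:1] != ["linked"] or len(parts) < 2:
        return 404, None
    attachment_id = parts[1]
    if len(parts) == 2 and method == "GET":
        return 200, {"form_action": f"/linked/{attachment_id}/download",
                     "token": gate.issue(session_id, attachment_id, now)}
    if len(parts) == 3 and parts[2] == "download":
        if gate.redeem(method, session_id, attachment_id, form.get("token", ""), now):
            return 200, {"file": attachment_id}
        return 403, None
    return 404, None


if __name__ == "__main__":
    gate = LinkedAttachmentGate(os.urandom(32))
    print(handle(gate, "GET", "/linked/att42/download", "sess1"))   # (403, None)
    status, page = handle(gate, "GET", "/linked/att42", "sess1")
    print(handle(gate, "POST", page["form_action"], "sess1", {"token": page["token"]}))
```

Two things to keep in mind if something like this were built for real: the `_used` set has to live in shared storage (session data or a database) once there is more than one PHP worker, and the expiry window should be short enough that a token captured from the intermediate page is worthless by the time anyone can reuse it, which is the reason the token is also bound to the session rather than only to the attachment.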