    20537408
    files: Only allow files uploaded in this session · 20537408
    Jared Hancock authored
    This fixes a security issue where, by crafting a special POST request to the
    client open.php page, an (unauthenticated) user could get a URL link to
    access any attachment already uploaded in the system by guessing or
    brute-forcing the file's ID number.
    
    This patch addresses the issue by registering the uploaded file's ID in the
    current user's session. When processing the list of file IDs attached to
    the FileUploadField, the files must already have been attached to the field
    or have been newly attached in the current session.
    
    Fixes #2615
    
    References:
    "Security issue - Download attachments submitted by others"
    https://github.com/osTicket/osTicket-1.8/issues/2615
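The session-scoped allowlist the commit message describes, shown as an added illustration rather than osTicket's own code: the function names, the `uploaded_files` session key and the sample IDs are constructed for this example.

```php
<?php
// Added example (not osTicket's code): the defensive pattern from the commit
// message. A posted file ID is accepted only if it is already attached to the
// field or was uploaded in the current session; every other ID is dropped.
// register_upload, filter_file_ids_* and the 'uploaded_files' key are hypothetical.

// Record a freshly uploaded file's ID in the current session.
function register_upload(array &$session, int $fileId): void {
    $session['uploaded_files'][$fileId] = true;
}

// Vulnerable form: trusts every ID the client posts, so any existing
// attachment can be referenced by guessing or brute-forcing its number.
function filter_file_ids_vulnerable(array $posted): array {
    return array_map('intval', $posted);
}

// Hardened form: keep an ID only if it is already attached to this field
// or appears in the session's upload registry.
function filter_file_ids_hardened(array $posted, array $alreadyAttached, array $session): array {
    $uploaded = $session['uploaded_files'] ?? [];
    $attached = array_flip($alreadyAttached);
    $kept = [];
    foreach ($posted as $raw) {
        $id = (int) $raw;
        if (isset($attached[$id]) || isset($uploaded[$id])) {
            $kept[] = $id;
        } else {
            // A rejected ID is a useful detection signal: log it rather than
            // silently discarding it.
            error_log("rejected file id {$id}: not attached and not uploaded in this session");
        }
    }
    return $kept;
}

// Constructed demo: 42 was uploaded in this session; 7 and 1001 were not.
$session = [];
register_upload($session, 42);
$posted = ['42', '7', '1001'];
var_dump(filter_file_ids_vulnerable($posted));
var_dump(filter_file_ids_hardened($posted, [], $session));
```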