Security issue - Download attachments submitted by others #2615
This fixes a security issue where, by crafting a special POST request to the client open.php page, an (unauthenticated) user could get a URL link to access to any attachment already uploaded in the system by guessing or brute-forcing the file's ID number. This patch addresses the issue by registering the uploaded file's ID in the current user's session. When processing the list of file ID's attached to the FileUploadField, the files must already have been attached to the field or have been newly attached in the current session. Fixes osTicket#2615 References: "Security issue - Download attachments submitted by others" osTicket#2615
@fabiopires would you be able to re-test with the patch in #2618. Using Firefox I was able to resend a POST like what you described and it seems fixed. Also, my initial tests seem to show that the system seems to work correctly with the fields in the thread-entry widget like you depict as well as with the "File Upload" field used separately in various other forms.
Nice, it's solved. Nice work.
To disclosure this vuln with responsability, we wanted to ask you when the last version will become public ?
Please let us known in order to respect some time to let all users update their versions. :)
In our blog we will credit your excelent dev team for being so fast answering us in order to solve everything quick as possible.