Sam S. Posted April 6, 2020 Posted April 6, 2020 Full disclosure I am newer to the IPS platform, still trying to get some kinks worked out. I have a concern as I have a forum category limited by only allowing topic creators to see the contents of each post. The purpose of this area is to allow each member to introduce themselves and share personal details. My concern is any attachments upload go into the default upload directory without any more then a randomized 32 char filename encryption. Whats mores-so daunting anyone can have access to "sniff" folder without being logged in (via entering the file URL in a new browser with no cookies / not logged in). I checked SYSTEM -> FILES to see if there was a way to require isLoggedIn but either I'm blind or this function does not exist. Can anyone point me in the right direction to securing the "uploads" of personal attachments? NOTE: Simply changing the DIR is not a secure move for me, as the new directory is still vulnerable, and can be located by anyone hovering over any content uploaded to the site to see the new upload directory.
bfarber Posted April 7, 2020 Posted April 7, 2020 There is no way to "secure" these files, but the randomized value added to every single filename makes it impossible to simply guess the filenames. As long as you have directory indexes turned off (or an index.html file in the folder to prevent it), I really wouldn't be worried about it.
Recommended Posts