Temporary attachments should only be viewable by the session/user which adds them

Status
Not open for further replies.

ENXF NET

XenForo implements temporary attachments without additional constraints to view them. This sadly can be exploited for spam:

BassMan said:
Or this one...

Upload images in the quick editor and never post a reply. Use the URL of those images in an email for various phishing attacks. The URL points to your forum (images are uploaded to your server).
The only real solution is to lock viewing of temporary attachments to the session which created them for guests, or to the logged-in user.
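
One way to express the restriction proposed above, as an added example that is not XenForo's code or part of the original post. The class, field and function names are hypothetical, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical attachment record; the field names are assumptions, not XenForo's schema.
final class Attachment
{
    public function __construct(
        public bool $temporary,           // true until the upload is attached to posted content
        public int $uploaderUserId,       // 0 when a guest uploaded the file
        public string $uploaderSessionTag // HMAC of the uploading session's id
    ) {}
}

// Store an HMAC of the session id rather than the id itself, so a leaked
// attachment table does not expose usable session identifiers.
function sessionTag(string $sessionId, string $secret): string
{
    return hash_hmac('sha256', $sessionId, $secret);
}

// Returns true only when the viewer is allowed to fetch the file.
function canViewAttachment(Attachment $a, int $viewerUserId, string $viewerSessionId, string $secret): bool
{
    if (!$a->temporary) {
        return true; // posted content: the normal content permission check applies (not shown)
    }
    if ($a->uploaderUserId > 0) {
        return $viewerUserId === $a->uploaderUserId; // member upload: same account only
    }
    if ($viewerSessionId === '') {
        return false; // no session (e.g. an image fetched from an email client): deny
    }
    // Guest upload: same session only, compared in constant time.
    return hash_equals($a->uploaderSessionTag, sessionTag($viewerSessionId, $secret));
}

// Constructed sample data.
$secret = 'constructed-server-secret';
$member = new Attachment(true, 42, sessionTag('sess-member', $secret));
$guest  = new Attachment(true, 0, sessionTag('sess-guest', $secret));
$cases  = [
    'member upload, same user'    => canViewAttachment($member, 42, 'sess-other', $secret),
    'member upload, other user'   => canViewAttachment($member, 7, 'sess-x', $secret),
    'guest upload, same session'  => canViewAttachment($guest, 0, 'sess-guest', $secret),
    'guest upload, no session'    => canViewAttachment($guest, 0, '', $secret),
    'guest upload, other session' => canViewAttachment($guest, 0, 'sess-y', $secret),
];
foreach ($cases as $label => $allowed) {
    echo $label, ': ', $allowed ? 'allow' : 'deny', PHP_EOL;
}
```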
