10-05-2009, 03:15 AM
giaxaydung
 
Guest can download free with .rar file type extension

My forum is in trouble. The server always shuts down. I found out that when I attach some kinds of file to a post, guests can download the files with the .rar extension. They don't need to sign in when they download files from my site. They copy the attachment file links to other sites and make my server overload.

For example: I have a post with some attached files in .doc, .pdf and .rar format; guests can download only the .rar files (they cannot download the .doc or .pdf files). You can even use download accelerator software (FlashGet).

I store the attachments in the filesystem. Do you think this is a security hole in VBB 3.8.4?
I tried to find out at:
1. Admincp > Attachments > Attachment Permissions
2. I checked in Forum Permissions, looked at the Unregistered Usergroup and set Unregistered Can Not Download Attachments. I also checked the same permission under Usergroup Manager > Unregistered Usergroup.
But the problem still remains.

What can I do to set permissions for .rar files? Can you help me fix this problem?

My server, CPU and MySQL always hang, die... Help me please. Thanks.

--------------- Added [DATE]1254717505[/DATE] at [TIME]1254717505[/TIME] ---------------

In View Permissions I found the permission settings for Unregistered / Not Logged In. All of them are set to No for Can View Attachments and Can Post Attachments.