
Ticket By blossom 02 Jul 2018, 06:48

Description:
When a user uploads a file, the name of the file is based on the Unix time generated on the client side.
A sophisticated user can easily tamper with this value to override existing images on the server.

A better solution would be to use the final file name returned from the server after making sure that it's unique.

Component:
Chat Bar

ArrowChat Version:
2.1.x

Ticket By blossom 02 Jul 2018, 07:28

I'm willing to donate an improvement to that code, if welcomed.

Ticket By blossom 02 Jul 2018, 07:38

Also, the maximum file size is client-based. A user can upload a huge file and lock the hosting server.
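The two issues raised in this ticket (a client-chosen Unix-time file name that can collide with, and overwrite, an existing image, and a file-size limit that is only enforced in the browser) are both fixed on the server. The following is an added illustration written for this ticket, not ArrowChat's own upload code: it stores every upload under a server-generated random name opened with `O_CREAT|O_EXCL` so nothing already on disk can be replaced, keeps only a whitelisted extension from the client name, and counts bytes as they arrive so an oversized body is cut off and the partial file removed regardless of what the client claimed. The `MAX_UPLOAD_BYTES` limit, the extension whitelist and the sample file names are assumptions chosen for the demo.

```python
import io
import os
import secrets
import tempfile

# Assumed server-side policy for the demo (not ArrowChat's values).
MAX_UPLOAD_BYTES = 2 * 1024 * 1024          # 2 MiB hard cap enforced while reading
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
CHUNK = 64 * 1024


class UploadRejected(Exception):
    """Raised when an upload violates server-side policy."""


def server_side_name(client_name: str) -> str:
    """Build the stored name on the server.

    The client-supplied name contributes nothing but its extension, and only
    if that extension is whitelisted; the base name is 128 bits of randomness,
    so a client cannot pick (or predict) the name an existing image has.
    """
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    return secrets.token_hex(16) + ext


def save_upload(upload_dir: str, client_name: str, stream,
                max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Store an upload and return the final (server-chosen) file name.

    O_EXCL guarantees the call creates a new file and never truncates an
    existing one; the byte counter is the real size check, so a forged
    Content-Length or a disabled client-side limit changes nothing.
    """
    for _ in range(3):                       # retry on the (negligible) name collision
        stored = server_side_name(client_name)
        path = os.path.join(upload_dir, stored)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        written = 0
        try:
            with os.fdopen(fd, "wb") as out:
                while True:
                    chunk = stream.read(CHUNK)
                    if not chunk:
                        break
                    written += len(chunk)
                    if written > max_bytes:
                        raise UploadRejected(
                            f"upload exceeds {max_bytes} bytes")
                    out.write(chunk)
        except BaseException:
            os.unlink(path)                  # never leave a partial file behind
            raise
        return stored
    raise UploadRejected("could not allocate a unique file name")


def demo() -> dict:
    """Two uploads that both claim the same client-side Unix-time name land in
    two distinct files, and an oversized upload is rejected and cleaned up."""
    with tempfile.TemporaryDirectory() as d:
        client_name = "1530513000.png"       # constructed: a client-chosen unix-time name
        first = save_upload(d, client_name, io.BytesIO(b"\x89PNG first"))
        second = save_upload(d, client_name, io.BytesIO(b"\x89PNG second"))
        with open(os.path.join(d, first), "rb") as f:
            first_bytes = f.read()
        try:
            save_upload(d, "big.png", io.BytesIO(b"A" * (MAX_UPLOAD_BYTES + 1)))
            oversized_rejected = False
        except UploadRejected:
            oversized_rejected = True
        return {
            "distinct_names": first != second,
            "first_intact": first_bytes == b"\x89PNG first",
            "oversized_rejected": oversized_rejected,
            "files_on_disk": len(os.listdir(d)),   # 2: the partial big file was unlinked
        }


if __name__ == "__main__":
    print(demo())
```

The name returned by `save_upload` is what the server should hand back to the chat client for display, which is the approach the ticket proposes; the client's own name is never used as a storage path.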

Status Change

Changed ticket status from "New" to "Awaiting team input"
Action performed by Jason » 18 Oct 2018, 22:28
