V8-archive: [SECURITY] Static Links to uploaded files

Created on 28 May 2019 · 7Comments · Source: directus/v8-archive

Feature Request

About audited Directus version.
It has been cloned from suite repo.
Latest commit https://github.com/directus/directus/commit/1d151a9034514e3f2ec1c80001e7c5fffdef2d4e

Description:

In Internet systems, there is sometimes a file upload mechanism, which allowing the user to upload files to share information between entities that communicate through the application. Files upload mechanism often generate direct links to download the uploaded files from the system. These mechanisms sometimes choose a name of file and store the uploaded file according to the name the chosen on the web server. A mechanism that defines file names in a sequence numbers is an insecure mechanism because it allows guessing of uploaded files more easily, thus allowing access to sensitive personal information.

Business risk:

After exploiting this vulnerability, an attacker can easily guess links to uploaded files.

Technical details:

During the test, it was found that the application’s upload files mechanism generates static links to uploaded files, thing that allows an attacker to get access to uploaded files that were uploaded into the system, even if were uploaded by other users.

screenshot

What problem does this feature solve?

Fixes security hole.

How do you think this should be implemented?

Do not let users to get access to upload files that were uploaded by another users.
Image ID should be chosen by unpredictable way and one-time random token should be appended to the
link in order to prevent exact link guessing.
Implement an authorization mechanism that validate if user authorized to view or download the specific file.

Would you be willing to work on this?

Maybe, with help/guidance from Directus team.

bug duplicate enhancement question

Source

ybelenko

All 7 comments

@benhaynes @rijkvanzanten

As we are going to implement UUID feature for file uploading system, guessing the file name is near to impossible.
Eventhough, if we want to restrict accessing files for unauthorised user, we have to restrict directly accessing of files and create functionality which will check if a user is authorised to access the file or not. To achieve this we need to make changes in system where files are being fetched / accessed.

Please share your thoughts on it.

itsmerhp on 22 Jun 2019

👍1

Is this an exact duplicate of https://github.com/directus/api/issues/987 ?

My comment is the same as on that one.

benhaynes on 24 Jun 2019

👍1

This should be resolved by adding UUID's, the short version of this post is if you see /image-1.jpg, more than likely, you could guess that there's going to be a /image-2.jpg

shealavington on 24 Jun 2019

It will be fixed with the development of #337

bjgajjar on 26 Jun 2019

We need to pay attention to the subtle difference between this and #987 though. This issue states

During the test, it was found that the application’s upload files mechanism generates static links to uploaded files, thing that allows an attacker to get access to uploaded files that were uploaded into the system, even if were uploaded by other users.

By using UUIDs, this _will not_ be fixed, as it's still a public static link.

The business risk will be fixed though:

After exploiting this vulnerability, an attacker can easily guess links to uploaded files.

As the UUID is way harder / impossible to guess. That being said, a UUID _is not_ a hash or any other cryptographically secure method of generating file names, so one could theoretically work out the UUID structure and programmatically "guess" filenames.

@bjgajjar

rijkvanzanten on 26 Jun 2019

@rijkvanzanten You are right, with UUID, we will be only able to achieve the solution so that attacker can't guess the file names.
But still, the unauthorized directory access will be available until we push the fixes for #987 which will be preventing unauthorized access to the files of different users.

@bjgajjar @itsmerhp You can push the fix for #987 and it will automatically fix this issue.