Security Alert: Disable image preview on File Upload (AJAX)

mpfa1073

Today I received an alert from the security team that the Joomla site was hacked: the hackers tweeted an image located in the server's Fabrik upload folder.

After investigation, I concluded that all they did was upload the image with the fileupload component (using it in AJAX mode) and get the image name from the preview image, since the uploads are configured to be renamed to 12 random characters.

How can I disable the preview popup and the small icon that links to the same image just uploaded?

Regards,

Marco A.
 
If you update from GitHub you'll get an option about the preview.

But I don't understand your "security alert":
The one who is able to view the image - yes, he can view the image and the image name. And if he is able to edit/upload, he is the "owner" of the image.
 
The form is for sending consumer complaints, and the attachments are the proofs of the complaints... those files should be known only to the managers after being uploaded... the problem is that anyone can send any image via the upload component and get to know the file name that was saved on the server...

Normally they could not get the name after upload, am I correct?
 
I still can't see the problem if somebody is able to see a file uploaded by himself.

But anyway: you can add a PHP plugin (onBeforeStore, I think) and rename the file.
 
About the use of the PHP plugin: the fileupload uploads the image as soon as it is selected by the user; they don't need to submit the form, so no PHP plugin will be run.
 
I kind of solved the problem by protecting the upload directory with an .htaccess file containing a "deny from all" clause... now the "hackers" can't access the files they upload, and regular users will receive the valid files by e-mail anyway, so there is no need to make the folder public.

Regards

Marco A.
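The .htaccess approach described in the post above, written out as an added example (this is not code from the thread or from the Fabrik project). It assumes the file is placed in the Fabrik upload directory itself, that the web server is Apache, and that the virtual host allows overrides there (`AllowOverride` must include `Limit`/`AuthConfig` or `All`, otherwise the file is silently ignored). The plain `Deny from all` wording works on Apache 2.2 but only on 2.4 when the compatibility module `mod_access_compat` is loaded, so both forms are included:

```apacheconf
# .htaccess in the Fabrik upload directory (location assumed; adjust to your site).
# Refuses every direct web request for files in this directory and its
# subdirectories, so knowing a randomised file name no longer lets anyone
# fetch or hotlink the upload. Managers still get the files by e-mail, and the
# application itself can still read them from disk.

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 (also 2.4 with mod_access_compat)
    Order deny,allow
    Deny from all
</IfModule>
```

After deploying it, check from outside the server with `curl -I https://<site>/<upload-path>/<some-uploaded-file>`: the response must be `403 Forbidden`, not `200`. If it is still `200`, overrides are disabled for that directory and the same rules have to go into the `<Directory>` block of the virtual host configuration instead. Moving the upload directory outside the document root altogether removes the dependence on the web server configuration, but that requires changing the upload path in the element's settings.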