Drake CMS Official Forums - read-only archive

You are reading the Drake CMS Official Forums archive, available for historical purposes only.

Drake CMS has been rebranded as Lanius CMS; visit the new Lanius CMS Official Forums if you need support for Lanius CMS or for the Drake CMS -> Lanius CMS migration.



Author Message:
awrog
Downloads security
19 December 2007 14:35
L.S.

I have a question about the security of my downloads.
Access to the downloads is determined by the Access Group of the Category to which the downloads belong.

If the User Group of a visitor is not 'enough' he/she will not see the downloads in that category and consequently will have no access to the files in that category.

However, when someone who is not a member of my Drake CMS 'accidentally' receives a link to a download within a restricted category (not a direct link, but via DrakeCMS), then he will be able to download that file.

Should DrakeCMS not check against the category-table whether someone has access rights to that particular file, even if it is being accessed from outside the downloads-page from DrakeCMS?

I hope someone can shed some light on this matter.

AWRog
 
stigi
Re: Downloads security
19 December 2007 15:28
Quote by awrog:

L.S.

I have a question about the security of my downloads.
Access to the downloads is determined by the Access Group of the Category to which the downloads belong.

If the User Group of a visitor is not 'enough' he/she will not see the downloads in that category and consequently will have no access to the files in that category.

However, when someone who is not a member of my Drake CMS 'accidentally' receives a link to a download within a restricted category (not a direct link, but via DrakeCMS), then he will be able to download that file.

Should DrakeCMS not check against the category-table whether someone has access rights to that particular file, even if it is being accessed from outside the downloads-page from DrakeCMS?

I hope someone can shed some light on this matter.

AWRog


Good note!

I think there should be an access check while entering the Downloads area.

However, for normal users it shouldn't be possible to retrieve links of protected download categories, but..

If you can access Downloads (it's enabled), you can also access other pages by changing the value of catid.

It should be fixed.
 
legolas558
Re: Downloads security
21 December 2007 00:07
Yes, it is a bug and should be properly and formally addressed through the bug tracker.
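
The access check the posts above ask for, as an added example that is not Drake CMS code and not part of the original thread: the download handler resolves the file's own category and authorises the visitor on every request, and the listing checks the requested catid itself. All ids, access levels, array layouts and function names are hypothetical, and the data is constructed.

```php
<?php
// Constructed sample data; ids, levels and names are hypothetical, not Drake CMS's schema.
const CATEGORIES = [
    1 => ['name' => 'Public files', 'access' => 0], // 0 = anonymous visitors
    2 => ['name' => 'Members only', 'access' => 2], // 2 = registered members
];
const DOWNLOADS = [
    10 => ['catid' => 1, 'file' => 'brochure.pdf'],
    11 => ['catid' => 2, 'file' => 'internal-report.pdf'],
];

// True when the visitor's group level meets the category's required level.
function can_access_category(int $userLevel, int $catid): bool
{
    return isset(CATEGORIES[$catid]) && $userLevel >= CATEGORIES[$catid]['access'];
}

// Listing view: the check is made on the requested catid itself, so a
// hand-edited catid parameter yields an empty list, not the category.
function list_downloads(int $userLevel, int $catid): array
{
    if (!can_access_category($userLevel, $catid)) {
        return [];
    }
    return array_filter(DOWNLOADS, fn($d) => $d['catid'] === $catid);
}

// Behaviour described in the thread: the file is served for any valid id.
function serve_download_unchecked(int $id): array
{
    return isset(DOWNLOADS[$id]) ? [200, DOWNLOADS[$id]['file']] : [404, null];
}

// Hardened handler: authorise against the file's own category on every
// request, regardless of how the visitor obtained the link.
function serve_download_checked(int $userLevel, int $id): array
{
    if (!isset(DOWNLOADS[$id])) {
        return [404, null];
    }
    if (!can_access_category($userLevel, DOWNLOADS[$id]['catid'])) {
        return [403, null];
    }
    return [200, DOWNLOADS[$id]['file']];
}

// Anonymous visitor (level 0) and member (level 2) requesting download 11.
printf("unchecked=%d checked=%d member=%d listed=%d\n", serve_download_unchecked(11)[0],
    serve_download_checked(0, 11)[0], serve_download_checked(2, 11)[0], count(list_downloads(0, 2)));
```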
 