XF / News Temporary attachments should only be viewable by the session/user which adds them

Status
Not open for further replies.

Bots

XenForo implements temporary attachments without additional constraints to view them; with the guest posting feature, this sadly can be trivially exploited for spam:

BassMan said:
Or this one...

Upload images in the quick editor and never post a reply. Use the URL of those images in an email for various phishing attacks. The URL points to your forum (images are uploaded to your server).
BassMan said:
I received a message about this with the URLs of the images via the contact form. And then the...

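The rule in the thread title, sketched as a view check. This is an added example, not XenForo's code: `Attachment`, `Viewer`, `can_view`, `TEMP_TTL_SECONDS` and the 24-hour lifetime are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

TEMP_TTL_SECONDS = 24 * 3600  # assumed lifetime of an upload that is never posted


@dataclass(frozen=True)
class Attachment:
    content_id: Optional[int]  # None while the upload is still temporary
    uploader_user_id: int      # 0 for a guest upload
    uploader_session: str      # session id recorded at upload time
    uploaded_at: int           # Unix time of the upload


@dataclass(frozen=True)
class Viewer:
    user_id: int               # 0 for a guest
    session: str


def can_view(att: Attachment, viewer: Viewer, now: int, parent_visible: bool) -> bool:
    """Decide whether the attachment may be served to this viewer."""
    if att.content_id is not None:
        # Posted attachment: the parent content's own permissions decide.
        return parent_visible
    # Temporary attachment: expire it, then bind it to whoever uploaded it.
    if now - att.uploaded_at > TEMP_TTL_SECONDS:
        return False
    if att.uploader_user_id != 0:
        return viewer.user_id == att.uploader_user_id
    # Guest upload: only the same guest session, compared in constant time.
    return (
        viewer.user_id == 0
        and bool(att.uploader_session)
        and hmac.compare_digest(att.uploader_session.encode(), viewer.session.encode())
    )


if __name__ == "__main__":
    # Constructed sample: a guest uploads in the quick editor and never posts.
    temp = Attachment(None, 0, "sess-uploader", 1_000)
    print(can_view(temp, Viewer(0, "sess-uploader"), 1_500, False))  # uploader's preview
    print(can_view(temp, Viewer(0, "sess-other"), 1_500, False))     # link opened elsewhere
```

With a check like this, the image URL from an abandoned quick-editor upload stops resolving for anyone but the uploader, so it cannot be handed out as a link hosted on the forum.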
 